Bug 29022

Summary: python-pikepdf new security issue CVE-2021-29421
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-pikepdf-2.2.4-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-05-29 21:37:08 CEST 
Fedora has issued an advisory on April 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZCNN7VUZORHBCGAJURZRCUTFLCK2ZPG2/

The issue is fixed upstream in 2.10.0.
David Walser 2021-05-29 21:37:20 CEST

Status comment: (none) => Fixed upstream in 2.10.0

Comment 1 David GEIGER 2021-06-07 12:47:51 CEST 
Done for mga8!
Comment 2 David Walser 2021-06-09 01:56:41 CEST 
RPMS:
python3-pikepdf-2.10.0-1.mga8
python-pikepdf-doc-2.10.0-1.mga8

from python-pikepdf-2.10.0-1.mga8.src.rpm

Status comment: Fixed upstream in 2.10.0 => (none)
Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210

Comment 3 Len Lawrence 2021-06-11 22:17:38 CEST 
mga8, x64

CVE-2021-29421
There does not appear to be a PoC for this issue.

Clean update.
https://pikepdf.readthedocs.io/en/latest/index.html

Found two simple examples of its use.  Note that only python3 is supported.

Remove last page from a document.
$ cat test.py
import pikepdf
with pikepdf.open( 'input.pdf' ) as pdf:
    num_pages = len( pdf.pages )
    del pdf.pages[-1]
    pdf.save( 'output.pdf' )

Ran this against a local PDF file and checked output.pdf in okular to see that the last page was removed.

Rotate all pages of a document by 180°.
$ cat rotate.py
# Rotate all pages in a file by 180 degrees
import pikepdf
my_pdf = pikepdf.Pdf.open( 'test.pdf' )
for page in my_pdf.pages:
   page.Rotate = 180
my_pdf.save( 'test-rotated.pdf' )

Ran this and sure enough all 28 pages appeared upside-down in the output.
pikepdf has a lot more capabilities but this shows that it is functional.
Waiting for the advisory in case something has been missed.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2021-06-16 20:25:08 CEST 
Assigning OK for mga8.

Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2021-06-17 01:34:48 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-06-18 20:08:40 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-06-18 21:26:08 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0268.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED