Bug 29022 - python-pikepdf new security issue CVE-2021-29421
Summary: python-pikepdf new security issue CVE-2021-29421
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: validated_update
Depends on:
Reported: 2021-05-29 21:37 CEST by David Walser
Modified: 2021-06-17 01:34 CEST (History)
4 users (show)

See Also:
Source RPM: python-pikepdf-2.2.4-1.mga8.src.rpm
Status comment:


Description David Walser 2021-05-29 21:37:08 CEST
Fedora has issued an advisory on April 5:

The issue is fixed upstream in 2.10.0.
David Walser 2021-05-29 21:37:20 CEST

Status comment: (none) => Fixed upstream in 2.10.0

Comment 1 David GEIGER 2021-06-07 12:47:51 CEST
Done for mga8!
Comment 2 David Walser 2021-06-09 01:56:41 CEST

from python-pikepdf-2.10.0-1.mga8.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 2.10.0 => (none)

Comment 3 Len Lawrence 2021-06-11 22:17:38 CEST
mga8, x64

There does not appear to be a PoC for this issue.

Clean update.

Found two simple examples of its use.  Note that only python3 is supported.

Remove last page from a document.
$ cat test.py
import pikepdf
with pikepdf.open( 'input.pdf' ) as pdf:
    num_pages = len( pdf.pages )
    del pdf.pages[-1]
    pdf.save( 'output.pdf' )

Ran this against a local PDF file and checked output.pdf in okular to see that the last page was removed.

Rotate all pages of a document by 180°.
$ cat rotate.py
# Rotate all pages in a file by 180 degrees
import pikepdf
my_pdf = pikepdf.Pdf.open( 'test.pdf' )
for page in my_pdf.pages:
   page.Rotate = 180
my_pdf.save( 'test-rotated.pdf' )

Ran this and sure enough all 28 pages appeared upside-down in the output.
pikepdf has a lot more capabilities but this shows that it is functional.
Waiting for the advisory in case something has been missed.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2021-06-16 20:25:08 CEST
Assigning OK for mga8.

Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2021-06-17 01:34:48 CEST

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Note You need to log in before you can comment on or make changes to this bug.