Debian-LTS has issued an advisory on June 3: https://www.debian.org/lts/security/2022/dla-3039 The issue is fixed upstream in 1.27.5: https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79 Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.27.5
Whiteboard: (none) => MGA8TOO
Version 1.27.5 pushed into mga8/9.
src:
- python-pypdf2-1.27.5-1.mga8
Whiteboard: MGA8TOO => (none)
CC: (none) => mageia
Status comment: Fixed upstream in 1.27.5 => (none)
Assignee: python => qa-bugs
Version: Cauldron => 8
python3-pypdf2-1.27.5-1.mga8 from python-pypdf2-1.27.5-1.mga8.src.rpm
Is this in updates testing yet? Could not find it on my usual mirror.
CC: (none) => tarazed25
Meanwhile tested the core version: mga8, x64
Starting with python3-pypdf2-1.26.0-5.mga8
Reproducer at https://github.com/py-pdf/PyPDF2/issues/329

Before update:
$ ./poc_CVE-2022-24859 malicious.pdf
<hung - evidence of the infinite loop>

The old-fashioned way worked though, so there must be something wrong with my qarepo setup on this machine.

After update:
$ ./poc_CVE-2022-24859 malicious.pdf
Traceback (most recent call last):
  File "./poc_CVE-2022-24859", line 10, in <module>
    contentstream = ContentStream(page.getContents(), pdf)
  File "/usr/lib/python3.8/site-packages/PyPDF2/pdf.py", line 2768, in __init__
    self.__parseContentStream(stream)
  File "/usr/lib/python3.8/site-packages/PyPDF2/pdf.py", line 2786, in __parseContentStream
    ii = self._readInlineImage(stream)
  File "/usr/lib/python3.8/site-packages/PyPDF2/pdf.py", line 2827, in _readInlineImage
    raise utils.PdfReadError("Unexpected end of stream")
PyPDF2.utils.PdfReadError: Unexpected end of stream

$ urpmq --whatrequires python3-pypdf2
kraft
pdf-stapler

Tried kraft but did not know what to do with it when the GUI appeared - followed the wizard and exited after poking about. Doubtful if the module was encountered on the way.

Ran a trace on pdf-stapler without fully understanding the input parameters.
$ strace -o pypdf.trace pdf-stapler zip A=AN202004April2020.pdf 4-10 B=AN201904April2019.pdf 4-10 test.pdf
which generated lots of errors and no test output. The last line of the log reads:
IndexError: list index out of range
The trace file ran to 900 kB with no sign of pypdf.

Going to pass this on the basis that the vulnerability has been trapped and installation went smoothly.
Whiteboard: (none) => MGA8-64-OK
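The two behaviours the tester reports above (a hang before the update, PdfReadError("Unexpected end of stream") after it) come from the inline-image scan in PyPDF2's content-stream parser. The following is an added example, not code from this bug report, Mageia or PyPDF2: a simplified model of that scan with the pre-1.27.5 loop and the 1.27.5 end-of-stream check selectable by a flag. The content-stream bytes and the step_limit guard are constructed for the demonstration and are not part of PyPDF2.

```python
from io import BytesIO

WHITESPACE = b" \t\r\n\x00"  # bytes PyPDF2 accepts between the EI and Q operators


class PdfReadError(Exception):
    """Same name as the exception class the fixed PyPDF2 raises."""


def read_inline_image(stream, check_eof, step_limit=100_000):
    """Return raw image bytes after 'ID'; the scan ends at 'EI' + whitespace + 'Q'.

    check_eof=False models PyPDF2 before 1.27.5: read(1) yields b'' forever at
    EOF, nothing ever matches and the loop never ends. check_eof=True models the
    1.27.5 fix (raise on the first empty read). step_limit is assumed scaffolding,
    not part of PyPDF2, so the vulnerable branch returns None instead of hanging.
    """
    def read1():
        byte = stream.read(1)
        if check_eof and byte == b"":
            raise PdfReadError("Unexpected end of stream")
        return byte
    data = b""
    for _ in range(step_limit):
        tok = read1()
        if tok != b"E":
            data += tok
            continue
        tok2 = read1()
        if tok2 != b"I":
            stream.seek(-1, 1)  # un-read tok2; that 'E' was ordinary image data
            data += tok
            continue
        # Image data may itself contain 'EI', so require whitespace then 'Q'.
        info, tok3, seen_ws = tok + tok2, read1(), False
        while tok3 != b"" and tok3 in WHITESPACE:
            seen_ws, info, tok3 = True, info + tok3, read1()
        if tok3 == b"Q" and seen_ws:
            stream.seek(-1, 1)  # leave 'Q' for the content-stream parser
            return data
        stream.seek(-1, 1)
        data += info  # false alarm: keep the bytes and continue scanning
    return None  # step_limit exhausted: the real loop would spin forever


def scan(content, check_eof):
    """Classify a stream body as ('ok', bytes), ('error', msg) or ('hung', None)."""
    try:
        image = read_inline_image(BytesIO(content), check_eof)
    except PdfReadError as exc:
        return ("error", str(exc))
    return ("ok", image) if image is not None else ("hung", None)

WELL_FORMED = b"\x01\x02EI\x03\x04 EI Q\n"  # constructed: data contains a bare 'EI'
TRUNCATED = b"\x01\x02EI\x03\x04 EI"        # constructed: stream ends before ' Q'
```

scan(TRUNCATED, check_eof=False) reports "hung" and scan(TRUNCATED, check_eof=True) reports the same "Unexpected end of stream" error seen in the traceback, while the well-formed stream parses identically in both modes.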
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0224.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED