Bug 30511 - python-pypdf2 new security issue CVE-2022-24859
Summary: python-pypdf2 new security issue CVE-2022-24859
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-06-06 18:22 CEST by David Walser
Modified: 2022-06-09 22:50 CEST

See Also:
Source RPM: python-pypdf2-1.26.0-8.mga9.src.rpm
CVE:
Status comment:



Description David Walser 2022-06-06 18:22:01 CEST
Debian-LTS has issued an advisory on June 3:
https://www.debian.org/lts/security/2022/dla-3039

The issue is fixed upstream in 1.27.5:
https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79

Mageia 8 is also affected.
David Walser 2022-06-06 18:22:13 CEST

Status comment: (none) => Fixed upstream in 1.27.5
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Lécureuil 2022-06-06 21:36:21 CEST
version 1.27.5 pushed into mga8/9

src:
    - python-pypdf2-1.27.5-1.mga8

Whiteboard: MGA8TOO => (none)
CC: (none) => mageia
Status comment: Fixed upstream in 1.27.5 => (none)
Assignee: python => qa-bugs
Version: Cauldron => 8

Comment 2 David Walser 2022-06-08 00:23:56 CEST
python3-pypdf2-1.27.5-1.mga8

from python-pypdf2-1.27.5-1.mga8.src.rpm
Comment 3 Len Lawrence 2022-06-08 10:26:26 CEST
Is this in updates testing yet?  Could not find it on my usual mirror.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2022-06-08 10:27:58 CEST
Meanwhile tested the core version:
mga8, x64
Starting with python3-pypdf2-1.26.0-5.mga8
Reproducer at https://github.com/py-pdf/PyPDF2/issues/329

Before update:
$ ./poc_CVE-2022-24859 malicious.pdf
<hung - evidence of the infinite loop>
Comment 5 Len Lawrence 2022-06-08 11:17:43 CEST
The old-fashioned way worked though so there must be something wrong with my qarepo setup on this machine.

After update:
$ ./poc_CVE-2022-24859 malicious.pdf
Traceback (most recent call last):
  File "./poc_CVE-2022-24859", line 10, in <module>
    contentstream = ContentStream(page.getContents(), pdf)
  File "/usr/lib/python3.8/site-packages/PyPDF2/pdf.py", line 2768, in __init__
    self.__parseContentStream(stream)
  File "/usr/lib/python3.8/site-packages/PyPDF2/pdf.py", line 2786, in __parseContentStream
    ii = self._readInlineImage(stream)
  File "/usr/lib/python3.8/site-packages/PyPDF2/pdf.py", line 2827, in _readInlineImage
    raise utils.PdfReadError("Unexpected end of stream")
PyPDF2.utils.PdfReadError: Unexpected end of stream

$ urpmq --whatrequires python3-pypdf2
kraft
pdf-stapler

Tried kraft but did not know what to do with it when the GUI appeared - followed the wizard and exited after poking about.  Doubtful if the module was encountered on the way.
Ran a trace on pdf-stapler without fully understanding the input parameters.
$ strace -o pypdf.trace pdf-stapler zip A=AN202004April2020.pdf 4-10 B=AN201904April2019.pdf 4-10 test.pdf

which generated lots of errors and no test output.  The last line of the log reads:
IndexError: list index out of range

The trace file ran to 900 kB with no sign of pypdf.

Going to pass this on the basis that the vulnerability has been trapped and installation went smoothly.
Len Lawrence 2022-06-08 11:18:11 CEST

Whiteboard: (none) => MGA8-64-OK
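
The hang shown in Comments 4 and 5 is the denial of service behind CVE-2022-24859: an unpatched PyPDF2 never returns from parsing the content stream. The example below is added here and is not part of this bug report or of PyPDF2; it shows the two guards a service that feeds untrusted PDFs to PyPDF2 can apply until the 1.27.5 update is installed: a version gate against the fixed release named in this report, and a parse run in a forked child process that is killed when it overruns a deadline. The real PyPDF2 call is stood in for by two constructed functions (fake_parse_ok and fake_parse_hanging), and parse_version assumes plain dotted release strings.

```python
"""Added example (not from this bug report or PyPDF2): bound the time an
untrusted PDF may spend in a parser affected by CVE-2022-24859."""
import multiprocessing as mp

FIXED_VERSION = (1, 27, 5)  # upstream fix release named in this report

def parse_version(version: str) -> tuple:
    """Assumes a plain dotted release string such as '1.26.0'."""
    return tuple(int(part) for part in version.split(".")[:3])

def is_vulnerable_version(version: str) -> bool:
    """True for PyPDF2 releases older than the 1.27.5 fix."""
    return parse_version(version) < FIXED_VERSION

def _worker(fn, args, conn):
    # Runs in the child: report the result, or the exception text
    # (a fixed PyPDF2 raises PdfReadError instead of looping).
    try:
        conn.send(("ok", fn(*args)))
    except Exception as exc:
        conn.send(("error", repr(exc)))
    finally:
        conn.close()

def run_with_deadline(fn, args=(), timeout=5.0):
    """Run fn(*args) in a forked child; SIGKILL it if no result arrives
    within `timeout` seconds. Returns (status, value) with status
    'ok', 'error' or 'timeout'. A parser stuck in the CVE-2022-24859
    loop never sends anything, so it ends up in the 'timeout' branch."""
    ctx = mp.get_context("fork")  # fork: fn need not be picklable
    parent, child = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(fn, args, child))
    proc.start()
    child.close()  # parent keeps only the read end
    if parent.poll(timeout):
        try:
            status, value = parent.recv()
        except EOFError:  # child died without reporting anything
            status, value = "error", "worker exited without result"
        proc.join()
        return status, value
    proc.kill()
    proc.join()
    return ("timeout", None)

# Constructed stand-ins for the PyPDF2 call; no real PDF is parsed here.
def fake_parse_ok(path):
    return "parsed " + path

def fake_parse_hanging(path):
    while True:  # mimics the pre-1.27.5 infinite loop
        pass
```

In a real service the stand-ins are replaced by a function that opens the PDF with PyPDF2 and walks its content streams, so a crafted file costs at most `timeout` seconds of one worker instead of hanging the process.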

Comment 6 Thomas Andrews 2022-06-09 04:06:54 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-06-09 20:35:08 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2022-06-09 22:50:53 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0224.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
