Bug 32115 - python-pypdf2 new security issue CVE-2023-36810
Summary: python-pypdf2 new security issue CVE-2023-36810
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2023-07-17 22:07 CEST by David Walser
Modified: 2023-09-11 15:09 CEST (History)
5 users (show)

See Also:
Source RPM: python-pypdf2-1.27.5-1.mga9.src.rpm
Status comment: Fixed upstream in 1.27.9


Description David Walser 2023-07-17 22:07:10 CEST
Debian-LTS has issued an advisory on July 14:

The issue is fixed upstream in 1.27.9:

Mageia 8 is also affected.
David Walser 2023-07-17 22:07:24 CEST

Status comment: (none) => Fixed upstream in 1.27.9
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-07-19 20:55:43 CEST
This pkg is updated by different packagers, so assigning the bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2023-09-03 19:04:51 CEST
Package updated for cauldron, Mageia 9, and Mageia 8


Patched python-pypdf2 package fixes security vulnerability:

It was discovered that python-pypdf2 contained a vulnerability whereby an attacker can craft a PDF which leads to unexpected long runtime.


Updated packages in core/updates_testing:

from python-pypdf2-1.27.9-1.mga8.src.rpm

(for Mageia 9)

from python-pypdf2-1.27.9-1.mga9.src.rpm

Possible test help https://bugs.mageia.org/show_bug.cgi?id=30511#c5

Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 9
CC: (none) => mhrambo3501

Comment 3 Herman Viaene 2023-09-04 11:07:08 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
Followed suggestion above, kraft not chosen because no KDE on this laptop, installed pdf-stapler and followed example as in https://github.com/hellerbarde/stapler
$ stapler sel HLN_MSAS07_18LACM.pdf handleidingVM.pdf test.pdf
no feedback, resulting test.pdf has a correct concatenation of the two documents.
OK for me.

CC: (none) => herman.viaene
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 4 Thomas Andrews 2023-09-10 23:32:19 CEST
MGA9-64 Plasma on an HP Probook 6550b. No installation issues.

Did essentially the same test as comment 3, except that I got my command examples from the pdf-stapler READ.ME file. I was able to concatenat5e two of my own pdf files with no issues. This is OK for MGA9.

Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK

Dave Hodgins 2023-09-11 02:03:07 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2023-09-11 15:09:37 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.