Bug 32115 - python-pypdf2 new security issue CVE-2023-36810
Summary: python-pypdf2 new security issue CVE-2023-36810
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2023-07-17 22:07 CEST by David Walser
Modified: 2023-09-11 15:09 CEST

See Also:
Source RPM: python-pypdf2-1.27.5-1.mga9.src.rpm
CVE:
Status comment: Fixed upstream in 1.27.9


Description David Walser 2023-07-17 22:07:10 CEST
Debian-LTS has issued an advisory on July 14:
https://www.debian.org/lts/security/2023/dla-3497

The issue is fixed upstream in 1.27.9:
https://github.com/py-pdf/pypdf/security/advisories/GHSA-jrm6-h9cq-8gqw

Mageia 8 is also affected.
David Walser 2023-07-17 22:07:24 CEST

Status comment: (none) => Fixed upstream in 1.27.9
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-07-19 20:55:43 CEST
This pkg is updated by different packagers, so assigning the bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Mike Rambo 2023-09-03 19:04:51 CEST
Package updated for cauldron, Mageia 9, and Mageia 8


Advisory:
========================

Patched python-pypdf2 package fixes security vulnerability:

It was discovered that python-pypdf2 contained a vulnerability whereby an attacker can craft a PDF which leads to an unexpectedly long runtime
(CVE-2023-36810).


References:
https://www.debian.org/lts/security/2023/dla-3497
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36810
========================

Updated packages in core/updates_testing:
========================
python3-pypdf2-1.27.9-1.mga8.noarch.rpm

from python-pypdf2-1.27.9-1.mga8.src.rpm

(for Mageia 9)
python3-pypdf2-1.27.9-1.mga9.noarch.rpm

from python-pypdf2-1.27.9-1.mga9.src.rpm

Possible test help https://bugs.mageia.org/show_bug.cgi?id=30511#c5

Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 9
CC: (none) => mhrambo3501

Comment 3 Herman Viaene 2023-09-04 11:07:08 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
Followed the suggestion above; kraft was not chosen because there is no KDE on this laptop. Installed pdf-stapler and followed the example in https://github.com/hellerbarde/stapler
$ stapler sel HLN_MSAS07_18LACM.pdf handleidingVM.pdf test.pdf
No feedback; the resulting test.pdf has a correct concatenation of the two documents.
OK for me.

CC: (none) => herman.viaene
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 4 Thomas Andrews 2023-09-10 23:32:19 CEST
MGA9-64 Plasma on an HP Probook 6550b. No installation issues.

Did essentially the same test as comment 3, except that I got my command examples from the pdf-stapler README file. I was able to concatenate two of my own pdf files with no issues. This is OK for MGA9.

Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK

Dave Hodgins 2023-09-11 02:03:07 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2023-09-11 15:09:37 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0254.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
