Bug 1212797 (CVE-2023-36464)

Summary: VUL-0: CVE-2023-36464: python-PyPDF2: Possible Infinite Loop when a comment isn't followed by a character
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Simon Lees <simonf.lees>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/370696/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2023-06-28 07:03:49 UTC
CVE-2023-36464

pypdf is an open source, pure-python PDF library. In affected versions an
attacker may craft a PDF which leads to an infinite loop if
`__parse_content_stream` is executed. That is, for example, the case if the user
extracted text from such a PDF. This issue was introduced in pull request #969
and resolved in pull request #1828. Users are advised to upgrade. Users unable
to upgrade may modify the line `while peek not in (b"\r", b"\n")` in
`pypdf/generic/_data_structures.py` to `while peek not in (b"\r", b"\n", b"")`.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-36464
https://bugzilla.redhat.com/show_bug.cgi?id=2218075
https://www.cve.org/CVERecord?id=CVE-2023-36464
http://www.cvedetails.com/cve/CVE-2023-36464/
https://github.com/py-pdf/pypdf/pull/1828
https://github.com/py-pdf/pypdf/pull/969
https://github.com/py-pdf/pypdf/security/advisories/GHSA-4vvm-4w3v-6mr8
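The loop quoted in the advisory can be reproduced outside pypdf. What follows is an added example, not pypdf's own code and not part of this bug report: a deliberately simplified content-stream tokenizer whose comment-skipping loop has the same shape as the one in `__parse_content_stream`, run once with the unpatched terminator tuple `(b"\r", b"\n")` and once with the patched tuple `(b"\r", b"\n", b"")`. The inputs are constructed here (a stream whose trailing `%` comment is not followed by a line break, beside the same stream with a newline); `tokenize`, `spins_forever` and the sample names are hypothetical names introduced for this example. A step cap stands in for the real infinite loop so the example always terminates.

```python
import io

# Constructed sample inputs (not taken from any real PDF): the same content
# stream once with a comment that ends in a line break, and once truncated
# right after the comment, which is the shape the advisory describes.
SAMPLE_OK = b"BT /F1 12 Tf (Hello) Tj ET % trailing comment\n"
SAMPLE_TRUNCATED = b"BT /F1 12 Tf (Hello) Tj ET % trailing comment"
SAMPLE_MID_COMMENT = b"BT % comment in the middle\nET"

WHITESPACE = b" \t\r\n"


class WouldSpinForever(Exception):
    """Raised in place of the real infinite loop once the step cap is hit."""


def tokenize(data: bytes, patched: bool, max_steps: int = 10_000) -> list:
    """Split a (simplified) PDF content stream into tokens, skipping comments.

    `patched` selects the terminator tuple for the comment loop:
      unpatched: (b"\\r", b"\\n")       -- never matches the b"" read at EOF
      patched:   (b"\\r", b"\\n", b"")  -- the one-line fix from the advisory
    Only the comment-skipping loop mirrors pypdf; the rest is a toy tokenizer.
    """
    terminators = (b"\r", b"\n", b"") if patched else (b"\r", b"\n")
    stream = io.BytesIO(data)
    tokens = []
    steps = 0
    while True:
        peek = stream.read(1)
        if peek == b"":  # clean EOF between tokens
            return tokens
        if peek in WHITESPACE:
            continue
        if peek == b"%":
            # Skip the comment up to end of line. BytesIO.read(1) returns b""
            # forever once the stream is exhausted, so without b"" in
            # `terminators` this loop never exits when the comment is the
            # last thing in the stream. The step cap replaces the hang.
            while peek not in terminators:
                peek = stream.read(1)
                steps += 1
                if steps > max_steps:
                    raise WouldSpinForever("comment loop never saw EOL or EOF")
            continue
        # Ordinary token: read up to the next whitespace or comment start.
        token = peek
        while True:
            c = stream.read(1)
            if c == b"" or c in WHITESPACE:
                break
            if c == b"%":
                stream.seek(-1, io.SEEK_CUR)  # let the outer loop handle '%'
                break
            token += c
        tokens.append(token)


def spins_forever(data: bytes, patched: bool) -> bool:
    """True if tokenizing `data` hits the step cap, i.e. would hang for real."""
    try:
        tokenize(data, patched)
    except WouldSpinForever:
        return True
    return False


if __name__ == "__main__":
    print(tokenize(SAMPLE_OK, patched=False))
    print("unpatched hangs on truncated input:",
          spins_forever(SAMPLE_TRUNCATED, patched=False))
    print("patched hangs on truncated input:",
          spins_forever(SAMPLE_TRUNCATED, patched=True))
```

The point the example makes is that the trigger is not a malformed comment but a missing byte: any `%` comment that runs to the physical end of the stream, with no `\r` or `\n` after it, drives the unpatched loop into reading `b""` indefinitely, which is why the advisory's mitigation is simply adding `b""` to the terminator tuple. Text extraction reaches this code path whenever it parses content streams, so an attacker needs nothing more than a PDF whose content stream ends in a comment.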
Comment 1 Robert Frohl 2023-06-28 07:12:51 UTC
sounds more like a bug, but maybe we can get Factory and Backports updated?
Comment 2 Simon Lees 2023-06-29 08:22:24 UTC
(In reply to Robert Frohl from comment #1)
> sounds more like a bug, but maybe we can get Factory and Backports updated?

Backports I will patch; that will be easy enough. In the meantime PyPDF2/PyPDF3 have once again become pypdf, so I may or may not take slightly longer and just fix that in Factory.