Bugzilla – Bug 1212797
VUL-0: CVE-2023-36464: python-PyPDF2: Possible Infinite Loop when a comment isn't followed by a character
Last modified: 2023-06-29 08:22:24 UTC
CVE-2023-36464 pypdf is an open source, pure-python PDF library. In affected versions an attacker may craft a PDF which leads to an infinite loop if `__parse_content_stream` is executed. That is, for example, the case if the user extracted text from such a PDF. This issue was introduced in pull request #969 and resolved in pull request #1828. Users are advised to upgrade. Users unable to upgrade may modify the line `while peek not in (b"\r", b"\n")` in `pypdf/generic/_data_structures.py` to `while peek not in (b"\r", b"\n", b"")`. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-36464 https://bugzilla.redhat.com/show_bug.cgi?id=2218075 https://www.cve.org/CVERecord?id=CVE-2023-36464 http://www.cvedetails.com/cve/CVE-2023-36464/ https://github.com/py-pdf/pypdf/pull/1828 https://github.com/py-pdf/pypdf/pull/969 https://github.com/py-pdf/pypdf/security/advisories/GHSA-4vvm-4w3v-6mr8
sounds more like a bug, but maybe we can get Factory and Backports updated?
(In reply to Robert Frohl from comment #1) > sounds more like a bug, but maybe we can get Factory and Backports updated? Backports I will patch, that will be easy enough, in the meantime PyPDF2/PyPDF3 have once again become pypdf so I may or may not take slightly longer and just fix that in factory.