1216773 – (CVE-2023-36810) VUL-0: CVE-2023-36810: pypdf: An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime

Bug 1216773 (CVE-2023-36810) - VUL-0: CVE-2023-36810: pypdf: An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime

Summary: VUL-0: CVE-2023-36810: pypdf: An attacker who uses this vulnerability can cra...

Status:	NEW

Alias:	CVE-2023-36810

Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Python (show other bugs)
Version:	Leap 15.6
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal (vote)
Target Milestone:	---
Assignee:	Simon Lees
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/371004/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-11-01 05:34 UTC by SMASH SMASH
Modified:	2023-11-01 06:15 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2023-11-01 05:34:57 UTC

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and
transforming the pages of PDF files. An attacker who uses this vulnerability can
craft a PDF which leads to unexpected long runtime. This quadratic runtime
blocks the current process and can utilize a single core of the CPU by 100%. It
does not affect memory usage. This issue has been addressed in PR 808 and
versions from 1.27.9 include this fix. Users are advised to upgrade. There are
no known workarounds for this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-36810