[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1029008: Bug#1009879: security update needed for pypdf2 in bullseye (CVE-2022-24859)?

Control: tag -1 confirmed

Hi,

On Mon, Jan 16, 2023 at 07:41:21AM +0100, László Böszörményi wrote:
> On Mon, Jan 16, 2023 at 6:38 AM Salvatore Bonaccorso <carnil@debian.org> wrote:
> > On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote:
> > > I was looking into CVE-2022-24859 and pypdf2, and trying to figure out
> > > whether the version in bullseye is still vulnerable, as it appears to be
> > > according to the security tracker:
> [...]
> > It is still unfixed in bullseye TTBOMK, but would not warrant a DSA.
>  Indeed, it's not yet fixed for Bullseye and doesn't warrant a DSA as
> the max impact is an infinite loop in the user's own process.
> 
> > Can you propose a fix for it with cherry-picking the pull request
> > changes for the next bullseye point release?
>  Correct, it needs to go via Bullseye point update. I attached the
> short change which has the original commit as Salvatore noted.

Either of the proposed diffs is fine; please go ahead.

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Reply to: