Bug#1029008: Bug#1009879: security update needed for pypdf2 in bullseye (CVE-2022-24859)?
- To: László Böszörményi <gcs@debian.org>, 1029008@bugs.debian.org
- Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Subject: Bug#1029008: Bug#1009879: security update needed for pypdf2 in bullseye (CVE-2022-24859)?
- From: Jonathan Wiltshire <jmw@debian.org>
- Date: Tue, 25 Jul 2023 22:26:06 +0100
- Message-id: <ZMA97szVz/LPYla3@powdarrmonkey.net>
- Reply-to: Jonathan Wiltshire <jmw@debian.org>, 1029008@bugs.debian.org
- In-reply-to: <CAKjSHr39T9cgh-UhGjbaLPKOan9OO38a-ZwQCgLLb523Nh6DDg@mail.gmail.com>
- References: <165039585077.769968.9073705332975654509.reportbug@eldamar.lan> <87lem3796j.fsf@fifthhorseman.net> <Y8Tiw94n040ZQoay@eldamar.lan> <165039585077.769968.9073705332975654509.reportbug@eldamar.lan> <CAKjSHr39T9cgh-UhGjbaLPKOan9OO38a-ZwQCgLLb523Nh6DDg@mail.gmail.com> <165039585077.769968.9073705332975654509.reportbug@eldamar.lan>
Control: tag -1 confirmed
Hi,
On Mon, Jan 16, 2023 at 07:41:21AM +0100, László Böszörményi wrote:
> On Mon, Jan 16, 2023 at 6:38 AM Salvatore Bonaccorso <carnil@debian.org> wrote:
> > On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote:
> > > I was looking into CVE-2022-24859 and pypdf2, and trying to figure out
> > > whether the version in bullseye is still vulnerable, as it appears to be
> > > according to the security tracker:
> [...]
> > It is still unfixed in bullseye TTBOMK, but would not warrant a DSA.
> Indeed, it's not yet fixed for Bullseye and doesn't warrant a DSA as
> the max impact is an infinite loop in the user's own process.
>
> > Can you propose a fix for it with cherry-picking the pull request
> > changes for the next bullseye point release?
> Correct, it needs to go via Bullseye point update. I attached the
> short change which has the original commit as Salvatore noted.
Either of the proposed diffs is fine; please go ahead.
Thanks,
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1