Bug#1029008: Bug#1009879: security update needed for pypdf2 in bullseye (CVE-2022-24859)?
- To: 1029008@bugs.debian.org
- Cc: László Böszörményi <gcs@debian.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Subject: Bug#1029008: Bug#1009879: security update needed for pypdf2 in bullseye (CVE-2022-24859)?
- From: Jonathan Wiltshire <jmw@debian.org>
- Date: Tue, 6 Feb 2024 17:52:44 +0000
- Message-id: <ZcJx7M7-KRm-h2Rt@powdarrmonkey.net>
- Reply-to: Jonathan Wiltshire <jmw@debian.org>, 1029008@bugs.debian.org
- In-reply-to: <ZMA97szVz/LPYla3@powdarrmonkey.net>
- References: <165039585077.769968.9073705332975654509.reportbug@eldamar.lan> <87lem3796j.fsf@fifthhorseman.net> <Y8Tiw94n040ZQoay@eldamar.lan> <165039585077.769968.9073705332975654509.reportbug@eldamar.lan> <CAKjSHr39T9cgh-UhGjbaLPKOan9OO38a-ZwQCgLLb523Nh6DDg@mail.gmail.com> <165039585077.769968.9073705332975654509.reportbug@eldamar.lan> <ZMA97szVz/LPYla3@powdarrmonkey.net> <165039585077.769968.9073705332975654509.reportbug@eldamar.lan>
Control: close -1
Hi,
On Tue, Jul 25, 2023 at 10:26:06PM +0100, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
>
> Hi,
>
> On Mon, Jan 16, 2023 at 07:41:21AM +0100, László Böszörményi wrote:
> > On Mon, Jan 16, 2023 at 6:38 AM Salvatore Bonaccorso <carnil@debian.org> wrote:
> > > On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote:
> > > > I was looking into CVE-2022-24859 and pypdf2, and trying to figure out
> > > > whether the version in bullseye is still vulnerable, as it appears to be
> > > > according to the security tracker:
> > [...]
> > > It is still unfixed in bullseye TTBOMK, but would not warrant a DSA.
> > Indeed, it's not yet fixed for Bullseye and doesn't warrant a DSA as
> > the max impact is an infinite loop in the user's own process.
> >
> > > Can you propose a fix for it with cherry-picking the pull request
> > > changes for the next bullseye point release?
> > Correct, it needs to go via Bullseye point update. I attached the
> > short change which has the original commit as Salvatore noted.
>
> Either of the proposed diffs is fine; please go ahead.
This package has not been uploaded in time for two consecutive point
releases now, so I am closing the request.
Thanks,
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1