
Bug#1029008: Bug#1009879: security update needed for pypdf2 in bullseye (CVE-2022-24859)?



Control: close -1

Hi,

On Tue, Jul 25, 2023 at 10:26:06PM +0100, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
> 
> Hi,
> 
> On Mon, Jan 16, 2023 at 07:41:21AM +0100, László Böszörményi wrote:
> > On Mon, Jan 16, 2023 at 6:38 AM Salvatore Bonaccorso <carnil@debian.org> wrote:
> > > On Sun, Jan 15, 2023 at 04:57:24PM -0500, Daniel Kahn Gillmor wrote:
> > > > I was looking into CVE-2022-24859 and pypdf2, and trying to figure out
> > > > whether the version in bullseye is still vulnerable, as it appears to be
> > > > according to the security tracker:
> > [...]
> > > It is still unfixed in bullseye TTBOMK, but would not warrant a DSA.
> >  Indeed, it's not yet fixed for Bullseye and doesn't warrant a DSA as
> > the max impact is an infinite loop in the user's own process.
> > 
> > > Can you propose a fix for it with cherry-picking the pull request
> > > changes for the next bullseye point release?
> >  Correct, it needs to go via Bullseye point update. I attached the
> > short change which has the original commit as Salvatore noted.
> 
> Either of the proposed diffs is fine; please go ahead.

This package has not been uploaded in time for two consecutive point
releases now, so I am closing the request.

Thanks,
-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

