Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-36810: Quadratic runtime with malformed PDF missing xref marker · Issue #582 · py-pdf/pypdf

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. This issue has been addressed in PR 808 and versions from 1.27.9 include this fix. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE
Open in Source
#vulnerability#google#pdf

Comments

Google-Autofuzz changed the title Inifinite loop with malformed PDF Infinite loop with malformed PDF

Nov 13, 2020

MartinThoma added is-bug

From a users perspective, this is a bug - a violation of the expected behavior with a compliant PDF

is-robustness-issue

From a users perspective, this is about robustness

labels

Apr 7, 2022

MartinThoma changed the title Infinite loop with malformed PDF Very long execution time with malformed PDF

Jun 30, 2023

MartinThoma changed the title Very long execution time with malformed PDF Quadratic runtime with malformed PDF

Jun 30, 2023

MartinThoma changed the title Quadratic runtime with malformed PDF Quadratic runtime with malformed PDF missing xref marker

Jun 30, 2023

Related news

Ubuntu Security Notice USN-6280-1

Ubuntu Security Notice 6280-1 - It was discovered that PyPDF2 incorrectly handled PDF files with certain markers. If a user or automated system were tricked into processing a specially crafted file, an attacker could possibly use this issue to consume system resources, resulting in a denial of service.

GHSA-jrm6-h9cq-8gqw: PyPDF2 quadratic runtime with malformed PDF missing xref marker

### Impact An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. ### Patches https://github.com/py-pdf/pypdf/pull/808 ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ ### References * [PyPDF2 PR #808](https://github.com/py-pdf/pypdf/pull/808) * [PyPDF2 Issue #582](https://github.com/py-pdf/pypdf/issues/582)

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE