GHSA-wjcc-cq79-p63f: Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF

Skip to content

• • Actions

    Automate any workflow

  • Packages

    Host and manage packages

  • Security

    Find and fix vulnerabilities

  • Codespaces

    Instant dev environments

  • Copilot

    Write better code with AI

  • Code review

    Manage code changes

  • Issues

    Plan and track work

  • Discussions

    Collaborate outside of code

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• Pricing

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2023-46250

Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF

Moderate severity GitHub Reviewed Published Oct 29, 2023 in py-pdf/pypdf • Updated Oct 31, 2023

Affected versions

>= 3.7.0, < 3.17.0

Description

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop.
This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage.

That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations.

Patches

The issue was fixed with #2264

Workarounds

If you cannot update your version of pypdf, you should modify pypdf/generic/_data_structures.py just like #2264 did.

References

• GHSA-wjcc-cq79-p63f
• https://nvd.nist.gov/vuln/detail/CVE-2023-46250
• py-pdf/pypdf#2264
• py-pdf/pypdf@9b23ac3

Published to the GitHub Advisory Database

Oct 31, 2023

Last updated

Oct 31, 2023