==========================================================================
Ubuntu Security Notice USN-6176-1
June 19, 2023
pypdf2 vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
Summary:
PyPDF2 could be made to crash if it opened a specially crafted
file.
Software Description:
- pypdf2: Pure-Python library built as a PDF toolkit (Python 3)
Details:
It was discovered that PyPDF2 incorrectly handled certain PDF files. If a
user or automated system were tricked into processing a specially crafted
file, an attacker could possibly use this issue to consume system
resources, resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
python3-pypdf2 1.26.0-4ubuntu0.22.04.1
Ubuntu 20.04 LTS:
python-pypdf2 1.26.0-3ubuntu1.20.04.1
python3-pypdf2 1.26.0-3ubuntu1.20.04.1
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
python-pypdf2 1.26.0-2ubuntu0.1~esm1
python3-pypdf2 1.26.0-2ubuntu0.1~esm1
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
python-pypdf2 1.25.1-1ubuntu0.1~esm1
python3-pypdf2 1.25.1-1ubuntu0.1~esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6176-1
CVE-2022-24859
Package Information:
https://launchpad.net/ubuntu/+source/pypdf2/1.26.0-4ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/pypdf2/1.26.0-3ubuntu1.20.04.1
Related advisory (CVE-2022-24859):
PyPDF2 is an open source Python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5, an attacker can craft a PDF that sends PyPDF2 into an infinite loop when the code attempts to read the content stream. The cause is that the last while-loop in `ContentStream._readInlineImage` only terminates when it finds the `EI` token and never checks whether the stream has already ended, so a stream that ends before `EI` is read forever. This issue has been resolved in version 1.27.5. The Ubuntu packages listed above keep the 1.26.0 and 1.25.1 version numbers and carry the fix as a backported patch, so compare against the Ubuntu package revision, not the upstream version. Users unable to upgrade should validate PDFs prior to iterating over their content stream.
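The loop described above, modelled as an added example (this is not PyPDF2's or Ubuntu's code; the function names, the demo-only `budget` guard and the sample streams are constructed here): the unchecked scan that stops only on `EI` beside one that also treats an empty read as end of stream, and a minimal pre-check of the kind the last sentence suggests for users who cannot upgrade.

```python
"""Added example (not PyPDF2's own code): a simplified model of the inline-image
scan that CVE-2022-24859 describes. Function names, the `budget` guard and the
sample streams are constructed for this demonstration.
"""
import io
from typing import Optional

# Single-byte tokens treated as whitespace after the `EI` operator.
# A set, not a bytes literal: `b"" in b" \t"` is True in Python, which would
# make an end-of-stream read look like whitespace.
WHITESPACE = {b" ", b"\t", b"\r", b"\n", b"\x0c", b"\x00"}


def _seek_to_image_data(stream: io.BytesIO) -> None:
    """Position the stream just past `ID` and its single trailing whitespace byte."""
    idx = stream.getvalue().find(b"ID")
    if idx < 0:
        raise ValueError("no ID operator: not an inline image")
    stream.seek(idx + 3)


def _scan_for_ei(stream: io.BytesIO, *, stop_at_eof: bool,
                 budget: Optional[int] = None) -> bytes:
    """Consume image bytes one at a time until `EI` followed by whitespace.

    stop_at_eof=False reproduces the pattern the advisory describes: an empty
    read (end of stream) is not a loop exit, so a truncated image is re-read
    forever. `budget` is a demo-only guard that turns that hang into a
    RuntimeError instead of hanging the interpreter.
    """
    data = bytearray()
    steps = 0
    while True:
        steps += 1
        if budget is not None and steps > budget:
            raise RuntimeError("loop did not terminate within budget")
        tok = stream.read(1)
        if tok == b"":
            if stop_at_eof:
                raise ValueError("unexpected end of stream inside inline image")
            continue  # unchecked variant: spins here until the budget runs out
        if tok != b"E":
            data += tok
            continue
        tok2 = stream.read(1)
        if tok2 != b"I":
            data += tok
            if tok2 != b"":
                stream.seek(-1, io.SEEK_CUR)  # re-read tok2 as a fresh token
            continue
        tok3 = stream.read(1)
        if tok3 in WHITESPACE:
            return bytes(data)  # the real end-of-image operator
        data += tok + tok2      # `EI` inside the binary data: keep it
        if tok3 != b"":
            stream.seek(-1, io.SEEK_CUR)


def read_inline_image_unchecked(content: bytes, budget: int = 10_000) -> bytes:
    """Pre-1.27.5 shape: terminate only on `EI`; RuntimeError where real code hangs."""
    stream = io.BytesIO(content)
    _seek_to_image_data(stream)
    return _scan_for_ei(stream, stop_at_eof=False, budget=budget)


def read_inline_image_checked(content: bytes) -> bytes:
    """Hardened shape: an empty read means the stream ended without `EI`; fail fast."""
    stream = io.BytesIO(content)
    _seek_to_image_data(stream)
    return _scan_for_ei(stream, stop_at_eof=True)


def inline_images_terminated(content: bytes) -> bool:
    """Cheap pre-check before a content stream reaches an unpatched parser:
    every `ID` operator must be followed by an `EI` later on. False reliably
    flags the truncated case; True is not proof of a well-formed image, since
    binary data may itself contain `EI`."""
    pos = 0
    while True:
        idx = content.find(b"ID", pos)
        if idx < 0:
            return True
        ei = content.find(b"EI", idx + 2)
        if ei < 0:
            return False
        pos = ei + 2


# Constructed inputs: a 2x2 8-bit grayscale inline image inside q/Q.
GOOD_STREAM = b"q BI /W 2 /H 2 /BPC 8 /CS /G ID \x00\xff\xff\x00 EI Q"
# Image data that happens to contain the bytes `EI` not followed by whitespace.
EMBEDDED_EI_STREAM = b"q BI /W 2 /H 2 /BPC 8 /CS /G ID \x00EIx\x00 EI Q"
# The same image cut off before `EI`: the shape the advisory describes.
TRUNCATED_STREAM = b"q BI /W 2 /H 2 /BPC 8 /CS /G ID \x00\xff\xff"


def demo() -> dict:
    """Run each reader and the pre-check over each stream; return labelled outcomes."""
    def outcome(fn, stream):
        try:
            return ("ok", fn(stream))
        except RuntimeError as exc:
            return ("hang", str(exc))
        except ValueError as exc:
            return ("rejected", str(exc))
    results = {}
    for name, stream in [("good", GOOD_STREAM), ("embedded_ei", EMBEDDED_EI_STREAM),
                         ("truncated", TRUNCATED_STREAM)]:
        results["unchecked/" + name] = outcome(read_inline_image_unchecked, stream)
        results["checked/" + name] = outcome(read_inline_image_checked, stream)
        results["precheck/" + name] = inline_images_terminated(stream)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

Running the block prints one outcome per case: both readers return the image bytes for the well-formed streams, including the one whose data contains a stray `EI`, but on the truncated stream the unchecked reader only stops because of the demo budget, which is the resource-consumption denial of service the notice describes, while the checked reader rejects it on the first empty read.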