Headline
Ubuntu Security Notice USN-6280-1
Ubuntu Security Notice 6280-1 - It was discovered that PyPDF2 incorrectly handled PDF files with certain markers. If a user or automated system were tricked into processing a specially crafted file, an attacker could possibly use this issue to consume system resources, resulting in a denial of service.
==========================================================================
Ubuntu Security Notice USN-6280-1
August 10, 2023
pypdf2 vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
Summary:
PyPDF2 could be made to crash if it opened a specially crafted
file.
Software Description:
- pypdf2: Pure-Python library built as a PDF toolkit (Python 3)
Details:
It was discovered that PyPDF2 incorrectly handled PDF files with certain
markers. If a user or automated system were tricked into processing a
specially crafted file, an attacker could possibly use this issue to
consume system resources, resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
python3-pypdf2 1.26.0-4ubuntu0.22.04.2
Ubuntu 20.04 LTS:
python-pypdf2 1.26.0-3ubuntu1.20.04.2
python3-pypdf2 1.26.0-3ubuntu1.20.04.2
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
python-pypdf2 1.26.0-2ubuntu0.1~esm2
python3-pypdf2 1.26.0-2ubuntu0.1~esm2
Ubuntu 16.04 LTS (Available with Ubuntu Pro):
python-pypdf2 1.25.1-1ubuntu0.1~esm2
python3-pypdf2 1.25.1-1ubuntu0.1~esm2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6280-1
CVE-2023-36810
Package Information:
https://launchpad.net/ubuntu/+source/pypdf2/1.26.0-4ubuntu0.22.04.2
https://launchpad.net/ubuntu/+source/pypdf2/1.26.0-3ubuntu1.20.04.2
Related news
### Impact An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. ### Patches https://github.com/py-pdf/pypdf/pull/808 ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ ### References * [PyPDF2 PR #808](https://github.com/py-pdf/pypdf/pull/808) * [PyPDF2 Issue #582](https://github.com/py-pdf/pypdf/issues/582)
pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. This issue has been addressed in PR 808 and versions from 1.27.9 include this fix. Users are advised to upgrade. There are no known workarounds for this vulnerability.