GHSA-hm9v-vj3r-r55m

Suggest an improvement
Source
https://github.com/advisories/GHSA-hm9v-vj3r-r55m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-hm9v-vj3r-r55m/GHSA-hm9v-vj3r-r55m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hm9v-vj3r-r55m
Aliases
Published
2023-06-30T22:19:39Z
Modified
2023-11-08T04:12:58.698600Z
Severity
  • 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
PyPDF2 vulnerable to possible Infinite Loop when reading malformed objects
Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case if the user extracted metadata from such a malformed PDF.

Patches

The issue was fixed with https://github.com/py-pdf/pypdf/pull/1331

Workarounds

If you cannot update your version of PyPDF2 (preferably to pypdf>3.1.0 as PyPDF2 is deprecated), you should modify PyPDF2/generic/_data_structures.py::read_object.

Replace:

    else:
        # number object OR indirect reference
        peek = stream.read(20)
        stream.seek(-len(peek), 1)  # reset to start
        if IndirectPattern.match(peek) is not None:
            return IndirectObject.read_from_stream(stream, pdf)
        else:
            return NumberObject.read_from_stream(stream)

by

    elif tok in b"0123456789+-.":
        # number object OR indirect reference
        peek = stream.read(20)
        stream.seek(-len(peek), 1)  # reset to start
        if IndirectPattern.match(peek) is not None:
            return IndirectObject.read_from_stream(stream, pdf)
        else:
            return NumberObject.read_from_stream(stream)
    else:
        raise PdfReadError(
            f"Invalid Elementary Object starting with {tok} @{stream.tell()}"
        )

References

Database specific
{
    "nvd_published_at": "2023-06-30T19:15:09Z",
    "cwe_ids": [
        "CWE-835"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-30T22:19:39Z"
}
References

Affected packages

PyPI / pypdf2

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.10.5
Fixed
2.10.6

Affected versions

2.*

2.10.5

Ecosystem specific

{
    "affected_functions": [
        "PyPDF2._reader.PdfReader.get_object",
        "PyPDF2.generic._base.NameObject.read_from_stream",
        "PyPDF2.generic._data_structures.DictionaryObject.read_from_stream",
        "PyPDF2.generic._data_structures.read_object"
    ]
}