Pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files.

In version 2.10.5 an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. That is, for example, the case if the user extracted metadata from such a malformed PDF. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. Versions prior to 2.10.5 throw an error, but do not hang forever. This issue was fixed with which has been included in release 2.10.6. Users unable to upgrade should modify `PyPDF2/generic/_data_structures.py::read_object` to an error-throwing case.

An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. This issue has been addressed in PR 808 and versions from 1.27.9 include this fix. There are no known workarounds for this vulnerability.
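Both issues above share one failure mode: a malformed PDF pins a core at 100% inside the parsing process. Where upgrading is not immediately possible, the process can at least be contained. The example below is added here and is not pypdf's code or the advisory's patch; it uses constructed stand-in parsers (`extract_title`, and `spin_on_malformed` which simulates the reported hang) and assumes a POSIX host where `fork` and `RLIMIT_CPU` are available. In real use, `fn` would be a function that opens the document with pypdf and returns its metadata.

```python
import multiprocessing as mp
import queue
import re
import resource

# Constructed sample inputs: one well-formed object, one with an unterminated string.
GOOD_PDF = b"%PDF-1.4\n1 0 obj\n<< /Title (Quarterly report) >>\nendobj\n"
BAD_PDF = b"%PDF-1.4\n1 0 obj\n<< /Title (unterminated\nendobj\n"


def extract_title(data):
    """Return the /Title string, or None if the object is not well formed."""
    m = re.search(rb"/Title \(([^)]*)\)", data)
    return m.group(1).decode() if m else None


def spin_on_malformed(data):
    """Constructed stand-in for the buggy parser: never advances on a malformed object."""
    if extract_title(data) is None:
        while True:  # hang at 100% CPU, as the advisory describes
            pass
    return extract_title(data)


def _child(fn, data, cpu_seconds, out):
    # Cap CPU time for this child only; exceeding it makes the kernel kill it (SIGXCPU).
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    try:
        out.put(("ok", fn(data)))
    except Exception as exc:
        out.put(("error", repr(exc)))


def parse_untrusted(fn, data, cpu_seconds=2, wall_seconds=5):
    """Run fn(data) in a child process under CPU and wall-clock limits.

    Returns ("ok", value), ("error", message) or ("killed", None).
    """
    ctx = mp.get_context("fork")  # assumption: POSIX host
    out = ctx.Queue()
    proc = ctx.Process(target=_child, args=(fn, data, cpu_seconds, out))
    proc.start()
    proc.join(wall_seconds)
    if proc.is_alive():  # wall-clock overrun, e.g. the child blocked on I/O
        proc.kill()
        proc.join()
    try:
        return out.get(timeout=1)
    except queue.Empty:  # child died before reporting a result
        return ("killed", None)


if __name__ == "__main__":
    print(parse_untrusted(extract_title, GOOD_PDF))  # ('ok', 'Quarterly report')
    print(parse_untrusted(spin_on_malformed, BAD_PDF, cpu_seconds=1))  # ('killed', None)
```

The CPU limit is what stops the hang: a wall-clock timeout alone would still let the child burn a full core for the whole wait.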