First published: Fri Jun 30 2023
### Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can drive a single CPU core to 100% utilization. It does not affect memory usage. This happens, for example, when the user extracts metadata from such a malformed PDF.

### Patches

The issue was fixed with https://github.com/py-pdf/pypdf/pull/1331

### Workarounds

If you cannot update your version of `PyPDF2` (preferably to `pypdf>3.1.0` as PyPDF2 is deprecated), you should modify `PyPDF2/generic/_data_structures.py::read_object`. Replace:

```python
else:
    # number object OR indirect reference
    peek = stream.read(20)
    stream.seek(-len(peek), 1)  # reset to start
    if IndirectPattern.match(peek) is not None:
        return IndirectObject.read_from_stream(stream, pdf)
    else:
        return NumberObject.read_from_stream(stream)
```

by

```python
elif tok in b"0123456789+-.":
    # number object OR indirect reference
    peek = stream.read(20)
    stream.seek(-len(peek), 1)  # reset to start
    if IndirectPattern.match(peek) is not None:
        return IndirectObject.read_from_stream(stream, pdf)
    else:
        return NumberObject.read_from_stream(stream)
else:
    raise PdfReadError(
        f"Invalid Elementary Object starting with {tok} @{stream.tell()}"
    )
```

### References

* [pypdf issue #1329](https://github.com/py-pdf/pypdf/issues/1329)
* [pypdf PR #1331](https://github.com/py-pdf/pypdf/pull/1331)
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pypdf Project Pypdf | =2.10.5 | |
A crafted PDF can cause an infinite loop in the process that parses it, which can use 100% of a CPU core.
A crafted PDF can block the affected software by causing an infinite loop.
PyPDF2 version 2.10.5 is affected by this vulnerability.
Update to PyPDF2 version 2.10.6 to fix this vulnerability.
You can find more information about CVE-2023-36807 on the GitHub security advisory page and the NIST vulnerability detail page.
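Why the added `else: raise PdfReadError(...)` branch in the workaround stops the loop, shown as an added example that is not PyPDF2's code. It is a toy model: `read_number`, `parse_array` and the `max_steps` guard are hypothetical names, the caller is assumed to keep calling `read_object` until it sees a closing delimiter, and the malformed input is constructed for the demonstration.

```python
import io

NUMBER_START = b"0123456789+-."   # byte set used by the patched branch

class PdfReadError(Exception):
    """Local stand-in for PyPDF2's PdfReadError."""

def read_number(stream):
    """Read a run of numeric bytes; consumes nothing if the first byte is not numeric."""
    digits = b""
    while (c := stream.read(1)) and c in NUMBER_START:
        digits += c
    stream.seek(-len(c), 1)          # push back the terminating byte (no-op at EOF)
    return digits

def read_object(stream, patched):
    tok = stream.read(1)
    stream.seek(-len(tok), 1)        # peek only
    if patched and (not tok or tok not in NUMBER_START):
        raise PdfReadError(
            f"Invalid Elementary Object starting with {tok!r} @{stream.tell()}"
        )
    return read_number(stream)       # unpatched fallback: any unknown byte is "a number"

def parse_array(data, patched, max_steps=10_000):
    """Return ("ok", items), ("rejected", message) or ("stuck", offset)."""
    stream = io.BytesIO(data)
    stream.read(1)                   # skip the opening "["
    items = []
    for _ in range(max_steps):       # demo guard only; the modelled caller loops unbounded
        tok = stream.read(1)
        while tok.isspace():
            tok = stream.read(1)
        if tok in (b"]", b""):
            return ("ok", items)
        stream.seek(-1, 1)
        try:
            items.append(read_object(stream, patched))
        except PdfReadError as exc:
            return ("rejected", str(exc))
    return ("stuck", stream.tell())  # offset never advanced past the bad byte

if __name__ == "__main__":
    malformed = b"[1 ? 2]"           # constructed sample: "?" starts no valid object
    print(parse_array(malformed, patched=False))
    print(parse_array(malformed, patched=True))
```

In the unpatched path the read offset stays on the invalid byte, so each iteration returns an empty token without consuming input; the patched path fails fast with an error the caller can handle.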