CVE-2023-46250

Name	CVE-2023-46250
Description	pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions 3.7.0 through 3.16.4 can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations. The issue was fixed in version 3.17.0. As a workaround, apply the patch manually by modifying `pypdf/generic/_data_structures.py`.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pypdf (PTS)	bookworm	3.4.1-1+deb12u1	fixed
	sid, trixie	4.3.1-1	fixed
pypdf2 (PTS)	jessie	1.23+git20141008-1+deb8u1	fixed
	stretch (security)	1.26.0-2+deb9u1	fixed
	stretch (lts), stretch	1.26.0-2+deb9u2	fixed
	buster (security), buster, buster (lts)	1.26.0-2+deb10u2	fixed
	bullseye	1.26.0-4+deb11u1	fixed
	bookworm	2.12.1-3+deb12u1	fixed
	sid	2.12.1-4	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
pypdf	source	(unstable)	(not affected)
pypdf2	source	(unstable)	(not affected)

Notes

- pypdf <not-affected> (Vulnerable code not yet present)
- pypdf2 <not-affected> (Vulnerable code not yet present)
https://github.com/py-pdf/pypdf/security/advisories/GHSA-wjcc-cq79-p63f
https://github.com/py-pdf/pypdf/pull/2264
https://github.com/py-pdf/pypdf/commit/9b23ac3c9619492570011d551d521690de9a3e2d (3.17.0)