
Potential vulnerability: An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage #157

Open
hucarxiao opened this issue Dec 19, 2023 · 3 comments

Comments

@hucarxiao

hucarxiao commented Dec 19, 2023

I would like to bring to your attention a potential vulnerability in the latest version of https://github.com/m32/endesive related to the method in endesive/pdf/PyPDF2/pdf.py which is the function (line 2000): def readNextEndLine(self, stream). The vulnerability bears similarities to the recently disclosed GHSA-jrm6-h9cq-8gqw in the project https://github.com/py-pdf/pypdf

The source vulnerability information is as follows:

CVE Identifier: GHSA-jrm6-h9cq-8gqw
Security issue or vulnerability information
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-36810
Patch: py-pdf/pypdf@c6c56f5

Vulnerability Description:
pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. This issue has been addressed in PR 808 and versions from 1.27.9 include this fix. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Considering the potential risks it may have, I am willing to cooperate with you to verify, address, and report the identified vulnerability promptly through responsible means. If you require any further information or assistance, please comment and discuss here.

@m32
Owner

m32 commented Dec 19, 2023

Thank you for pointing out the correction, I applied it to endesive.
I have no idea how to check its operation, do you have any ideas?

m32 pushed a commit that referenced this issue Dec 19, 2023
@hucarxiao
Author

Thank you for your reply. I think you could check the CVE patch, as it has Tests/test_reader.py changes as a UT.
Patch: py-pdf/pypdf@c6c56f5
I also think the patch still has the potential for out of memory, because changing str to list is merely a space-time trade-off rather than a fundamental solution to the issue. Therefore, I believe it may be advisable to apply for a new CVE (Common Vulnerabilities and Exposures) to address this matter at its root. What do you think?
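The two patterns the thread contrasts, shown side by side as an added example that is not code from endesive or pypdf: a backwards line reader that builds the line by prepending one byte at a time to a bytes object (the quadratic form) and the same reader collecting bytes into a list and joining once (the form the pypdf patch switched to). The loop shape, the `_step_back` helper and the `copied` work counter are my own simplification, not the actual readNextEndLine implementation; the input is a constructed byte string, not a real PDF.

```python
import io


def _step_back(stream):
    """Move one byte back and return that byte, or None at the start of the stream."""
    pos = stream.tell()
    if pos == 0:
        return None
    stream.seek(pos - 1)
    byte = stream.read(1)
    stream.seek(pos - 1)
    return byte


def read_prev_line_prepend(stream):
    """Quadratic form: every prepend allocates a new bytes object and copies the
    whole line so far. Returns (line, bytes copied) so the cost is observable."""
    line, copied = b"", 0
    byte = _step_back(stream)
    while byte in (b"\r", b"\n"):  # skip the terminator we are positioned after
        byte = _step_back(stream)
    while byte is not None and byte not in (b"\r", b"\n"):
        line = byte + line          # copies len(line) + 1 bytes
        copied += len(line)
        byte = _step_back(stream)
    return line, copied


def read_prev_line_list(stream):
    """Linear form: append is amortised O(1); one O(n) join at the end.
    Memory still grows with the line length, which is the trade-off noted above."""
    parts, copied = [], 0
    byte = _step_back(stream)
    while byte in (b"\r", b"\n"):
        byte = _step_back(stream)
    while byte is not None and byte not in (b"\r", b"\n"):
        parts.append(byte)
        copied += 1
        byte = _step_back(stream)
    line = b"".join(reversed(parts))
    copied += len(line)
    return line, copied


def compare(data):
    """Run both readers from the end of `data` (where a trailer parser starts)
    and return (line_prepend, copies_prepend, line_list, copies_list)."""
    results = []
    for reader in (read_prev_line_prepend, read_prev_line_list):
        stream = io.BytesIO(data)
        stream.seek(0, io.SEEK_END)
        results.extend(reader(stream))
    return tuple(results)


# Constructed input: a header line followed by one long unterminated line.
LONG_TAIL = b"%PDF-1.4\n" + b"A" * 1000
```

With a 1000-byte final line the prepend reader copies 500500 bytes and the list reader 2000; the gap widens quadratically with the line length.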

@m32
Owner

m32 commented Dec 20, 2023

The best solution I see is to completely remove the pypdf2 code from endesive. If you want to work on this topic, you are welcome, I will do it myself, but I don't have time for it at the moment :(
