
chore(deps): update dependency pypdf to v3.17.0 [security] #24

Open
renovate[bot] wants to merge 1 commit into dev from renovate/pypi-pypdf-vulnerability

Conversation

renovate bot commented Aug 7, 2024

This PR contains the following updates:

Package: pypdf (changelog)
Change: 3.8.1 -> 3.17.0

GitHub Vulnerability Alerts

CVE-2023-36464

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if __parse_content_stream is executed. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case if the user extracted text from such a PDF.

Example Code and a PDF that causes the issue:

from pypdf import PdfReader

# https://objects.githubusercontent.com/github-production-repository-file-5c1aeb/3119517/11367871?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230627%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230627T201018Z&X-Amz-Expires=300&X-Amz-Signature=d71c8fd9181c4875f0c04d563b6d32f1d4da6e7b2e6be2f14479ce4ecdc9c8b2&X-Amz-SignedHeaders=host&actor_id=1658117&key_id=0&repo_id=3119517&response-content-disposition=attachment%3Bfilename%3DMiFO_LFO_FEIS_NOA_Published.3.pdf&response-content-type=application%2Fpdf
reader = PdfReader("MiFO_LFO_FEIS_NOA_Published.3.pdf")
page = reader.pages[0]
page.extract_text()

The issue was introduced with https://github.com/py-pdf/pypdf/pull/969

Patches

The issue was fixed with https://github.com/py-pdf/pypdf/pull/1828

Workarounds

It is recommended to upgrade to pypdf>=3.9.0. PyPDF2 users should migrate to pypdf.

If you cannot update your version of pypdf, you should modify pypdf/generic/_data_structures.py:

OLD: while peek not in (b"\r", b"\n"):
NEW: while peek not in (b"\r", b"\n", b""):
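The workaround above adds b"" to the loop's terminators because a stream's read(1) returns an empty bytes object at end of data rather than raising, so a comment that runs to EOF with no CR/LF never satisfies the OLD condition. What follows is an added example, not code from pypdf or from this PR: a small stand-in for the comment-skipping loop that can be run with either terminator tuple, plus a constructed content stream whose final comment has no trailing newline. The iteration guard exists only so the pre-fix behaviour can be observed without hanging the interpreter; the real fix is treating b"" as a terminator.

```python
from io import BytesIO

# Constructed sample content stream (not the advisory's PDF): the final
# '%' comment runs to the end of the data with no CR/LF after it.
TRUNCATED_STREAM = b"BT /F1 12 Tf (Hello) Tj ET % comment cut off at end of data"


def skip_comment(stream, hardened, guard=10_000):
    """Consume a comment body up to the next line end, in the shape of the
    loop the advisory patched.

    hardened=False uses the OLD terminator tuple, hardened=True the NEW one.
    Returns (consumed_bytes, terminated). terminated is False when the
    iteration guard tripped, which is how this demo shows that the unpatched
    loop never ends: stream.read(1) keeps returning b"" at EOF, and b"" is
    neither CR nor LF. The guard is for demonstration only.
    """
    terminators = (b"\r", b"\n", b"") if hardened else (b"\r", b"\n")
    consumed = bytearray()
    iterations = 0
    peek = stream.read(1)
    while peek not in terminators:
        consumed += peek
        peek = stream.read(1)
        iterations += 1
        if iterations >= guard:
            return bytes(consumed), False
    return bytes(consumed), True


def parse_trailing_comment(data, hardened):
    """Position a stream just after the first '%' in data and skip the comment."""
    stream = BytesIO(data)
    stream.seek(data.index(b"%") + 1)
    return skip_comment(stream, hardened)


if __name__ == "__main__":
    for hardened in (False, True):
        body, finished = parse_trailing_comment(TRUNCATED_STREAM, hardened)
        label = "NEW" if hardened else "OLD"
        print(f"{label}: finished={finished} consumed={body!r}")
```

On a well-formed stream both variants stop at the line end and return the same bytes; only the truncated input separates them, which is why a fuzzer or a single malformed upload is enough to find this class of bug, and why a terminator check on untrusted byte streams should always include the EOF sentinel of the reader in use.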

CVE-2023-46250

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop.
This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage.

That is, for example, the case when the pypdf user manipulates an incoming malicious PDF, e.g. by merging it with another PDF or by adding annotations.

Patches

The issue was fixed with #​2264

Workarounds

If you cannot update your version of pypdf, you should modify pypdf/generic/_data_structures.py just like #​2264 did.
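Both advisories on this PR share the same impact: a parser that never returns while pinning one core. Independently of the library fix, a service that accepts third-party PDFs therefore wants a hard budget around every parse so that a looping or self-cloning document fails fast instead of blocking a worker. The following is an added example, not code from pypdf or from this PR: a deadline context manager built on signal.setitimer (POSIX, main thread only) with an optional tighter recursion limit, exercised against constructed stand-in functions that loop and recurse without end. The pypdf call at the bottom is the one from the advisory and is what you would wrap in practice.

```python
import signal
import sys
from contextlib import contextmanager


class ParseDeadlineExceeded(Exception):
    """Raised when processing of an untrusted document overruns its time budget."""


@contextmanager
def parse_deadline(seconds, max_recursion=None):
    """Run the enclosed block under a wall-clock budget and, optionally, a
    tighter recursion limit.

    A looping parser is interrupted by SIGALRM (the handler fires between
    Python bytecodes, which is where pypdf's loops run), and runaway recursion
    surfaces as RecursionError sooner than the interpreter's default limit would.
    """
    def _on_alarm(signum, frame):
        raise ParseDeadlineExceeded(f"exceeded {seconds}s budget")

    previous_handler = signal.signal(signal.SIGALRM, _on_alarm)
    previous_limit = sys.getrecursionlimit()
    if max_recursion is not None:
        sys.setrecursionlimit(max_recursion)
    signal.setitimer(signal.ITIMER_REAL, seconds)
    try:
        yield
    finally:
        # Always disarm the timer and restore interpreter state, whatever happened.
        signal.setitimer(signal.ITIMER_REAL, 0)
        signal.signal(signal.SIGALRM, previous_handler)
        sys.setrecursionlimit(previous_limit)


def run_guarded(fn, seconds=5.0, max_recursion=None):
    """Call fn() under parse_deadline.

    Returns ("ok", result) on success, ("timeout", message) when the budget
    ran out, or ("recursion", message) when the recursion limit was hit.
    """
    try:
        with parse_deadline(seconds, max_recursion):
            return "ok", fn()
    except ParseDeadlineExceeded as exc:
        return "timeout", str(exc)
    except RecursionError as exc:
        return "recursion", str(exc)


# Constructed stand-ins for the two failure modes in the advisories. They are
# not pypdf code; they only reproduce the shape of the problem.
def spin_forever():
    """A parser stuck in a while-loop that never sees its terminator."""
    while True:
        pass


def recurse_forever(depth=0):
    """An object graph that clones itself without end."""
    return recurse_forever(depth + 1)


def well_behaved():
    """A parser that finishes normally."""
    return "extracted text"


if __name__ == "__main__":
    # Real use: wrap the pypdf call from the advisory. pypdf is only needed here.
    from pypdf import PdfReader

    path = sys.argv[1]
    status, payload = run_guarded(
        lambda: PdfReader(path).pages[0].extract_text(), seconds=10.0, max_recursion=800
    )
    print(status, payload)
```

The wall-clock timer covers the content-stream loop; the recursion limit turns the cloning case into a RecursionError well before the interpreter's default would. A signal-based guard cannot interrupt a loop inside C extension code and only works in the main thread, so for a production ingest path run the parser in a separate worker process with an RLIMIT_CPU ceiling as well, and treat a timeout as a rejected document rather than a retry.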


Release Notes

py-pdf/pypdf (pypdf)

v3.17.0

Bug Fixes (BUG)
  • Mediabox expansion size when applying non-right angle rotation (#​2282)
Robustness (ROB)
  • MissingWidth is IndirectObject (#​2288)
  • Initialize states array with an empty value (#​2280)

v3.16.4

Security (SEC)
  • Infinite recursion when using PdfWriter(clone_from=reader) (#​2264)
New Features (ENH)
  • Add parameter to select images to be removed (#​2214)
Bug Fixes (BUG)
  • Correctly handle image mode 1 with FlateDecode (#​2249)
  • Error when filling a value with parentheses #​2268 (#​2269)
  • Handle empty root outline (#​2239)

v3.16.3

Bug Fixes (BUG)
  • Avoid exceeding recursion depth when retrieving image mode (#​2251)

v3.16.2

Bug Fixes (BUG)
  • Invalid cm/tm in visitor functions (#​2206)
  • Encrypt / decrypt Stream object dictionaries (#​2228)
  • Support nested color spaces for the /DeviceN color space (#​2241)
  • Images property fails if NullObject in list (#​2215)
Developer Experience (DEV)
  • Unify mypy options and warn redundant workarounds (#​2223)

v3.16.1

Bug Fixes (BUG)
  • PDF size increases because of too high float writing precision (#​2213)
  • Fix test_watermarking_reportlab_rendering() (#​2203)

v3.16.0

⚠️ The 'rename PdfWriter.create_viewer_preference to
PdfWriter.create_viewer_preferences (#​2190)' could be a breaking change for you,
if you use it. As it was only introduced last week I'm confident enough that
nobody will be affected though. Hence only the patch update.

Bug Fixes (BUG)
  • Missing new line in extract_text with cm operations (#​2142)
  • _get_fonts not processing properly CIDFonts and annotations (#​2194)
Maintenance (MAINT)
  • Rename PdfWriter.create_viewer_preference to PdfWriter.create_viewer_preferences (#​2190)

v3.15.5

Security (SEC)
  • Infinite recursion caused by IndirectObject clone (#​2156)
New Features (ENH)
  • Ease access to ViewerPreferences (#​2144)
Bug Fixes (BUG)
  • Catch the case where w[0] is an IndirectObject instead of an int (#​2154)
  • Cope with indirect objects in filters and remove deprecated code (#​2177)
  • Accept tabs in cmaps (#​2174) / cope with extra space (#​2151)
  • Merge pages without resources (#​2150)
  • getcontents() shall return None if contents is NullObject (#​2161)
  • Fix conversion from 1 to LA (#​2175)
Robustness (ROB)
  • Accept XYZ with no arguments (#​2178)

v3.15.4

Bug Fixes (BUG)
  • Cope with missing /I in articles (#​2134)
  • Fix image look-up table in EncodedStreamObject (#​2128)
  • remove_images not operating in sub level forms (#​2133)
Robustness (ROB)

v3.15.3

Performance Improvements (PI)
  • Making pypdf as fast as pdfrw (#​2086)
Maintenance (MAINT)
  • Relax typing_extensions version (#​2104)

v3.15.2

Bug Fixes (BUG)
  • Check version of crypt provider (#​2115)
  • TypeError: can't concat str to bytes (#​2114)
  • Require flit_core >= 3.9 (#​2091)

v3.15.1

Security (SEC)
  • Avoid endless recursion of reading damaged PDF file (#​2093)
Performance Improvements (PI)
Maintenance (MAINT)
  • Make ParseError inherit from PyPdfError (#​2097)

v3.15.0

Performance Improvements (PI)
  • optimize _decode_png_prediction (#​2068)
Bug Fixes (BUG)
  • Fix incorrect tm_matrix in call to visitor_text (#​2060)
  • Writing German characters into form fields (#​2047)
  • Prevent stall when accessing image in corrupted pdf (#​2081)
  • append() fails when articles do not have /T (#​2080)
Robustness (ROB)
  • Cope with xref not followed by separator (#​2083)

v3.14.0

New Features (ENH)
  • Add level parameter to compress_content_streams (#​2044)
  • Process /uniHHHH for text_extract (#​2043)
Bug Fixes (BUG)
  • Fix AnnotationBuilder.link (#​2066)
  • JPX image without ColorSpace (#​2062)
  • Added check for field /Info when cloning reader document (#​2055)
  • Fix indexed/CMYK images (#​2039)
Maintenance (MAINT)
  • Cryptography as primary dependency (#​2053)

v3.13.0

New Features (ENH)
  • Accelerate image list keys generation (#​2014)
  • Use cryptography for encryption/decryption as a fallback for PyCryptodome (#​2000)
  • Extract LaTeX characters (#​2016)
  • ASCIIHexDecode.decode now returns bytes instead of str (#​1994)
Bug Fixes (BUG)
  • Add RunLengthDecode filter (#​2012)
  • Process /Separation ColorSpace (#​2007)
  • Handle single element ColorSpace list (#​2026)
  • Process lookup decoded as TextStringObjects (#​2008)
Robustness (ROB)
  • Cope with garbage collector during cloning (#​1841)
Maintenance (MAINT)

v3.12.2

New Features (ENH)
  • Add is_open in outlines in PdfReader and PdfWriter (#​1960)
Bug Fixes (BUG)
  • Search /DA in hierarchy fields (#​2002)
  • Cope with different ISO date length (#​1999)
  • Decode Black only/CMYK deviceN images (#​1984)
  • Process CMYK in deflate images (#​1977)
Developer Experience (DEV)

v3.12.1

Bug Fixes (BUG)
  • Accept calRGB and calGray color_spaces (#​1968)
  • Process 2bits and 4bits images (#​1967)
  • Check for AcroForm and ensure it is not None (#​1965)
Developer Experience (DEV)
  • Automate the release process (#​1970)

v3.12.0

Bug Fixes (BUG)
  • Prevent updating page contents after merging page (stamping/watermarking) (#​1952)
  • % to be hex encoded in names (#​1958)
  • Inverse color in CMYK images (#​1947)
  • Dates conversion not working with Z00'00' (#​1946)
  • Support UTF-16-LE Strings (#​1884)

v3.11.1

New Features (ENH)
Bug Fixes (BUG)
  • PdfReader.get_fields() attempts to delete non-existing index "/Off" (#​1933)
  • Remove unused objects when cloning_from (#​1926)
  • Add the TK.SIZE into the trailer (#​1911)
  • add_named_destination() maintains named destination list sort order (#​1930)

v3.11.0

Bug Fixes (BUG)
  • Cascaded filters in image objects (#​1913)
  • Append pdf with named destination using numbers for pages (#​1858)
  • Ignore "/B" fields only on pages in PdfWriter.append() (#​1875)

v3.10.0

New Features (ENH)
Bug Fixes (BUG)
  • File expansion when updating with Page Contents (#​1906)
  • Missing Alternate in indexed/ICCbased colorspaces (#​1896)

v3.9.1

New Features (ENH)
  • Extraction of inline images (#​1850)
  • Add capability to replace image (#​1849)
  • Extend images interface by returning an ImageFile(File) class (#​1848)
  • Add set_data to EncodedStreamObject (#​1854)
Bug Fixes (BUG)
  • Fix RGB FlateEncode Images(PNG) and transparency (#​1834)
  • Generate static appearance for fields (#​1864)

v3.9.0

Deprecations (DEP)
Bug Fixes (BUG)
Robustness (ROB)
  • Handle missing /Type entry in Page tree (#​1859)


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.

cr-gpt bot commented Aug 7, 2024

Seems you are using me but didn't get OPENAI_API_KEY set in Variables/Secrets for this repo. You could follow the readme for more information.

renovate bot force-pushed the renovate/pypi-pypdf-vulnerability branch from 5d2d989 to 5b4633c on October 29, 2024 02:45
cr-gpt bot commented Oct 29, 2024

Seems you are using me but didn't get OPENAI_API_KEY set in Variables/Secrets for this repo. You could follow the readme for more information.
