
Potential vulnerability: An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage

Open hucarxiao opened this issue 1 year ago • 3 comments

I would like to bring to your attention a potential vulnerability in the latest version of https://github.com/m32/endesive related to the method in endesive/pdf/PyPDF2/pdf.py, in the function (line 2000) def readNextEndLine(self, stream). The vulnerability bears similarities to the recently disclosed https://github.com/advisories/GHSA-jrm6-h9cq-8gqw in the project https://github.com/py-pdf/pypdf

The source vulnerability information is as follows:

CVE Identifier: https://github.com/advisories/GHSA-jrm6-h9cq-8gqw
Security issue or vulnerability information reference: https://nvd.nist.gov/vuln/detail/CVE-2023-36810
Patch: https://github.com/py-pdf/pypdf/commit/c6c56f550bb384e05f0139c796ba1308837d6373

Vulnerability Description: pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. This issue has been addressed in PR 808 and versions from 1.27.9 include this fix. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Considering the potential risks it may have, I am willing to cooperate with you to verify, address, and report the identified vulnerability promptly through responsible means. If you require any further information or assistance, please comment and discuss here.

hucarxiao, Dec 19 '23 08:12

Thank you for pointing out the correction, I applied it to endesive. I have no idea how to check its operation, do you have any ideas?

m32, Dec 19 '23 13:12

Thank you for your reply. I think you could check the CVE patch, as it has Tests/test_reader.py changes as a UT. Patch: https://github.com/py-pdf/pypdf/commit/c6c56f550bb384e05f0139c796ba1308837d6373 I also think the patch still has potential for out of memory, because changing str to list is merely a space-time trade-off rather than a fundamental solution to the issue. Therefore, I believe it may be advisable to apply for a new CVE (Common Vulnerabilities and Exposures) to address this matter at its root. What do you think?

hucarxiao, Dec 20 '23 01:12
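To make the quadratic-runtime pattern from the advisory and the str-to-list change discussed in the comment above concrete, here is an added, simplified backwards line reader of the kind readNextEndLine implements; it is example code written for this page, not endesive's or pypdf's own code. It assumes a reader that walks a stream from the end towards the start one byte at a time (as a parser does when locating "startxref"), and adds a line-length bound (MAX_LINE_LEN, an assumed value) as the kind of hard limit the comment asks for; SAMPLE_TAIL is a constructed PDF tail, not a real file.

```python
import io

EOL = (b"\n", b"\r")
MAX_LINE_LEN = 1 << 16  # assumed bound; real PDF trailer lines are tiny

def _prev_byte(stream):
    # Byte just before the position; leaves the position in front of it.
    if stream.tell() == 0:
        return b""  # start of stream reached
    stream.seek(-1, io.SEEK_CUR)
    x = stream.read(1)
    stream.seek(-1, io.SEEK_CUR)
    return x

def _skip_eol(stream, x):
    # Having stepped over EOL byte x, also consume the CR of a CRLF pair.
    if x == b"\n":
        y = _prev_byte(stream)
        if y and y != b"\r":
            stream.seek(1, io.SEEK_CUR)  # not a pair: put the byte back

def read_line_backwards_quadratic(stream):
    # Pattern behind the advisory: prepending to an immutable bytes object
    # copies the whole line every iteration, so an n-byte line costs O(n^2).
    line = b""
    while (x := _prev_byte(stream)) and x not in EOL:
        line = x + line  # full copy each time
    if x:
        _skip_eol(stream, x)
    return line

def read_line_backwards_linear(stream, max_len=MAX_LINE_LEN):
    # Fixed pattern: append to a list and join once (O(n)), plus an explicit
    # bound so a pathological line fails fast instead of burning a core.
    parts = []
    while (x := _prev_byte(stream)) and x not in EOL:
        parts.append(x)
        if len(parts) > max_len:
            raise ValueError("line exceeds %d bytes" % max_len)
    if x:
        _skip_eol(stream, x)
    parts.reverse()
    return b"".join(parts)

def last_lines(data, reader, count, **kwargs):
    # Read the last `count` lines of `data` from the end using `reader`.
    stream = io.BytesIO(data)
    stream.seek(0, io.SEEK_END)
    lines = []
    while len(lines) < count and stream.tell() > 0:
        lines.append(reader(stream, **kwargs))
    return lines

# Constructed PDF tail (not a real file): the lines a parser walks backwards
# through to find the cross-reference offset after "startxref".
SAMPLE_TAIL = b"trailer\r\n<< /Size 7 /Root 1 0 R >>\nstartxref\n1234\n%%EOF"
```

Both readers return the same lines for well-formed input; timing them on a long single line shows the difference in cost, and the bounded reader rejects such a line outright instead of consuming a core.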

The best solution I see is to completely remove the pypdf2 code from endesive. If you want to work on this topic, you are welcome, I will do it myself, but I don't have time for it at the moment :(

m32, Dec 20 '23 13:12