Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 918441 (CVE-2023-36464, CVE-2023-46250) - <dev-python/pypdf-3.17.0: multiple vulnerabilities
Summary: <dev-python/pypdf-3.17.0: multiple vulnerabilities
Alias: CVE-2023-36464, CVE-2023-46250
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa?]
Depends on: 918456
  Show dependency tree
Reported: 2023-11-25 03:14 UTC by John Helmert III
Modified: 2023-11-25 08:33 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 03:14:16 UTC
CVE-2023-46250 (

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions 3.7.0 through 3.16.4 can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations. The issue was fixed in version 3.17.0. As a workaround, apply the patch manually by modifying `pypdf/generic/`.

CVE-2023-36464 (

pypdf is an open source, pure-python PDF library. In affected versions an attacker may craft a PDF which leads to an infinite loop if `__parse_content_stream` is executed. That is, for example, the case if the user extracted text from such a PDF. This issue was introduced in pull request #969 and resolved in pull request #1828. Users are advised to upgrade. Users unable to upgrade may modify the line `while peek not in (b"\r", b"\n")` in `pypdf/generic/` to `while peek not in (b"\r", b"\n", b"")`.

CVE-2023-36464 is fixed in 3.9.0, CVE-2023-46250 is fixed in
3.17.0. Please stabilize >=3.17.0.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 06:58:20 UTC
cleanup done.