pypdf - Debian Package Tracker

general

source: pypdf (main)
version: 5.4.0-1
maintainer: Debian Python Team (DMD)
uploaders: Daniel Kahn Gillmor [DMD] – Scott Kitterman [DMD]
arch: all
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 3.4.1-1+deb12u1
stable: 5.4.0-1
testing: 5.4.0-1
unstable: 5.4.0-1

versioned links

3.4.1-1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.4.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python3-pypdf

action needed

A new upstream version is available: 6.1.3 high

A new upstream version 6.1.3 is available, you should consider packaging it.

Created: 2025-05-12 Last update: 2025-11-08 05:00

3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:

CVE-2025-55197: pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.
CVE-2025-62707: pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. This has been fixed in pypdf version 6.1.3.
CVE-2025-62708: pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter. This has been fixed in pypdf version 6.1.3.

Created: 2025-08-15 Last update: 2025-10-25 18:32

3 security issues in forky high

There are 3 open security issues in forky.

3 important issues:

CVE-2025-55197: pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.
CVE-2025-62707: pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. This has been fixed in pypdf version 6.1.3.
CVE-2025-62708: pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter. This has been fixed in pypdf version 6.1.3.

Created: 2025-08-15 Last update: 2025-10-25 18:32

3 low-priority security issues in trixie low

There are 3 open security issues in trixie.

3 issues left for the package maintainer to handle:

CVE-2025-55197: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.
CVE-2025-62707: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. This has been fixed in pypdf version 6.1.3.
CVE-2025-62708: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter. This has been fixed in pypdf version 6.1.3.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-08-15 Last update: 2025-10-25 18:32

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2025-55197: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-08-15 Last update: 2025-10-25 18:32

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-04-02 23:56

news

[rss feed]

[2025-04-10] pypdf 5.4.0-1 MIGRATED to testing (Debian testing watch)
[2025-04-02] Accepted pypdf 5.4.0-1 (source) into unstable (Santiago Ruano Rincón)
[2024-07-24] pypdf 4.3.1-1 MIGRATED to testing (Debian testing watch)
[2024-07-22] Accepted pypdf 4.3.1-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-04-11] pypdf 4.2.0-1 MIGRATED to testing (Debian testing watch)
[2024-04-09] Accepted pypdf 4.2.0-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-03-18] pypdf 4.1.0-1 MIGRATED to testing (Debian testing watch)
[2024-03-08] Accepted pypdf 4.1.0-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-02-26] Accepted pypdf 3.4.1-1~bpo11+1 (source all) into bullseye-backports (Debian FTP Masters) (signed by: bage@debian.org)
[2024-02-23] pypdf 4.0.2-1 MIGRATED to testing (Debian testing watch)
[2024-02-21] Accepted pypdf 4.0.2-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-02-06] pypdf 4.0.1-1 MIGRATED to testing (Debian testing watch)
[2024-02-01] Accepted pypdf 4.0.1-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-01-27] pypdf 4.0.0-1 MIGRATED to testing (Debian testing watch)
[2024-01-23] Accepted pypdf 4.0.0-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-01-20] Accepted pypdf 3.4.1-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Donald Scott Kitterman)
[2024-01-19] Accepted pypdf 4.0.0-1~exp1 (source) into experimental (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-01-17] pypdf 3.17.4-1 MIGRATED to testing (Debian testing watch)
[2024-01-14] Accepted pypdf 3.17.4-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2023-02-25] pypdf 3.4.1-1 MIGRATED to testing (Debian testing watch)
[2023-02-14] Accepted pypdf 3.4.1-1 (source) into unstable (Daniel Kahn Gillmor) (signed by: dkg@debian.org)
[2023-01-29] pypdf 3.3.0-3 MIGRATED to testing (Debian testing watch)
[2023-01-26] Accepted pypdf 3.3.0-3 (source) into unstable (Daniel Kahn Gillmor) (signed by: dkg@debian.org)
[2023-01-26] Accepted pypdf 3.3.0-2 (source) into unstable (Daniel Kahn Gillmor) (signed by: dkg@debian.org)
[2023-01-23] Accepted pypdf 3.3.0-1 (source) into unstable (Daniel Kahn Gillmor) (signed by: dkg@debian.org)
[2023-01-20] Accepted pypdf 3.2.1-1 (source all) into unstable (Debian FTP Masters) (signed by: dkg@debian.org)

bugs [bug history graph]

all: 3
RC: 0
I&N: 3
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 5.4.0-1