CVE-2023-28428: 
Linux Debian vulnerability analysis and mitigation

PDFio is a C library for reading and writing PDF files. In versions 1.1.0 and prior, a denial of service vulnerability (CVE-2023-28428) exists in the pdfio parser. The vulnerability was discovered and disclosed on March 20, 2023, affecting all versions up to and including 1.1.0. When processing crafted PDF files, the application can be forced to run at 100% CPU utilization and never terminate (GitHub Advisory).

The vulnerability exists in the flate stream code of the PDFio library. The issue occurs when processing corrupted PDF files, where the parser can enter an infinite loop consuming CPU resources. This vulnerability is distinct from CVE-2023-24808. The CVSS v3.1 score is 6.2 MEDIUM (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) according to GitHub's assessment, while NVD rates it as 3.3 LOW (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) (NVD).

The vulnerability can be exploited to cause a denial of service condition. Web servers or other automated processes that rely on this code to convert PDF submissions into plaintext can be disrupted when an attacker uploads a specially crafted PDF file. The impact affects anyone who uses this library either as a standalone binary or as a library component (GitHub Advisory).

A patch for this vulnerability is available in version 1.1.1, released on March 20, 2023. The fix addresses the potential denial-of-service issue in the flate stream code (GitHub Patch). Users are advised to upgrade to version 1.1.1 or later to mitigate this vulnerability.