CVE-2023-36810: 
Python vulnerability analysis and mitigation

CVE-2023-36810 affects pypdf, a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files. The vulnerability was discovered in versions up to 1.27.8 and was fixed in version 1.27.9. The issue involves unexpected long runtime when processing specially crafted PDF files (GitHub Advisory, NVD).

The vulnerability stems from a quadratic runtime complexity issue in the PDF reader code when trying to find the xref marker. The code reads the file backwards and builds a line by concatenating strings in a loop, leading to O(n²) performance. For example, processing a file with 1MB of zeros at the end takes 45.54 seconds, while 2MB takes 357.04 seconds. The CVSS v3.1 base score is 6.5 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (GitHub PR, NVD).

When exploited, this vulnerability allows an attacker to craft a PDF that leads to unexpected long runtime, blocking the current process and utilizing a single core of the CPU at 100%. The issue affects processing performance but does not impact memory usage (GitHub Advisory).

The vulnerability has been fixed in pypdf version 1.27.9 and later. Users are advised to upgrade to the patched version. The fix changes the relevant section of the code to achieve linear runtime O(n), reducing processing time to less than a second for affected cases. There are no known workarounds for this vulnerability other than upgrading (GitHub PR, GitHub Advisory).

The fix was well-received by the community, with the maintainers highlighting it as a significant performance improvement in the release notes. The contribution was praised for including regression tests and addressing a critical performance issue (GitHub PR).