VU#504749: PyMuPDF path traver... Note

VU#504749: PyMuPDF path traversal and arbitrary file write vulnerabilities

PyMuPDF version 1.26.5 contains a critical path traversal vulnerability. This vulnerability allows arbitrary file writing via the 'embedded_get' function in main.py. The flaw arises from unchecked handling of embedded file metadata within PDF documents. Specifically, this metadata is used directly as the output path for extracted files. When the output path isn't explicitly defined, PyMuPDF uses embedded file metadata. This lack of validation permits attackers to specify arbitrary file paths. Exploitation involves crafting a malicious PDF with a path leading outside the intended directory. Successful exploitation enables attackers to write files to any location accessible by the user. This write access could potentially lead to privilege escalation or system compromise. The vulnerability is addressed in PyMuPDF version 1.26.7. Users are strongly advised to update to mitigate the risk. The vulnerability was reported by UKO, and the document was written by Michael Bragg.