PHP ReDoS question

To: debian-lts@lists.debian.org
Subject: PHP ReDoS question
From: Adrian Bunk <bunk@debian.org>
Date: Fri, 20 Dec 2024 10:03:49 +0200
Message-id: <[🔎] Z2Uk5SvXEO6wDNOu@localhost>

Hi,

could someone with more knowledge about PHP look at the following:

https://security-tracker.debian.org/tracker/CVE-2024-22640
https://github.com/zunak/CVE-2024-22640
https://security-tracker.debian.org/tracker/CVE-2024-22641
https://github.com/zunak/CVE-2024-22641

Changing the PoCs to
  require_once('/usr/share/php/tcpdf/tcpdf.php');
I cannot reproduce the issue in bookworm or jessie,
it just seems to work fine already without the fix.

Am I doing something stupid here, or is there some reason why we might 
not be affected by these CVEs?

Thanks
Adrian

Reply to:

Follow-Ups:
- Re: PHP ReDoS question
  - From: Bastien Roucariès <rouca@debian.org>

Prev by Date: Re: Bug#1089033: xen: Please package xen version 4.19
Next by Date: Re: Fixing src:ucf environmnent variable insecurity in [old]stable
Previous by thread: Re: Fixing src:ucf environmnent variable insecurity in [old]stable
Next by thread: Re: PHP ReDoS question
Index(es):
- Date
- Thread