Hello William, hello all,

This is just a quick heads-up about my ongoing work to prepare a security update for tcpdf, to avoid any double work.

Among the currently open CVEs [tcpdf], the most complex backport seems to be CVE-2024-32489, since, of the two referenced commits, the only one that is actually part of the released code is a "squash [of] multiple fixes" [82fc97b]. My plan is to isolate the changes relevant to the fix.

[tcpdf] https://security-tracker.debian.org/tracker/source-package/tcpdf
[CVE-2024-32489] https://security-tracker.debian.org/tracker/CVE-2024-32489
[82fc97b] https://github.com/tecnickcom/TCPDF/commit/82fc97bf1c74c8dbe62b1d3cc6d10fa4b87e0262

Please, if you have any thoughts, questions, comments, ... don't hesitate to speak up.

Other than that, there is no PoC publicly available for most of the CVEs, and I still need to see how difficult it is to test those.

Cheers,

-- 
Santiago