Re: tcpdf {old,}stable security update (was: PHP ReDoS question)

[William Desportes <williamdes@wdes.fr>]

Hello,

Thank you for reaching out to me.
Do you have access to the salsa repository?
I would like to have the collaboration pushed there.
Sure it is best to extract the commit
For another CVE maybe the one you are searching for: <https://github.com/tecnickcom/TCPDF/commit/17fe9597fb31d3d08c0f02a03338928ab8bcf0b5> is the ReDoS commit.

Also, do not backport the curl changes done to fix one of the CVEs, it would require the Dependency of php-curl.

I can do more research when I am back to my workstation.

But you emailed the right person, I monitor each commit pushed into tcpdf since some years.

And yes, no POC to be found. Quite a shame, fixes come out of nowhere and are released as they are.
--
William Desportes

Le 16 mai 2025 20:13:21 GMT+02:00, "Santiago Ruano Rincón" <santiagorr@riseup.net> a écrit :

Hello William, hello all,

This is just a quick heads-up about my on-going work to prepare a
security update for tcpdf, and to avoid any double-work.

Among the currently open CVEs [tcpdf], the most complex backport seems
to be CVE-2024-32489, since among the two referenced commits, the only
one that is actually part of the released code is a "squash [of]
multiple fixes" [82fc97b]. My plan is to isolate the changes relevant to
the fix.

[tcpdf] https://security-tracker.debian.org/tracker/source-package/tcpdf
[CVE-2024-32489] https://security-tracker.debian.org/tracker/CVE-2024-32489
[82fc97b] https://github.com/tecnickcom/TCPDF/commit/82fc97bf1c74c8dbe62b1d3cc6d10fa4b87e0262

Please, if you have any thoughts, questions, comments, ... don't
hesitate to speak up.

Other than that, there is no PoC publicly available for most of the
CVEs, and I still need to see how difficult is to test those.

Cheers,

 -- Santiago