On 16/05/25 at 21:08, William Desportes wrote:
> Hello,
>
> Thank you for reaching out to me.
> Do you have access to the salsa repository?

Not yet. Could you please give me push access?

> I would like to have the collaboration pushed there.

That would be ideal, indeed!

> Sure, it is best to extract the commit.
> For another CVE, maybe the one you are searching for: <https://github.com/tecnickcom/TCPDF/commit/17fe9597fb31d3d08c0f02a03338928ab8bcf0b5> is the ReDoS commit.

Yeah, it is already referenced in https://security-tracker.debian.org/tracker/CVE-2024-22641

> Also, do not backport the curl changes done to fix one of the CVEs; it would require a dependency on php-curl.

Good to know. Thanks!

> I can do more research when I am back at my workstation.
>
> But you emailed the right person; I have been monitoring each commit pushed into tcpdf for some years.

Great!

> And yes, no POC to be found. Quite a shame, fixes come out of nowhere and are released as they are.
> --
> William Desportes
>
> On 16 May 2025 20:13:21 GMT+02:00, "Santiago Ruano Rincón" <santiagorr@riseup.net> wrote:
> >Hello William, hello all,
> >
> >This is just a quick heads-up about my ongoing work to prepare a
> >security update for tcpdf, and to avoid any double work.
> >
> >Among the currently open CVEs [tcpdf], the most complex backport seems
> >to be CVE-2024-32489, since among the two referenced commits, the only
> >one that is actually part of the released code is a "squash [of]
> >multiple fixes" [82fc97b]. My plan is to isolate the changes relevant to
> >the fix.
> >
> >[tcpdf] https://security-tracker.debian.org/tracker/source-package/tcpdf
> >[CVE-2024-32489] https://security-tracker.debian.org/tracker/CVE-2024-32489
> >[82fc97b] https://github.com/tecnickcom/TCPDF/commit/82fc97bf1c74c8dbe62b1d3cc6d10fa4b87e0262
> >
> >Please, if you have any thoughts, questions, comments, ... don't
> >hesitate to speak up.
> >
> >Other than that, there is no PoC publicly available for most of the
> >CVEs, and I still need to see how difficult it is to test those.
> >
> >Cheers,
> >
> > --
> >Santiago

Best,

--
S