
Re: tcpdf {old,}stable security update (was: PHP ReDoS question)



On 16/05/25 at 21:08, William Desportes wrote:
> Hello,
> 
> Thank you for reaching out to me.
> Do you have access to the salsa repository?

Not yet. Could you please give me push access?

> I would like to have the collaboration pushed there.

That would be ideal, indeed!

> Sure it is best to extract the commit
> For another CVE maybe the one you are searching for: <https://github.com/tecnickcom/TCPDF/commit/17fe9597fb31d3d08c0f02a03338928ab8bcf0b5> is the ReDoS commit.

Yeah, it is already referenced in
https://security-tracker.debian.org/tracker/CVE-2024-22641

> Also, do not backport the curl changes done to fix one of the CVEs, it would require the Dependency of php-curl. 

Good to know. Thanks!

> I can do more research when I am back to my workstation. 
> 
> But you emailed the right person, I have been monitoring each commit pushed into tcpdf for some years now.

Great!

> 
> And yes, no POC to be found. Quite a shame, fixes come out of nowhere and are released as they are. 
> --
> William Desportes
> 
> On 16 May 2025 20:13:21 GMT+02:00, "Santiago Ruano Rincón" <santiagorr@riseup.net> wrote:
> >Hello William, hello all,
> >
> >This is just a quick heads-up about my on-going work to prepare a
> >security update for tcpdf, and to avoid any double-work.
> >
> >Among the currently open CVEs [tcpdf], the most complex backport seems
> >to be CVE-2024-32489, since among the two referenced commits, the only
> >one that is actually part of the released code is a "squash [of]
> >multiple fixes" [82fc97b]. My plan is to isolate the changes relevant to
> >the fix.
> >
> >[tcpdf] https://security-tracker.debian.org/tracker/source-package/tcpdf
> >[CVE-2024-32489] https://security-tracker.debian.org/tracker/CVE-2024-32489
> >[82fc97b] https://github.com/tecnickcom/TCPDF/commit/82fc97bf1c74c8dbe62b1d3cc6d10fa4b87e0262
> >
> >Please, if you have any thoughts, questions, comments, ... don't
> >hesitate to speak up.
> >
> >Other than that, there is no PoC publicly available for most of the
> >CVEs, and I still need to see how difficult it is to test those.
> >
> >Cheers,
> >
> > -- Santiago

Best,

 -- S
