Re: tcpdf {old,}stable security update (was: PHP ReDoS question)

To: William Desportes <williamdes@wdes.fr>
Cc: debian-lts@lists.debian.org, team@security.debian.org
Subject: Re: tcpdf {old,}stable security update (was: PHP ReDoS question)
From: Santiago Ruano Rincón <santiagorr@riseup.net>
Date: Fri, 16 May 2025 17:37:41 -0300
Message-id: <[🔎] aCeiFUTCEzXeSMeU@voleno>
In-reply-to: <[🔎] 754013A9-0588-481F-A9B4-B13C5E270821@wdes.fr>
References: <Z2Uk5SvXEO6wDNOu@localhost> <1838094.VApE3GkFCy@portable-bastien> <[🔎] aCeAQYSgu7gMZqhL@voleno> <[🔎] 754013A9-0588-481F-A9B4-B13C5E270821@wdes.fr>

El 16/05/25 a las 21:08, William Desportes escribió:
> Hello,
> 
> Thank you for reaching out to me.
> Do you have access to the salsa repository?

Not yet. Could you please give me push access?

> I would like to have the collaboration pushed there.

That would be ideal, indeed!

> Sure it is best to extract the commit
> For another CVE maybe the one you are searching for: <https://github.com/tecnickcom/TCPDF/commit/17fe9597fb31d3d08c0f02a03338928ab8bcf0b5> is the ReDoS commit.

Yeah, it is already referenced in
https://security-tracker.debian.org/tracker/CVE-2024-22641

> Also, do not backport the curl changes done to fix one of the CVEs, it would require the Dependency of php-curl. 

Good to know. Thanks!

> I can do more research when I am back to my workstation. 
> 
> But you emailed the right person, I monitor each commit pushed into tcpdf since some years. 

Great!

> 
> And yes, no POC to be found. Quite a shame, fixes come out of nowhere and are released as they are. 
> --
> William Desportes
> 
> Le 16 mai 2025 20:13:21 GMT+02:00, "Santiago Ruano Rincón" <santiagorr@riseup.net> a écrit :
> >Hello William, hello all,
> >
> >This is just a quick heads-up about my on-going work to prepare a
> >security update for tcpdf, and to avoid any double-work.
> >
> >Among the currently open CVEs [tcpdf], the most complex backport seems
> >to be CVE-2024-32489, since among the two referenced commits, the only
> >one that is actually part of the released code is a "squash [of]
> >multiple fixes" [82fc97b]. My plan is to isolate the changes relevant to
> >the fix.
> >
> >[tcpdf] https://security-tracker.debian.org/tracker/source-package/tcpdf
> >[CVE-2024-32489] https://security-tracker.debian.org/tracker/CVE-2024-32489
> >[82fc97b] https://github.com/tecnickcom/TCPDF/commit/82fc97bf1c74c8dbe62b1d3cc6d10fa4b87e0262
> >
> >Please, if you have any thoughts, questions, comments, ... don't
> >hesitate to speak up.
> >
> >Other than that, there is no PoC publicly available for most of the
> >CVEs, and I still need to see how difficult is to test those.
> >
> >Cheers,
> >
> > -- Santiago

Best,

 -- S

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: tcpdf {old,}stable security update (was: PHP ReDoS question)
  - From: Santiago Ruano Rincón <santiagorr@riseup.net>

References:
- tcpdf {old,}stable security update (was: PHP ReDoS question)
  - From: Santiago Ruano Rincón <santiagorr@riseup.net>
- Re: tcpdf {old,}stable security update (was: PHP ReDoS question)
  - From: William Desportes <williamdes@wdes.fr>

Prev by Date: Re: tcpdf {old,}stable security update (was: PHP ReDoS question)
Next by Date: Re: Debian (E)LTS report for April 2025
Previous by thread: Re: tcpdf {old,}stable security update (was: PHP ReDoS question)
Next by thread: Re: tcpdf {old,}stable security update (was: PHP ReDoS question)
Index(es):
- Date
- Thread