
Re: tcpdf {old,}stable security update (was: PHP ReDoS question)



Bonjour William, hello security team,

El 16/05/25 a las 17:37, Santiago Ruano Rincón escribió:
> El 16/05/25 a las 21:08, William Desportes escribió:
> > Hello,
> > 
> > Thank you for reaching out to me.
> > Do you have access to the salsa repository?

[...]

This is a quick update about fixing the open issues for tcpdf. I've
pushed the current WIP update at:

https://salsa.debian.org/phpmyadmin-team/tcpdf/-/tree/wip/santiago/debian/bookworm

> > Sure it is best to extract the commit [that fixes CVE-2024-32489]

Done.

> > For another CVE maybe the one you are searching for: <https://github.com/tecnickcom/TCPDF/commit/17fe9597fb31d3d08c0f02a03338928ab8bcf0b5> is the ReDoS commit.

I've been unable to reproduce the POCs for CVE-2024-22640 and
CVE-2024-22641. Not sure how these can be exploited on a regular system.

>> Also, do not backport the curl changes done to fix one of the CVEs, it would require the Dependency of php-curl.

Did as you suggested.

> > And yes, no POC to be found. Quite a shame, fixes come out of nowhere and are released as they are. 

Other than those two ReDoS issues already mentioned (BTW CVE-2024-56520
seems to be ReDoS-related too), so far, I haven't been able to exploit
any of the other open issues either.  I could give a better try to some
of them (e.g. CVE-2024-51058), but I fear that it will be difficult to
fully test all of those CVEs and their fixes. Help is welcome on that
side.

Other than that, I have verified that autopkgtest works correctly for
both the current version [0] in bookworm and the proposed update [1].
That includes locally running the different example files (based on
debian/tests/test.sh) and checking the results. This includes
example_049.php, which was modified with the patch for CVE-2024-32489.

[0] https://salsa.debian.org/phpmyadmin-team/tcpdf/-/jobs/7616586
[1] https://salsa.debian.org/phpmyadmin-team/tcpdf/-/jobs/7601105

Debdiff attached for convenience.

Cheers,

 -- Santiago
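As an added illustration of the ReDoS discussion above, here is a small PHP harness (written for this page, not taken from the mail, the Debian package or upstream TCPDF) that runs the pre-fix and post-fix CVE-2024-22640 patterns from include/tcpdf_colors.php against a constructed, never-closed colour array and reports the PCRE result, error and timing. The two regexes are copied from the patch hunk in the debdiff; the payload, the helper names and the size ladder are this example's own choices, and `preg_last_error_msg()` assumes PHP 8.0 or later, which bookworm's PHP 8.2 satisfies.

```php
<?php
// Added example, not part of the Debian mail or of TCPDF itself: a
// before/after harness for the CVE-2024-22640 regex in include/tcpdf_colors.php.
// Both patterns are copied from the patch; payload and helpers are this example's own.
declare(strict_types=1);

// Pattern before upstream commit 05f3a28: four backtracking [0-9\.]* groups.
const COLOR_RE_OLD = '/[\[][\"\'](t|g|rgb|cmyk)[\"\'][\,]?([0-9\.]*)[\,]?([0-9\.]*)[\,]?([0-9\.]*)[\,]?([0-9\.]*)[\]]/';
// Pattern after the fix: possessive *+ quantifiers, the engine never re-splits the groups.
const COLOR_RE_NEW = '/[\[][\"\'](t|g|rgb|cmyk)[\"\'][\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\]]/';

/**
 * Constructed payload: a JavaScript-style colour array whose closing ']' is
 * missing. The old pattern then tries every way of distributing the digit run
 * over the four groups (each optional [\,]? separator matches empty), which
 * grows roughly with the fourth power of the digit count.
 */
function craftedColor(int $digits): string
{
    return "['rgb'" . str_repeat('1', $digits);
}

/** Run one preg_match() and report its result, the PCRE error state and wall-clock time. */
function timeMatch(string $pattern, string $subject): array
{
    $t0 = hrtime(true);
    $rc = preg_match($pattern, $subject, $m);
    return [
        'rc'    => $rc,                    // 1 = match, 0 = no match, false = PCRE error
        'error' => preg_last_error_msg(),  // "No error" or e.g. "Backtrack limit exhausted"
        'ms'    => (hrtime(true) - $t0) / 1e6,
    ];
}

// Sanity check: a well-formed colour must parse identically before and after the fix.
$wellFormed = "['rgb',255,0,0]";
preg_match(COLOR_RE_OLD, $wellFormed, $before);
preg_match(COLOR_RE_NEW, $wellFormed, $after);
if ($before !== $after) {
    fwrite(STDERR, "fix changed the accepted colour syntax\n");
    exit(1);
}

printf("pcre.jit=%s pcre.backtrack_limit=%s\n", ini_get('pcre.jit'), ini_get('pcre.backtrack_limit'));
foreach ([20, 40, 80, 160, 320] as $n) {
    $subject = craftedColor($n);
    $old = timeMatch(COLOR_RE_OLD, $subject);
    $new = timeMatch(COLOR_RE_NEW, $subject);
    printf("%4d digits  old: rc=%-5s %-26s %9.2f ms   new: rc=%-5s %7.2f ms\n",
        $n, var_export($old['rc'], true), $old['error'], $old['ms'],
        var_export($new['rc'], true), $new['ms']);
}
```

Run it with `php redos_check.php` under the bookworm PHP. On a stock php.ini the old pattern does not simply hang: once the engine passes `pcre.backtrack_limit` (1000000 by default) `preg_match()` typically returns `false` with "Backtrack limit exhausted", and TCPDF's `preg_match(...) > 0` test then just skips the colour branch, so the wall-clock cost is bounded by that limit. That is one reason a PoC can look harmless on a regular system. Raising the limit (`php -d pcre.backtrack_limit=100000000 redos_check.php`) exposes the polynomial growth, while the possessive pattern fails in constant time for any digit count.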
diff -Nru tcpdf-6.6.2+dfsg1/debian/changelog tcpdf-6.6.2+dfsg1/debian/changelog
--- tcpdf-6.6.2+dfsg1/debian/changelog	2022-12-23 17:14:51.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/changelog	2025-05-19 23:47:41.000000000 -0300
@@ -1,3 +1,26 @@
+tcpdf (6.6.2+dfsg1-1+deb12u1) bookworm-security; urgency=medium
+
+  * Exclude quilt managed directory .pc/ from phpab in debian/rules
+  * Explicitly specify RELEASE: bookworm in d/gitlab-ci.yml
+  * Fix CVE-2024-22640: ReDoS (Regular Expression Denial of Service) if
+    parsing an untrusted HTML page with a crafted color
+  * Fix CVE-2024-22641: ReDoS (Regular Expression Denial of Service) if
+    parsing an untrusted SVG file (Closes: #1072528)
+  * Fix CVE-2024-32489: tcpdf mishandles calls that use HTML syntax
+  * Fix CVE-2024-51058: Local File Inclusion (LFI) vulnerability through <img>
+    src tag (Closes: #1088332)
+  * Fix CVE-2024-56519: setSVGStyles does not sanitize the SVG font-family
+    attribute (Closes: #1091685)
+  * Fix CVE-2024-56520: tcpdf, throught its use of tc-lib-pdf-font, mishandles
+    fonts like FontBBox for Type 1 and misparses TrueType fonts
+    (Closes: #1091686)
+  * Fix CVE-2024-56522: unserializeTCPDFtag doesn't make use of constant-time
+    function to compare TCPDF tag hashes (Closes: #1091688)
+  * Fix CVE-2024-56527: the Error function lacks an htmlspecialchars call for
+    the error message (Closes: #1091689)
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net>  Mon, 19 May 2025 23:47:41 -0300
+
 tcpdf (6.6.2+dfsg1-1) unstable; urgency=medium
 
   * New upstream version 6.6.2+dfsg1
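Review bot: the CVE-2024-56520 entry misspells "through" as "throught", and "mishandles fonts like FontBBox" reads oddly since FontBBox is an entry in a Type 1 font dictionary rather than a font; "mishandles Type 1 font metrics such as FontBBox and misparses TrueType fonts" would match what the patch changes. The bug closures (#1072528, #1088332, #1091685, #1091686, #1091688, #1091689) do line up with the Bug-Debian headers of the corresponding patches, and CVE-2024-22640 and CVE-2024-32489 correctly carry none.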
diff -Nru tcpdf-6.6.2+dfsg1/debian/gitlab-ci.yml tcpdf-6.6.2+dfsg1/debian/gitlab-ci.yml
--- tcpdf-6.6.2+dfsg1/debian/gitlab-ci.yml	2022-12-23 17:14:51.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/gitlab-ci.yml	2025-05-15 22:49:47.000000000 -0300
@@ -4,3 +4,4 @@
 
 variables:
     SALSA_CI_REPROTEST_ARGS: '--print-sudoers --vary=user_group.available+=root:root --vary=user_group.available+=www-data:www-data --vary=domain_host.use_sudo=1'
+    RELEASE: bookworm
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/0001-fix-CSV-2024-22640-712.patch tcpdf-6.6.2+dfsg1/debian/patches/0001-fix-CSV-2024-22640-712.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/0001-fix-CSV-2024-22640-712.patch	1969-12-31 21:00:00.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/patches/0001-fix-CSV-2024-22640-712.patch	2025-05-15 22:49:47.000000000 -0300
@@ -0,0 +1,29 @@
+From 05f3a28f4a7905019469e040cf77e53d6aa7f679 Mon Sep 17 00:00:00 2001
+From: Josh <josh.gaby@gmail.com>
+Date: Sun, 21 Apr 2024 05:03:05 +1200
+Subject: [PATCH] fix: CSV-2024-22640 (#712)
+
+Add possessive quantifiers to the regex to prevent catastrophic backtracking.
+
+Bug: https://github.com/zunak/CVE-2024-22640
+Origin: upstream, https://github.com/tecnickcom/TCPDF/commit/05f3a28f4a7905019469e040cf77e53d6aa7f679
+---
+ include/tcpdf_colors.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/tcpdf_colors.php b/include/tcpdf_colors.php
+index 7f337f3..5a51594 100644
+--- a/include/tcpdf_colors.php
++++ b/include/tcpdf_colors.php
+@@ -275,7 +275,7 @@ class TCPDF_COLORS {
+ 		$color = strtolower($color);
+ 		// check for javascript color array syntax
+ 		if (strpos($color, '[') !== false) {
+-			if (preg_match('/[\[][\"\'](t|g|rgb|cmyk)[\"\'][\,]?([0-9\.]*)[\,]?([0-9\.]*)[\,]?([0-9\.]*)[\,]?([0-9\.]*)[\]]/', $color, $m) > 0) {
++			if (preg_match('/[\[][\"\'](t|g|rgb|cmyk)[\"\'][\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\]]/', $color, $m) > 0) {
+ 				$returncolor = array();
+ 				switch ($m[1]) {
+ 					case 'cmyk': {
+-- 
+2.39.5
+
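Review bot: the patch file name and the Subject keep upstream's "CSV-2024-22640" typo; the Subject is the upstream commit message and should stay as is, but the Debian file name could be CVE-2024-22640.patch to match the other entries in debian/patches/series. On the fix itself, the only change is making the four numeric groups possessive (`[0-9\.]*+`), so the optional `[\,]?` separators between them no longer give the engine a way to redistribute a long digit run across the groups when the closing `]` is missing. Since the mail says the PoC could not be reproduced, a before/after `preg_match()` on `['rgb'` followed by a few hundred digits, checking for `preg_last_error() == PREG_BACKTRACK_LIMIT_ERROR` with the old pattern, would confirm the backport behaves as intended on bookworm's PHP.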
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/0001-Update-regexp-to-fix-CVE-2024-22641.patch tcpdf-6.6.2+dfsg1/debian/patches/0001-Update-regexp-to-fix-CVE-2024-22641.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/0001-Update-regexp-to-fix-CVE-2024-22641.patch	1969-12-31 21:00:00.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/patches/0001-Update-regexp-to-fix-CVE-2024-22641.patch	2025-05-15 22:50:03.000000000 -0300
@@ -0,0 +1,25 @@
+From 17fe9597fb31d3d08c0f02a03338928ab8bcf0b5 Mon Sep 17 00:00:00 2001
+From: nicolaasuni <info@tecnick.com>
+Date: Sat, 26 Oct 2024 13:08:26 +0100
+Subject: [PATCH] Update regexp to fix CVE-2024-22641
+
+Bug-Debian: https://bugs.debian.org/1072528
+Origin: backport, https://github.com/tecnickcom/TCPDF/commit/17fe9597fb31d3d08c0f02a03338928ab8bcf0b5
+
+---
+ tcpdf.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+Index: tcpdf/tcpdf.php
+===================================================================
+--- tcpdf.orig/tcpdf.php
++++ tcpdf/tcpdf.php
+@@ -23284,7 +23284,7 @@ Putting 1 is equivalent to putting 0 and
+ 		$text_color = TCPDF_COLORS::convertHTMLColorToDec($svgstyle['text-color'], $this->spot_colors);
+ 		$this->setTextColorArray($text_color);
+ 		// clip
+-		if (preg_match('/rect\(([a-z0-9\-\.]*)[\s]*([a-z0-9\-\.]*)[\s]*([a-z0-9\-\.]*)[\s]*([a-z0-9\-\.]*)\)/si', $svgstyle['clip'], $regs)) {
++		if (preg_match('/rect\(([a-z0-9\-\.]*+)[\s]*+([a-z0-9\-\.]*+)[\s]*+([a-z0-9\-\.]*+)[\s]*+([a-z0-9\-\.]*+)\)/si', $svgstyle['clip'], $regs)) {
+ 			$top = (isset($regs[1])?$this->getHTMLUnitToUnits($regs[1], 0, $this->svgunit, false):0);
+ 			$right = (isset($regs[2])?$this->getHTMLUnitToUnits($regs[2], 0, $this->svgunit, false):0);
+ 			$bottom = (isset($regs[3])?$this->getHTMLUnitToUnits($regs[3], 0, $this->svgunit, false):0);
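Review bot: the diffstat (`tcpdf.php | 8 ++++----`, `4 insertions(+), 4 deletions(-)`) is copied from the upstream commit, but this backport carries a single hunk changing one line, so the stat is misleading; either drop it or say in the header which of the upstream hunks were left out and why (for instance because the code is not present in 6.6.2). The `Index:`/`tcpdf.orig` header form also differs from the git-style headers of 0001-fix-CSV-2024-22640-712.patch; both work with quilt, but a consistent style makes the series easier to audit.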
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-32489.patch tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-32489.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-32489.patch	1969-12-31 21:00:00.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-32489.patch	2025-05-18 23:25:29.000000000 -0300
@@ -0,0 +1,255 @@
+Description: Fix for CVE-2024-32489: mishandled calls that use HTML
+ This patch is extracted from upstream commit 82fc97b "Squash multiple fixes",
+ by nicolaasuni <info@tecnick.com>, taking only changes relevant to
+ CVE-2024-32489.
+Origin: backport, https://github.com/tecnickcom/TCPDF/commit/82fc97bf1c74c8dbe62b1d3cc6d10fa4b87e0262
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-32489
+Author: Santiago Ruano Rincón <santiagorr@riseup.net>
+
+Index: tcpdf/tcpdf.php
+===================================================================
+--- tcpdf.orig/tcpdf.php
++++ tcpdf/tcpdf.php
+@@ -836,6 +836,13 @@ class TCPDF {
+ 	 */
+ 	protected $file_id;
+ 
++	/**
++	 * Internal secret used to encrypt data.
++	 * @protected
++	 * @since 6.7.4 (2024-03-21)
++	 */
++	protected $hash_key;
++
+ 	// --- bookmark ---
+ 
+ 	/**
+@@ -1878,6 +1885,7 @@ class TCPDF {
+ 		// set file ID for trailer
+ 		$serformat = (is_array($format) ? json_encode($format) : $format);
+ 		$this->file_id = md5(TCPDF_STATIC::getRandomSeed('TCPDF'.$orientation.$unit.$serformat.$encoding));
++		$this->hash_key = hash_hmac('sha256', TCPDF_STATIC::getRandomSeed($this->file_id), TCPDF_STATIC::getRandomSeed('TCPDF'), false);
+ 		$this->font_obj_ids = array();
+ 		$this->page_obj_id = array();
+ 		$this->form_obj_id = array();
+@@ -17194,42 +17202,60 @@ class TCPDF {
+ 	}
+ 
+ 	/**
+-	 * Return an hash code used to ensure that the serialized data has been generated by this TCPDF instance.
+-	 * @param string $data serialized data
+-	 * @return string
+-	 * @public static
++	 * Calculates the hash value of the given data.
++	 *
++	 * @param string $data The data to be hashed.
++	 * @return string The hashed value of the data.
+ 	 */
+-	protected function getHashForTCPDFtagParams($data) {
+-		return md5(strlen($data).$this->file_id.$data);
++	protected function hashTCPDFtag($data) {
++		return hash_hmac('sha256', $data, $this->hash_key, false);
+ 	}
+ 
+ 	/**
+-	 * Serialize an array of parameters to be used with TCPDF tag in HTML code.
+-	 * @param array $data parameters array
+-	 * @return string containing serialized data
++	 * Serialize data to be used with TCPDF tag in HTML code.
++	 * @param string $method TCPDF method name
++	 * @param array $params Method parameters
++	 * @return string Serialized data
+ 	 * @public static
+ 	 */
+-	public function serializeTCPDFtagParameters($data) {
++	public function serializeTCPDFtag($method, $params=array()) {
++		$data = array('m' => $method, 'p' => $params);
+ 		$encoded = urlencode(json_encode($data));
+-		return $this->getHashForTCPDFtagParams($encoded).$encoded;
++		$hash = $this->hashTCPDFtag($encoded);
++		return strlen($hash).'+'.$hash.'+'.$encoded;
+ 	}
+ 
+ 	/**
+-	 * Unserialize parameters to be used with TCPDF tag in HTML code.
++	 * Unserialize data to be used with TCPDF tag in HTML code.
+ 	 * @param string $data serialized data
+ 	 * @return array containing unserialized data
+ 	 * @protected static
+ 	 */
+-	protected function unserializeTCPDFtagParameters($data) {
+-		$hash = substr($data, 0, 32);
+-		$encoded = substr($data, 32);
+-		if ($hash != $this->getHashForTCPDFtagParams($encoded)) {
++	protected function unserializeTCPDFtag($data) {
++		$hpos = strpos($data, '+');
++		$hlen = intval(substr($data, 0, $hpos));
++		$hash = substr($data, $hpos + 1, $hlen);
++		$encoded = substr($data, $hpos + 2 + $hlen);
++		if ($hash != $this->hashTCPDFtag($encoded)) {
+ 			$this->Error('Invalid parameters');
+ 		}
+ 		return json_decode(urldecode($encoded), true);
+ 	}
+ 
+ 	/**
++	 * Check if a TCPDF tag is allowed
++	 * @param string $method TCPDF method name
++	 * @return boolean
++	 * @protected
++	 */
++	protected function allowedTCPDFtag($method) {
++		if (defined('K_ALLOWED_TCPDF_TAGS')) {
++			return (strpos(K_ALLOWED_TCPDF_TAGS, '|'.$method.'|') !== false);
++		}
++		return false;
++	}
++
++	/**
+ 	 * Prints a cell (rectangular area) with optional borders, background color and html text string.
+ 	 * The upper-left corner of the cell corresponds to the current position. After the call, the current position moves to the right or to the next line.<br />
+ 	 * If automatic page breaking is enabled and the cell goes beyond the limit, a page break is done before outputting.
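Review bot: this hunk changes the public API inside a stable update: `serializeTCPDFtagParameters($data)` is replaced by `serializeTCPDFtag($method, $params)` and the `method`/`params` attributes by a single HMAC-protected `data` attribute, so any bookworm application that builds `<tcpdf method=... params=...>` tags itself stops working after the upgrade, and even with `K_TCPDF_CALLS_IN_HTML` enabled nothing is callable until `K_ALLOWED_TCPDF_TAGS` lists the methods. That deserves a debian/NEWS entry so administrators see it at upgrade time. Two smaller points in `unserializeTCPDFtag()`: the hash is compared with `!=` (CVE-2024-56522.patch later in the series switches this to `hash_equals()`, so the series order is a hard dependency), and when `$data` contains no `+` at all `strpos()` returns `false` and the arithmetic on `$hpos` runs on a boolean; it still ends in `Error('Invalid parameters')`, but an explicit `=== false` check would make that intent clear.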
+@@ -19504,17 +19530,14 @@ Putting 1 is equivalent to putting 0 and
+ 			case 'tcpdf': {
+ 				if (defined('K_TCPDF_CALLS_IN_HTML') AND (K_TCPDF_CALLS_IN_HTML === true)) {
+ 					// Special tag used to call TCPDF methods
+-					if (isset($tag['attribute']['method'])) {
+-						$tcpdf_method = $tag['attribute']['method'];
+-						if (method_exists($this, $tcpdf_method)) {
+-							if (isset($tag['attribute']['params']) AND (!empty($tag['attribute']['params']))) {
+-								$params = $this->unserializeTCPDFtagParameters($tag['attribute']['params']);
+-								call_user_func_array(array($this, $tcpdf_method), $params);
+-							} else {
+-								$this->$tcpdf_method();
+-							}
+-							$this->newline = true;
++					// This tag is disabled by default by the K_TCPDF_CALLS_IN_HTML constant on TCPDF configuration file.
++					// Please use this feature only if you are in control of the HTML content and you are sure that it does not contain any harmful code.
++					if (!empty($tag['attribute']['data'])) {
++						$tcpdf_tag_data = $this->unserializeTCPDFtag($tag['attribute']['data']);
++						if ($this->allowedTCPDFtag($tcpdf_tag_data['m'])) {
++							call_user_func_array(array($this, $tcpdf_tag_data['m']), $tcpdf_tag_data['p']);
+ 						}
++						$this->newline = true;
+ 					}
+ 				}
+ 				break;
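Review bot: legacy `method`/`params` attributes are now silently ignored: with `K_TCPDF_CALLS_IN_HTML` on and an old-style tag, `$tag['attribute']['data']` is empty, the branch does nothing and the document renders without the callback and without any error, so a not-yet-migrated application fails silently. Consider calling `$this->Error()` (or at least emitting a warning) when a `<tcpdf>` tag has no `data` attribute. Note also that `$this->newline = true` now sits inside the `!empty(...)` test, whereas before it was set whenever a recognised method was called, so such legacy tags no longer trigger a line break either.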
+Index: tcpdf/config/tcpdf_config.php
+===================================================================
+--- tcpdf.orig/config/tcpdf_config.php
++++ tcpdf/config/tcpdf_config.php
+@@ -213,6 +213,14 @@ define('K_THAI_TOPCHARS', true);
+ define('K_TCPDF_CALLS_IN_HTML', false);
+ 
+ /**
++ * List of TCPDF methods that are allowed to be called using HTML syntax.
++ * Note: each method name must end with surrounded with | (pipe) character.
++ * The constant K_TCPDF_CALLS_IN_HTML must be set to true.
++ * IMPORTANT: For security reason, disable this feature if you are allowing user HTML content.
++ */
++define('K_ALLOWED_TCPDF_TAGS', '');
++
++/**
+  * If true and PHP version is greater than 5, then the Error() method throw new exception instead of terminating the execution.
+  */
+ define('K_TCPDF_THROW_EXCEPTION_ERROR', false);
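Review bot: the docblock line "each method name must end with surrounded with | (pipe) character" is garbled; "each method name must be surrounded by | (pipe) characters, e.g. '|AddPage|Rect|'" describes what `allowedTCPDFtag()` actually checks (`strpos(K_ALLOWED_TCPDF_TAGS, '|'.$method.'|')`). "For security reason" should read "For security reasons". The same text is repeated in examples/config/tcpdf_config_alt.php further down; since these are upstream comments, fixing them in the backport would diverge from upstream, but the package documentation should at least state the list format correctly.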
+Index: tcpdf/examples/example_049.php
+===================================================================
+--- tcpdf.orig/examples/example_049.php
++++ tcpdf/examples/example_049.php
+@@ -2,7 +2,7 @@
+ //============================================================+
+ // File name   : example_049.php
+ // Begin       : 2009-04-03
+-// Last Update : 2014-12-10
++// Last Update : 2024-03-18
+ //
+ // Description : Example 049 for TCPDF class
+ //               WriteHTML with TCPDF callback functions
+@@ -78,11 +78,11 @@ $pdf->AddPage();
+ /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+ 
+ IMPORTANT:
+-If you are printing user-generated content, tcpdf tag can be unsafe.
+-You can disable this tag by setting to false the K_TCPDF_CALLS_IN_HTML
+-constant on TCPDF configuration file.
++If you are printing user-generated content, the tcpdf tag should be considered unsafe.
++This tag is disabled by default by the K_TCPDF_CALLS_IN_HTML constant on TCPDF configuration file.
++Please use this feature only if you are in control of the HTML content and you are sure that it does not contain any harmful code.
+ 
+-For security reasons, the parameters for the 'params' attribute of TCPDF
++For security reasons, the parameters for the 'params' attribute of TCPDF 
+ tag must be prepared as an array and encoded with the
+ serializeTCPDFtagParameters() method (see the example below).
+ 
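Review bot: this comment block still tells readers to prepare parameters with `serializeTCPDFtagParameters()` and the `'params'` attribute, both of which the earlier hunks of this patch remove in favour of `serializeTCPDFtag($method, $params)` and a `data` attribute; the only change made here is trailing whitespace added to the "For security reasons" line, which is a whitespace regression rather than a fix. Update the paragraph to describe `serializeTCPDFtag()`, the `data` attribute and the `K_ALLOWED_TCPDF_TAGS` allow-list, or drop the trailing-whitespace change so the hunk is not needed at all.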
+@@ -91,23 +91,25 @@ serializeTCPDFtagParameters() method (se
+ 
+ $html = '<h1>Test TCPDF Methods in HTML</h1>
+ <h2 style="color:red;">IMPORTANT:</h2>
+-<span style="color:red;">If you are using user-generated content, the tcpdf tag can be unsafe.<br />
+-You can disable this tag by setting to false the <b>K_TCPDF_CALLS_IN_HTML</b> constant on TCPDF configuration file.</span>
++<span style="color:red;">If you are using user-generated content, the tcpdf tag should be considered unsafe.<br />
++Please use this feature only if you are in control of the HTML content and you are sure that it does not contain any harmful code.<br />
++This feature is disabled by default by the <b>K_TCPDF_CALLS_IN_HTML</b> constant on TCPDF configuration file.</span>
+ <h2>write1DBarcode method in HTML</h2>';
+ 
+-$params = $pdf->serializeTCPDFtagParameters(array('CODE 39', 'C39', '', '', 80, 30, 0.4, array('position'=>'S', 'border'=>true, 'padding'=>4, 'fgcolor'=>array(0,0,0), 'bgcolor'=>array(255,255,255), 'text'=>true, 'font'=>'helvetica', 'fontsize'=>8, 'stretchtext'=>4), 'N'));
+-$html .= '<tcpdf method="write1DBarcode" params="'.$params.'" />';
++$data = $pdf->serializeTCPDFtag('write1DBarcode', array('CODE 39', 'C39', '', '', 80, 30, 0.4, array('position'=>'S', 'border'=>true, 'padding'=>4, 'fgcolor'=>array(0,0,0), 'bgcolor'=>array(255,255,255), 'text'=>true, 'font'=>'helvetica', 'fontsize'=>8, 'stretchtext'=>4), 'N'));
++$html .= '<tcpdf data="'.$data.'" />';
+ 
+-$params = $pdf->serializeTCPDFtagParameters(array('CODE 128', 'C128', '', '', 80, 30, 0.4, array('position'=>'S', 'border'=>true, 'padding'=>4, 'fgcolor'=>array(0,0,0), 'bgcolor'=>array(255,255,255), 'text'=>true, 'font'=>'helvetica', 'fontsize'=>8, 'stretchtext'=>4), 'N'));
+-$html .= '<tcpdf method="write1DBarcode" params="'.$params.'" />';
++$data = $pdf->serializeTCPDFtag('write1DBarcode', array('CODE 128', 'C128', '', '', 80, 30, 0.4, array('position'=>'S', 'border'=>true, 'padding'=>4, 'fgcolor'=>array(0,0,0), 'bgcolor'=>array(255,255,255), 'text'=>true, 'font'=>'helvetica', 'fontsize'=>8, 'stretchtext'=>4), 'N'));
++$html .= '<tcpdf data="'.$data.'" />';
+ 
+-$html .= '<tcpdf method="AddPage" /><h2>Graphic Functions</h2>';
++$data = $pdf->serializeTCPDFtag('AddPage');
++$html .= '<tcpdf data="'.$data.'" /><h2>Graphic Functions</h2>';
+ 
+-$params = $pdf->serializeTCPDFtagParameters(array(0));
+-$html .= '<tcpdf method="SetDrawColor" params="'.$params.'" />';
++$data = $pdf->serializeTCPDFtag('SetDrawColor', array(0));
++$html .= '<tcpdf data="'.$data.'" />';
+ 
+-$params = $pdf->serializeTCPDFtagParameters(array(50, 50, 40, 10, 'DF', array(), array(0,128,255)));
+-$html .= '<tcpdf method="Rect" params="'.$params.'" />';
++$data = $pdf->serializeTCPDFtag('Rect', array(50, 50, 40, 10, 'DF', array(), array(0,128,255)));
++$html .= '<tcpdf data="'.$data.'" />';
+ 
+ 
+ // output the HTML content
+Index: tcpdf/tcpdf_autoconfig.php
+===================================================================
+--- tcpdf.orig/tcpdf_autoconfig.php
++++ tcpdf/tcpdf_autoconfig.php
+@@ -228,6 +228,10 @@ if (!defined('K_TCPDF_CALLS_IN_HTML')) {
+ 	define('K_TCPDF_CALLS_IN_HTML', false);
+ }
+ 
++if (!defined('K_ALLOWED_TCPDF_TAGS')) {
++	define('K_ALLOWED_TCPDF_TAGS', '');
++}
++
+ if (!defined('K_TCPDF_THROW_EXCEPTION_ERROR')) {
+ 	define('K_TCPDF_THROW_EXCEPTION_ERROR', false);
+ }
+Index: tcpdf/examples/config/tcpdf_config_alt.php
+===================================================================
+--- tcpdf.orig/examples/config/tcpdf_config_alt.php
++++ tcpdf/examples/config/tcpdf_config_alt.php
+@@ -213,6 +213,14 @@ define('K_THAI_TOPCHARS', true);
+ define('K_TCPDF_CALLS_IN_HTML', true);
+ 
+ /**
++ * List of TCPDF methods that are allowed to be called using HTML syntax.
++ * Note: each method name must end with surrounded with | (pipe) character.
++ * The constant K_TCPDF_CALLS_IN_HTML must be set to true.
++ * IMPORTANT: For security reason, disable this feature if you are allowing user HTML content.
++ */
++define('K_ALLOWED_TCPDF_TAGS', '|AddPage|Rect|SetDrawColor|write1DBarcode|');
++
++/**
+  * If true and PHP version is greater than 5, then the Error() method throw new exception instead of terminating the execution.
+  */
+ define('K_TCPDF_THROW_EXCEPTION_ERROR', false);
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-51058.patch tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-51058.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-51058.patch	1969-12-31 21:00:00.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-51058.patch	2025-05-19 23:34:21.000000000 -0300
@@ -0,0 +1,91 @@
+From bfa7d2b6d455ebf72ebe3d48fbd487ee5a1f6f3b Mon Sep 17 00:00:00 2001
+From: nicolaasuni <info@tecnick.com>
+Date: Sun, 6 Oct 2024 11:38:38 +0100
+Subject: [PATCH] Forbid access to parent folder in HTML images
+
+Bug-Debian: https://bugs.debian.org/1088332
+Origin: backport, https://github.com/tecnickcom/TCPDF/commit/bfa7d2b6d455ebf72ebe3d48fbd487ee5a1f6f3b
+---
+ CHANGELOG.TXT            |  3 +++
+ VERSION                  |  2 +-
+ composer.json            |  2 +-
+ include/tcpdf_static.php |  2 +-
+ tcpdf.php                | 53 +++++++++++++++++++++-------------------
+ 5 files changed, 34 insertions(+), 28 deletions(-)
+
+Index: tcpdf/tcpdf.php
+===================================================================
+--- tcpdf.orig/tcpdf.php
++++ tcpdf/tcpdf.php
+@@ -18969,29 +18969,29 @@ class TCPDF {
+ 				$this->setLineWidth($hrHeight);
+ 
+ 				$lineStyle = array();
+-                    		if (isset($tag['fgcolor'])) {
+-		                        $lineStyle['color'] = $tag['fgcolor'];
+-                    		}
+-
+-                    		if (isset($tag['fgcolor'])) {
+-                        		$lineStyle['color'] = $tag['fgcolor'];
+-                    		}
+-
+-                    		if (isset($tag['style']['cap'])) {
+-                        		$lineStyle['cap'] = $tag['style']['cap'];
+-                    		}
+-
+-                    		if (isset($tag['style']['join'])) {
+-                        		$lineStyle['join'] = $tag['style']['join'];
+-                    		}
+-
+-                    		if (isset($tag['style']['dash'])) {
+-                        		$lineStyle['dash'] = $tag['style']['dash'];
+-                    		}
+-
+-                    		if (isset($tag['style']['phase'])) {
+-                        		$lineStyle['phase'] = $tag['style']['phase'];
+-                    		}
++				if (isset($tag['fgcolor'])) {
++					$lineStyle['color'] = $tag['fgcolor'];
++				}
++
++				if (isset($tag['fgcolor'])) {
++					$lineStyle['color'] = $tag['fgcolor'];
++				}
++
++				if (isset($tag['style']['cap'])) {
++					$lineStyle['cap'] = $tag['style']['cap'];
++				}
++
++				if (isset($tag['style']['join'])) {
++					$lineStyle['join'] = $tag['style']['join'];
++				}
++
++				if (isset($tag['style']['dash'])) {
++					$lineStyle['dash'] = $tag['style']['dash'];
++				}
++
++				if (isset($tag['style']['phase'])) {
++					$lineStyle['phase'] = $tag['style']['phase'];
++				}
+ 
+ 				$lineStyle = array_filter($lineStyle);
+ 
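Review bot: this hunk is a pure re-indentation (spaces to tabs) of the `<hr>` line-style block and is unrelated to CVE-2024-51058; it roughly doubles the size of the backport and makes the actual security change harder to spot in the debdiff. Drop it from the Debian patch (re-generate with only the image hunk) or move it into a separate cosmetic patch. Also, the `if (isset($tag['fgcolor']))` block appears twice in a row in both the old and the new text, an upstream duplication worth reporting upstream rather than carrying in a security patch.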
+@@ -19018,11 +19018,14 @@ class TCPDF {
+ 				} else if (preg_match('@^data:image/([^;]*);base64,(.*)@', $imgsrc, $reg)) {
+ 					$imgsrc = '@'.base64_decode($reg[2]);
+ 					$type = $reg[1];
++				} elseif (str_contains($imgsrc, '../')) {
++					// accessing parent folders is not allowed
++					break;
+ 				} elseif ( $this->allowLocalFiles && substr($imgsrc, 0, 7) === 'file://') {
+-                    // get image type from a local file path
+-                    $imgsrc = substr($imgsrc, 7);
+-                    $type = TCPDF_IMAGES::getImageFileType($imgsrc);
+-                } else {
++					// get image type from a local file path
++					$imgsrc = substr($imgsrc, 7);
++					$type = TCPDF_IMAGES::getImageFileType($imgsrc);
++				} else {
+ 					if (($imgsrc[0] === '/') AND !empty($_SERVER['DOCUMENT_ROOT']) AND ($_SERVER['DOCUMENT_ROOT'] != '/')) {
+ 						// fix image path
+ 						$findroot = strpos($imgsrc, $_SERVER['DOCUMENT_ROOT']);
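Review bot: the guard only rejects the literal substring `../` and sits before the `file://` branch, so absolute local paths (which contain no `../`) remain reachable whenever `$this->allowLocalFiles` is enabled; that is the scope of the upstream fix, but a sentence in the patch header saying the package ships upstream's check and not a full path canonicalisation (e.g. `realpath()` against an allowed base directory) would set expectations for the security tracker. `str_contains()` requires PHP 8.0, which bookworm satisfies; if the same patch is reused for the oldstable update named in the subject it needs `strpos($imgsrc, '../') !== false` instead. The diffstat lists CHANGELOG.TXT, VERSION, composer.json and include/tcpdf_static.php, none of which are part of this backport.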
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56519.patch tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56519.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56519.patch	1969-12-31 21:00:00.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56519.patch	2025-05-19 23:34:58.000000000 -0300
@@ -0,0 +1,26 @@
+From c9f41cbb84880bdb4fc3e0a9d287214d1ac4d7f4 Mon Sep 17 00:00:00 2001
+From: nicolaasuni <info@tecnick.com>
+Date: Mon, 23 Dec 2024 12:55:00 +0000
+Subject: [PATCH] Sanitize font-family attribute.
+
+Bug-Debian: https://bugs.debian.org/1091685
+---
+ tcpdf.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tcpdf.php b/tcpdf.php
+index 7afe65b..e364c3b 100644
+--- a/tcpdf.php
++++ b/tcpdf.php
+@@ -23486,7 +23486,7 @@ class TCPDF {
+ 			if (preg_match('/font-family[\s]*:[\s]*([^\;\"]*)/si', $svgstyle['font'], $regs)) {
+ 				$font_family = $this->getFontFamilyName($regs[1]);
+ 			} else {
+-				$font_family = $svgstyle['font-family'];
++				$font_family = $this->getFontFamilyName($svgstyle['font-family']);
+ 			}
+ 			if (preg_match('/font-size[\s]*:[\s]*([^\s\;\"]*)/si', $svgstyle['font'], $regs)) {
+ 				$font_size = trim($regs[1]);
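Review bot: unlike the other backports this patch carries no `Origin:` header, only `Bug-Debian:`, although the `From c9f41cbb...` line identifies the upstream commit; add `Origin: upstream, https://github.com/tecnickcom/TCPDF/commit/c9f41cbb84880bdb4fc3e0a9d287214d1ac4d7f4` (following the URL form used by the other patches) for DEP-3 consistency. The change itself is a one-liner routing the bare `font-family` attribute through `getFontFamilyName()`, the same path already taken for the `font` shorthand two lines above, so it is easy to verify it applies cleanly to 6.6.2.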
+-- 
+2.39.5
+
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56520.patch tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56520.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56520.patch	1969-12-31 21:00:00.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56520.patch	2025-05-19 23:35:44.000000000 -0300
@@ -0,0 +1,129 @@
+From a0a02efe487cc39bd5223359e916dbeafb5cd6fe Mon Sep 17 00:00:00 2001
+From: nicolaasuni <info@tecnick.com>
+Date: Mon, 23 Dec 2024 12:43:22 +0000
+Subject: [PATCH] Add some addTTFfont fixes from tc-lib-pdf-font
+
+Bug-Debian: https://bugs.debian.org/1091686
+Origin: backport, https://github.com/tecnickcom/TCPDF/commit/a0a02efe487cc39bd5223359e916dbeafb5cd6fe
+---
+ CHANGELOG.TXT           |  1 +
+ include/tcpdf_fonts.php | 43 +++++++++++++++++++++--------------------
+ 2 files changed, 23 insertions(+), 21 deletions(-)
+
+Index: tcpdf/include/tcpdf_fonts.php
+===================================================================
+--- tcpdf.orig/include/tcpdf_fonts.php
++++ tcpdf/include/tcpdf_fonts.php
+@@ -1,13 +1,13 @@
+ <?php
+ //============================================================+
+ // File name   : tcpdf_fonts.php
+-// Version     : 1.1.0
++// Version     : 1.1.1
+ // Begin       : 2008-01-01
+-// Last Update : 2014-12-10
++// Last Update : 2024-12-23
+ // Author      : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - info@tecnick.com
+ // License     : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html)
+ // -------------------------------------------------------------------
+-// Copyright (C) 2008-2014 Nicola Asuni - Tecnick.com LTD
++// Copyright (C) 2008-2024 Nicola Asuni - Tecnick.com LTD
+ //
+ // This file is part of TCPDF software library.
+ //
+@@ -42,7 +42,7 @@
+  * @class TCPDF_FONTS
+  * Font methods for TCPDF library.
+  * @package com.tecnick.tcpdf
+- * @version 1.1.0
++ * @version 1.1.1
+  * @author Nicola Asuni - info@tecnick.com
+  */
+ class TCPDF_FONTS {
+@@ -191,29 +191,30 @@ class TCPDF_FONTS {
+ 			fclose($fp);
+ 			// get font info
+ 			$fmetric['Flags'] = $flags;
+-			preg_match ('#/FullName[\s]*\(([^\)]*)#', $font, $matches);
++			preg_match ('#/FullName[\s]*+\(([^\)]*+)#', $font, $matches);
+ 			$fmetric['name'] = preg_replace('/[^a-zA-Z0-9_\-]/', '', $matches[1]);
+-			preg_match('#/FontBBox[\s]*{([^}]*)#', $font, $matches);
+-			$fmetric['bbox'] = trim($matches[1]);
+-			$bv = explode(' ', $fmetric['bbox']);
+-			$fmetric['Ascent'] = intval($bv[3]);
+-			$fmetric['Descent'] = intval($bv[1]);
+-			preg_match('#/ItalicAngle[\s]*([0-9\+\-]*)#', $font, $matches);
++			preg_match('#/FontBBox[\s]*+{([^}]*+)#', $font, $matches);
++			$rawbvl = explode(' ', trim($matches[1]));
++			$bvl = [(int) $rawbvl[0], (int) $rawbvl[1], (int) $rawbvl[2], (int) $rawbvl[3]];
++			$fmetric['bbox'] = implode(' ', $bvl);
++			$fmetric['Ascent'] = $bvl[3];
++			$fmetric['Descent'] = $bvl[1];
++			preg_match('#/ItalicAngle[\s]*+([0-9\+\-]*+)#', $font, $matches);
+ 			$fmetric['italicAngle'] = intval($matches[1]);
+ 			if ($fmetric['italicAngle'] != 0) {
+ 				$fmetric['Flags'] |= 64;
+ 			}
+-			preg_match('#/UnderlinePosition[\s]*([0-9\+\-]*)#', $font, $matches);
++			preg_match('#/UnderlinePosition[\s]*+([0-9\+\-]*+)#', $font, $matches);
+ 			$fmetric['underlinePosition'] = intval($matches[1]);
+-			preg_match('#/UnderlineThickness[\s]*([0-9\+\-]*)#', $font, $matches);
++			preg_match('#/UnderlineThickness[\s]*+([0-9\+\-]*+)#', $font, $matches);
+ 			$fmetric['underlineThickness'] = intval($matches[1]);
+-			preg_match('#/isFixedPitch[\s]*([^\s]*)#', $font, $matches);
++			preg_match('#/isFixedPitch[\s]*+([^\s]*+)#', $font, $matches);
+ 			if ($matches[1] == 'true') {
+ 				$fmetric['Flags'] |= 1;
+ 			}
+ 			// get internal map
+ 			$imap = array();
+-			if (preg_match_all('#dup[\s]([0-9]+)[\s]*/([^\s]*)[\s]put#sU', $font, $fmap, PREG_SET_ORDER) > 0) {
++			if (preg_match_all('#dup[\s]([0-9]+)[\s]*+/([^\s]*+)[\s]put#sU', $font, $fmap, PREG_SET_ORDER) > 0) {
+ 				foreach ($fmap as $v) {
+ 					$imap[$v[2]] = $v[1];
+ 				}
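Review bot: besides the possessive quantifiers, the FontBBox handling now casts the first four tokens with `(int)` and rebuilds `$fmetric['bbox']` from them, so a crafted `/FontBBox` can no longer leak arbitrary text into the generated font metrics; that is worth a mention in the changelog, which currently only says "mishandles fonts like FontBBox". Two things carried over from upstream: `$rawbvl[1]`..`$rawbvl[3]` are read unconditionally, so a bbox with fewer than four tokens raises "Undefined array key" warnings on PHP 8 and stores 0, and `$matches[1]` is used without checking that `preg_match()` succeeded. The diffstat's CHANGELOG.TXT entry is not part of the backport.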
+@@ -229,22 +230,22 @@ class TCPDF_FONTS {
+ 				$eplain .= chr($chr ^ ($r >> 8));
+ 				$r = ((($chr + $r) * $c1 + $c2) % 65536);
+ 			}
+-			if (preg_match('#/ForceBold[\s]*([^\s]*)#', $eplain, $matches) > 0) {
++			if (preg_match('#/ForceBold[\s]*+([^\s]*+)#', $eplain, $matches) > 0) {
+ 				if ($matches[1] == 'true') {
+ 					$fmetric['Flags'] |= 0x40000;
+ 				}
+ 			}
+-			if (preg_match('#/StdVW[\s]*\[([^\]]*)#', $eplain, $matches) > 0) {
++			if (preg_match('#/StdVW[\s]*+\[([^\]]*+)#', $eplain, $matches) > 0) {
+ 				$fmetric['StemV'] = intval($matches[1]);
+ 			} else {
+ 				$fmetric['StemV'] = 70;
+ 			}
+-			if (preg_match('#/StdHW[\s]*\[([^\]]*)#', $eplain, $matches) > 0) {
++			if (preg_match('#/StdHW[\s]*+\[([^\]]*+)#', $eplain, $matches) > 0) {
+ 				$fmetric['StemH'] = intval($matches[1]);
+ 			} else {
+ 				$fmetric['StemH'] = 30;
+ 			}
+-			if (preg_match('#/BlueValues[\s]*\[([^\]]*)#', $eplain, $matches) > 0) {
++			if (preg_match('#/BlueValues[\s]*+\[([^\]]*+)#', $eplain, $matches) > 0) {
+ 				$bv = explode(' ', $matches[1]);
+ 				if (count($bv) >= 6) {
+ 					$v1 = intval($bv[2]);
+@@ -265,7 +266,7 @@ class TCPDF_FONTS {
+ 				$fmetric['CapHeight'] = 700;
+ 			}
+ 			// get the number of random bytes at the beginning of charstrings
+-			if (preg_match('#/lenIV[\s]*([0-9]*)#', $eplain, $matches) > 0) {
++			if (preg_match('#/lenIV[\s]*+([\d]*+)#', $eplain, $matches) > 0) {
+ 				$lenIV = intval($matches[1]);
+ 			} else {
+ 				$lenIV = 4;
+@@ -273,7 +274,7 @@ class TCPDF_FONTS {
+ 			$fmetric['Leading'] = 0;
+ 			// get charstring data
+ 			$eplain = substr($eplain, (strpos($eplain, '/CharStrings') + 1));
+-			preg_match_all('#/([A-Za-z0-9\.]*)[\s][0-9]+[\s]RD[\s](.*)[\s]ND#sU', $eplain, $matches, PREG_SET_ORDER);
++			preg_match_all('#/([A-Za-z0-9\.]*+)[\s][0-9]+[\s]RD[\s](.*)[\s]ND#sU', $eplain, $matches, PREG_SET_ORDER);
+ 			if (!empty($enc) AND isset(TCPDF_FONT_DATA::$encmap[$enc])) {
+ 				$enc_map = TCPDF_FONT_DATA::$encmap[$enc];
+ 			} else {
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56522.patch tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56522.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56522.patch	1969-12-31 21:00:00.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56522.patch	2025-05-19 23:39:30.000000000 -0300
@@ -0,0 +1,26 @@
+From d54b97cec33f4f1a5ad81119a82085cad93cec89 Mon Sep 17 00:00:00 2001
+From: nicolaasuni <info@tecnick.com>
+Date: Mon, 23 Dec 2024 12:15:14 +0000
+Subject: [PATCH] Use strict time-constant function to compare TCPDF-tag
+ hashes.
+
+Bug-Debian: https://bugs.debian.org/1091688
+Origin: backport, https://github.com/tecnickcom/TCPDF/commit/d54b97cec33f4f1a5ad81119a82085cad93cec89
+---
+ CHANGELOG.TXT | 1 +
+ tcpdf.php     | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+Index: tcpdf/tcpdf.php
+===================================================================
+--- tcpdf.orig/tcpdf.php
++++ tcpdf/tcpdf.php
+@@ -17236,7 +17236,7 @@ class TCPDF {
+ 		$hlen = intval(substr($data, 0, $hpos));
+ 		$hash = substr($data, $hpos + 1, $hlen);
+ 		$encoded = substr($data, $hpos + 2 + $hlen);
+-		if ($hash != $this->hashTCPDFtag($encoded)) {
++		if (!hash_equals( $this->hashTCPDFtag($encoded), $hash)) {
+ 			$this->Error('Invalid parameters');
+ 		}
+ 		return json_decode(urldecode($encoded), true);
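Review bot: `hash_equals()` requires two strings; on PHP 7.x `substr()` returns `false` when `$hpos + 1 + $hlen` lies beyond the end of `$data`, which makes `hash_equals()` emit a warning and return `false` (still a rejection, but noisy). On bookworm's PHP 8.2 `substr()` returns `''`, so this only matters if the patch is reused for the oldstable update in the subject. This hunk also edits lines that CVE-2024-32489.patch introduced, so its position after that patch in debian/patches/series is a hard dependency.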
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56527.patch tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56527.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56527.patch	1969-12-31 21:00:00.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56527.patch	2025-05-19 23:42:45.000000000 -0300
@@ -0,0 +1,24 @@
+From 11778aaa2d9e30a9ae1c1ee97ff349344f0ad6e1 Mon Sep 17 00:00:00 2001
+From: nicolaasuni <info@tecnick.com>
+Date: Mon, 23 Dec 2024 12:12:07 +0000
+Subject: [PATCH] Escape error message
+
+Bug-Debian: https://bugs.debian.org/1091689
+Origin: backport, https://github.com/tecnickcom/TCPDF/commit/11778aaa2d9e30a9ae1c1ee97ff349344f0ad6e1
+---
+ CHANGELOG.TXT | 2 +-
+ tcpdf.php     | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+Index: tcpdf/tcpdf.php
+===================================================================
+--- tcpdf.orig/tcpdf.php
++++ tcpdf/tcpdf.php
+@@ -3006,6 +3006,7 @@ class TCPDF {
+ 	public function Error($msg) {
+ 		// unset all class variables
+ 		$this->_destroy(true);
++		$msg = htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
+ 		if (defined('K_TCPDF_THROW_EXCEPTION_ERROR') AND !K_TCPDF_THROW_EXCEPTION_ERROR) {
+ 			die('<strong>TCPDF ERROR: </strong>'.$msg);
+ 		} else {
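Review bot: `$msg` is escaped before the `K_TCPDF_THROW_EXCEPTION_ERROR` branch, so the HTML-escaped text is also what the `else` branch sees, which per the config comment in CVE-2024-32489.patch is the path that throws an exception instead of dying; code that logs or re-renders exception messages will now receive `&quot;`/`&lt;` entities. That matches upstream, but the changelog line ("lacks an htmlspecialchars call for the error message") could say that exception messages change too. Placing the escape after `$this->_destroy(true)` is fine since `$msg` is a local.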
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/series tcpdf-6.6.2+dfsg1/debian/patches/series
--- tcpdf-6.6.2+dfsg1/debian/patches/series	2022-12-23 17:08:41.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/patches/series	2025-05-19 23:45:43.000000000 -0300
@@ -1 +1,9 @@
 0001-Update-the-composer-example-to-use-the-Debian-includ.patch
+0001-fix-CSV-2024-22640-712.patch
+0001-Update-regexp-to-fix-CVE-2024-22641.patch
+CVE-2024-32489.patch
+CVE-2024-51058.patch
+CVE-2024-56519.patch
+CVE-2024-56520.patch
+CVE-2024-56522.patch
+CVE-2024-56527.patch
diff -Nru tcpdf-6.6.2+dfsg1/debian/rules tcpdf-6.6.2+dfsg1/debian/rules
--- tcpdf-6.6.2+dfsg1/debian/rules	2022-12-16 18:19:19.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/rules	2025-05-15 22:49:47.000000000 -0300
@@ -18,4 +18,5 @@
 		--blacklist mc_tcpdf \
 		--blacklist mypdf \
 		--blacklist toc_tcpdf \
+		--exclude */.pc/* \
 		--output autoload.php .

Attachment: signature.asc
Description: PGP signature

