Bonjour Santiago & hello security team,
https://salsa.debian.org/phpmyadmin-team/tcpdf/-/tree/wip/santiago/debian/bookworm
The changes look fine, but here are two minor things:
- the phpab change seems weird to me, but maybe because I use gbp-buildpackage.
- the salsa CI change should not be needed once I switch the repo CI to "recipes/debian.yml@salsa-ci-team/pipeline", because the branch name will be okay.
  - See: https://udd.debian.org/salsa/?williamdes%40wdes.fr
- If possible please change the Vcs branch at https://salsa.debian.org/phpmyadmin-team/tcpdf/-/blob/wip/santiago/debian/bookworm/debian/control#L12
Else, you can push to a debian/bookworm branch and release the changes. Each commit looks good.
Thank you for all your work! And very sorry for not finding more time to dig into the tcpdf CVEs. Let me know for the upload.

-- 
William Desportes

On 2025/05/26 18:44, Santiago Ruano Rincón wrote:

Bonjour William, hello security team,

On 16/05/25 at 17:37, Santiago Ruano Rincón wrote:
On 16/05/25 at 21:08, William Desportes wrote:
> Hello,
>
> Thank you for reaching out to me.
> Do you have access to the salsa repository?
[...]

This is a quick update about fixing the open issues for tcpdf. I've pushed the current WIP update at:
https://salsa.debian.org/phpmyadmin-team/tcpdf/-/tree/wip/santiago/debian/bookworm

> Sure it is best to extract the commit [that fixes CVE-2024-32489]

Done.

> For another CVE maybe the one you are searching for:
> <https://github.com/tecnickcom/TCPDF/commit/17fe9597fb31d3d08c0f02a03338928ab8bcf0b5>
> is the ReDoS commit.

I've been unable to reproduce the POCs for CVE-2024-22640 and CVE-2024-22641. Not sure how these can be exploited on a regular system.

> Also, do not backport the curl changes done to fix one of the CVEs, it would require the Dependency of php-curl.

Did like you suggested.

> And yes, no POC to be found. Quite a shame, fixes come out of nowhere and are released as they are.

Other than those two ReDoS issues already mentioned (BTW CVE-2024-56520 seems to be ReDoS-related too), so far, I haven't been able to exploit any of the other open issues either. I could give a better try to some of them (e.g. CVE-2024-51058), but I fear that it will be difficult to fully test all of those CVEs and their fixes. Help is welcome on that side.

Other than that, I have verified that autopkgtest for both the current version [0] in bookworm and the proposed update work correctly [1]. That includes locally running the different example files (based on debian/tests/test.sh) and checking the results. This includes example_049.php, that was modified with the patch for CVE-2024-32489.

[0] https://salsa.debian.org/phpmyadmin-team/tcpdf/-/jobs/7616586
[1] https://salsa.debian.org/phpmyadmin-team/tcpdf/-/jobs/7601105

Debdiff attached for convenience.

Cheers,

-- 
Santiago