
Re: tcpdf {old,}stable security update



Bonjour Santiago & hello security team,

https://salsa.debian.org/phpmyadmin-team/tcpdf/-/tree/wip/santiago/debian/bookworm

The changes look fine, but here are two minor things:
- the phpab change seems weird to me, but maybe that is because I use gbp-buildpackage.
- the salsa CI change should not be needed once I switch the repo CI to "recipes/debian.yml@salsa-ci-team/pipeline", because the branch name will be okay.
   - See: https://udd.debian.org/salsa/?williamdes%40wdes.fr
- If possible please change the Vcs branch at https://salsa.debian.org/phpmyadmin-team/tcpdf/-/blob/wip/santiago/debian/bookworm/debian/control#L12

Else, you can push to a debian/bookworm branch and release the changes. Each commit looks good.

Thank you for all your work!
And very sorry for not finding more time to dig into the tcpdf CVEs.

Let me know for the upload.

--
William Desportes
On 2025/05/26 18:44, Santiago Ruano Rincón wrote:
Bonjour William, hello security team,

On 16/05/25 at 17:37, Santiago Ruano Rincón wrote:
On 16/05/25 at 21:08, William Desportes wrote:
> Hello,
>
> Thank you for reaching out to me.
> Do you have access to the salsa repository?

[...]

This is a quick update about fixing the open issues for tcpdf. I've
pushed the current WIP update at:

https://salsa.debian.org/phpmyadmin-team/tcpdf/-/tree/wip/santiago/debian/bookworm

> Sure it is best to extract the commit [that fixes CVE-2024-32489]

Done.

> For another CVE maybe the one you are searching for: <https://github.com/tecnickcom/TCPDF/commit/17fe9597fb31d3d08c0f02a03338928ab8bcf0b5> is the ReDoS commit.

I've been unable to reproduce the POCs for CVE-2024-22640 and
CVE-2024-22641. Not sure how these can be exploited on a regular system.

> Also, do not backport the curl changes done to fix one of the CVEs; it would require a dependency on php-curl.

I did as you suggested.

> And yes, no POC to be found. Quite a shame, fixes come out of nowhere and are released as they are.

Other than those two ReDoS issues already mentioned (BTW CVE-2024-56520
seems to be ReDoS-related too), so far, I haven't been able to exploit
any of the other open issues either. I could give a better try to some
of them (e.g. CVE-2024-51058), but I fear that it will be difficult to
fully test all of those CVEs and their fixes. Help is welcome on that
side.

Other than that, I have verified that autopkgtest for both the current
version [0] in bookworm and the proposed update works correctly [1]. That
includes locally running the different example files (based on
debian/tests/test.sh) and checking the results. This includes
example_049.php, which was modified with the patch for CVE-2024-32489.

[0] https://salsa.debian.org/phpmyadmin-team/tcpdf/-/jobs/7616586
[1] https://salsa.debian.org/phpmyadmin-team/tcpdf/-/jobs/7601105

Debdiff attached for convenience.

Cheers,

 -- Santiago
