On 27/05/25 at 08:47, William Desportes wrote:
> Hello Santiago & hello security team,
>
>
> https://salsa.debian.org/phpmyadmin-team/tcpdf/-/tree/wip/santiago/debian/bookworm
>
> The changes look fine, but here are two minor things:
> - the phpab change seems weird to me, but maybe because I use
> gbp-buildpackage.

I also use gbp buildpackage (+sbuild), and so does the Salsa CI pipeline. And
the latter is not happy if I revert the change:
https://salsa.debian.org/santiago/tcpdf/-/jobs/7632126#L1054

> - the salsa CI change should not be needed once I switch the repo CI to
> "recipes/debian.yml@salsa-ci-team/pipeline" because the branch name will be
> okay.

With my Salsa CI maintainer hat on, I'd recommend sticking with my change.
Explicitly setting the RELEASE name in the CI config file is more reliable.
The automated method to detect the release is based on debian/changelog. If
somebody else in the future triggers a pipeline for an UNRELEASED package, even
if it's in debian/bookworm, it will be run for sid. And those CI configs based
on recipes are not reliable. I've encountered a couple of issues, especially
related to variable inheritance.

> - See: https://udd.debian.org/salsa/?williamdes%40wdes.fr
> - If possible please change the Vcs branch at
> https://salsa.debian.org/phpmyadmin-team/tcpdf/-/blob/wip/santiago/debian/bookworm/debian/control#L12

Done!

>
> Else, you can push to a debian/bookworm branch and release the changes. Each
> commit looks good.

Thanks! If you don't mind, I'd like to wait for the security team's input first.

>
> Thank you for all your work!
> And very sorry for not finding more time to dig into the tcpdf CVEs.

Thanks for reviewing!

>
> Let me know for the upload.
>
> --
> William Desportes
>
> On 2025/05/26 18:44, Santiago Ruano Rincón wrote:
> > Hello William, hello security team,
> >
> > On 16/05/25 at 17:37, Santiago Ruano Rincón wrote:
> > > On 16/05/25 at 21:08, William Desportes wrote:
> > > > Hello,
> > > >
> > > > Thank you for reaching out to me.
> > > > Do you have access to the salsa repository?
> > > > [...]
> >
> > This is a quick update about fixing the open issues for tcpdf. I've
> > pushed the current WIP update at:
> >
> > https://salsa.debian.org/phpmyadmin-team/tcpdf/-/tree/wip/santiago/debian/bookworm
> >
> > > > Sure it is best to extract the commit [that fixes CVE-2024-32489]
> >
> > Done.
> >
> > > > For another CVE, maybe the one you are searching for: <https://github.com/tecnickcom/TCPDF/commit/17fe9597fb31d3d08c0f02a03338928ab8bcf0b5> is the ReDoS commit.
> >
> > I've been unable to reproduce the POCs for CVE-2024-22640 and
> > CVE-2024-22641. Not sure how these can be exploited on a regular system.
> >
> > > > Also, do not backport the curl changes done to fix one of the
> > > > CVEs, it would require the dependency on php-curl.
> >
> > Did as you suggested.
> >
> > > > And yes, no POC to be found. Quite a shame, fixes come out of nowhere and are released as they are.
> >
> > Other than those two ReDoS issues already mentioned (BTW CVE-2024-56520
> > seems to be ReDoS-related too), so far I haven't been able to exploit
> > any of the other open issues either. I could give a better try to some
> > of them (e.g. CVE-2024-51058), but I fear that it will be difficult to
> > fully test all of those CVEs and their fixes. Help is welcome on that
> > side.
> >
> > Other than that, I have verified that autopkgtest for both the current
> > version [0] in bookworm and the proposed update works correctly [1]. That
> > includes locally running the different example files (based on
> > debian/tests/test.sh) and checking the results. This includes
> > example_049.php, which was modified with the patch for CVE-2024-32489.
> >
> > [0] https://salsa.debian.org/phpmyadmin-team/tcpdf/-/jobs/7616586
> > [1] https://salsa.debian.org/phpmyadmin-team/tcpdf/-/jobs/7601105
> >
> > Debdiff attached for convenience.
> >
> > Cheers,
> >
> > --
> > Santiago