
Bug#1015874: marked as done (php-dompdf: CVE-2022-2400)



Your message dated Fri, 03 Feb 2023 22:19:27 +0000
with message-id <E1pO4P1-002aku-Mo@fasolo.debian.org>
and subject line Bug#1015874: fixed in php-dompdf 2.0.2+dfsg-1
has caused the Debian Bug report #1015874,
regarding php-dompdf: CVE-2022-2400
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1015874: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015874
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: php-dompdf
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for php-dompdf.

CVE-2022-2400[0]:
| External Control of File Name or Path in GitHub repository
| dompdf/dompdf prior to 2.0.0.

https://huntr.dev/bounties/a6da5e5e-86be-499a-a3c3-2950f749202a

The isolated patch is
https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a
but if php-dompdf is to be included in Bookworm, it should really
be updated to 2.0.0, otherwise the current version will be over
seven years old when Bookworm gets released.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-2400
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2400

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: php-dompdf
Source-Version: 2.0.2+dfsg-1
Done: William Desportes <williamdes@wdes.fr>

We believe that the bug you reported is fixed in the latest version of
php-dompdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1015874@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
William Desportes <williamdes@wdes.fr> (supplier of updated php-dompdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 03 Feb 2023 22:53:19 +0100
Source: php-dompdf
Built-For-Profiles: noudeb
Architecture: source
Version: 2.0.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: William Desportes <williamdes@wdes.fr>
Closes: 1015874
Changes:
 php-dompdf (2.0.2+dfsg-1) unstable; urgency=medium
 .
   [ Katharina Drexel ]
   * Refresh the packaging
 .
   [ William Desportes ]
   * Remove dfsg fonts lib/fonts/*.afm
   * Remove dfsg fonts lib/fonts/DejaVu*.{ufm, ttf}
   * New upstream version 2.0.1 (Closes: #1015874, CVE-2022-2400)
   * New upstream version 2.0.2 (CVE-2023-23924)
   * Document copyrights of debian/* files
   * Set Uploaders to myself
   * Remove Suggests: php-apcu, php-cli and php-tcpdf
   * Install the VERSION file because the code needs it
   * Add var/cache/php-dompdf/tmp to d/dirs
   * Add pkg-php-tools overrides and autoloaders
   * Add a patch to change directories to Debian folders
   * Add a patch for fontDir to work on build tests
   * Depend on fonts-dejavu-{extra,core} and sdop for fonts
Checksums-Sha1:
 82218e0b0d63c7a6b53c565f64fefd053ecf401b 2330 php-dompdf_2.0.2+dfsg-1.dsc
 1b814762f1afcecc0913141a4cd2a8cc255c2db7 1564668 php-dompdf_2.0.2+dfsg.orig.tar.xz
 657966365e8f6c6576b39b4725663afb67a0840c 17520 php-dompdf_2.0.2+dfsg-1.debian.tar.xz
 7e13d8fc763435ab54444ed8ed9bd2845f197b95 64486 php-dompdf_2.0.2+dfsg-1_source.buildinfo
Checksums-Sha256:
 59781a4c7b1d641ea07e61d80fb8b9f356e51c384a01ce3e25845eebfefb9295 2330 php-dompdf_2.0.2+dfsg-1.dsc
 5832ff777760df0486a80897e9cdda510cd29243cb1f0aca36ae64a6892fc987 1564668 php-dompdf_2.0.2+dfsg.orig.tar.xz
 3463ea179810640aff2511c8c60f2a7539d7bd22ed2f235a3111ca753d25db74 17520 php-dompdf_2.0.2+dfsg-1.debian.tar.xz
 599d363d85cf25310d622b51f6d0e380147f222f9c61808101a7999aeae8644a 64486 php-dompdf_2.0.2+dfsg-1_source.buildinfo
Files:
 81129c196bcfc678182134a7f29dd360 2330 php optional php-dompdf_2.0.2+dfsg-1.dsc
 2451eab31dd44c3da1f159631baff3c9 1564668 php optional php-dompdf_2.0.2+dfsg.orig.tar.xz
 8409580f9a729fad9d5b2ea172d4912d 17520 php optional php-dompdf_2.0.2+dfsg-1.debian.tar.xz
 4e03894e52f80c52e39a7451abb44bd9 64486 php optional php-dompdf_2.0.2+dfsg-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
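The .changes block in the message above carries SHA1, SHA256 and MD5 digests plus sizes for every uploaded artifact, which is what lets a downstream consumer check that a fetched .dsc or orig tarball is the one the maintainer signed. The following Python is an added example, not code from the Debian BTS message or from the php-dompdf package: it parses the Checksums-Sha1, Checksums-Sha256 and Files stanzas of a Format 1.8 .changes file and verifies a directory of downloaded files against them, refusing to accept a file for which only weak digests are listed. The excerpt embedded in CHANGES_EXCERPT is copied from the message above; the demo function builds its own constructed sample file and stanza (the name sample.tar.xz is an assumption) to show that a same-length tamper is caught by the digest check alone.

```python
import hashlib
import os
import tempfile

# Added example, not part of the Debian message or the php-dompdf package:
# parse the checksum stanzas of a .changes file and verify artifacts.

# Excerpt copied from the .changes block of the message above.
CHANGES_EXCERPT = """\
Format: 1.8
Source: php-dompdf
Version: 2.0.2+dfsg-1
Changes:
 php-dompdf (2.0.2+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 2.0.1 (Closes: #1015874, CVE-2022-2400)
Checksums-Sha1:
 82218e0b0d63c7a6b53c565f64fefd053ecf401b 2330 php-dompdf_2.0.2+dfsg-1.dsc
 1b814762f1afcecc0913141a4cd2a8cc255c2db7 1564668 php-dompdf_2.0.2+dfsg.orig.tar.xz
 657966365e8f6c6576b39b4725663afb67a0840c 17520 php-dompdf_2.0.2+dfsg-1.debian.tar.xz
 7e13d8fc763435ab54444ed8ed9bd2845f197b95 64486 php-dompdf_2.0.2+dfsg-1_source.buildinfo
Checksums-Sha256:
 59781a4c7b1d641ea07e61d80fb8b9f356e51c384a01ce3e25845eebfefb9295 2330 php-dompdf_2.0.2+dfsg-1.dsc
 5832ff777760df0486a80897e9cdda510cd29243cb1f0aca36ae64a6892fc987 1564668 php-dompdf_2.0.2+dfsg.orig.tar.xz
 3463ea179810640aff2511c8c60f2a7539d7bd22ed2f235a3111ca753d25db74 17520 php-dompdf_2.0.2+dfsg-1.debian.tar.xz
 599d363d85cf25310d622b51f6d0e380147f222f9c61808101a7999aeae8644a 64486 php-dompdf_2.0.2+dfsg-1_source.buildinfo
Files:
 81129c196bcfc678182134a7f29dd360 2330 php optional php-dompdf_2.0.2+dfsg-1.dsc
 2451eab31dd44c3da1f159631baff3c9 1564668 php optional php-dompdf_2.0.2+dfsg.orig.tar.xz
 8409580f9a729fad9d5b2ea172d4912d 17520 php optional php-dompdf_2.0.2+dfsg-1.debian.tar.xz
 4e03894e52f80c52e39a7451abb44bd9 64486 php optional php-dompdf_2.0.2+dfsg-1_source.buildinfo
"""

# Stanza name -> hashlib algorithm name. "Files:" lines carry MD5 digests.
STANZA_ALGOS = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256", "Files": "md5"}


def parse_checksums(text):
    """Return {filename: {"size": int, "sha1": ..., "sha256": ..., "md5": ...}}.

    Continuation lines (leading space) belong to the most recent field; only
    the three checksum stanzas are collected, everything else (Changes:, ...)
    is skipped. The filename is always the last token on the line.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        if line.startswith(" "):
            if current is None:
                continue
            fields = line.split()
            if len(fields) < 3:
                raise ValueError(f"malformed {current} line: {line!r}")
            digest, size, name = fields[0].lower(), int(fields[1]), fields[-1]
            entry = entries.setdefault(name, {})
            if entry.get("size", size) != size:
                raise ValueError(f"size for {name} differs between stanzas")
            entry["size"] = size
            entry[current] = digest
        else:
            field = line.split(":", 1)[0]
            current = STANZA_ALGOS.get(field) if line.rstrip().endswith(":") else None
    return entries


def verify_directory(entries, directory):
    """Return {filename: status}; status is "ok" or the reason verification failed."""
    results = {}
    for name, expected in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if "sha256" not in expected:
            results[name] = "no-sha256"  # refuse to rely on MD5/SHA1 alone
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != expected["size"]:
            results[name] = "size-mismatch"
            continue
        status = "ok"
        for algo in ("sha256", "sha1", "md5"):  # every digest listed must match
            if algo in expected and hashlib.new(algo, data).hexdigest() != expected[algo]:
                status = f"{algo}-mismatch"
                break
        results[name] = status
    return results


def demo_tamper_detection():
    """Constructed scenario: verify a sample file, then the same file with one byte changed."""
    good = b"constructed sample tarball content\n"
    stanza = (
        "Checksums-Sha256:\n {} {} sample.tar.xz\n"
        "Files:\n {} {} php optional sample.tar.xz\n"
    ).format(hashlib.sha256(good).hexdigest(), len(good),
             hashlib.md5(good).hexdigest(), len(good))
    entries = parse_checksums(stanza)
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "sample.tar.xz")
        with open(target, "wb") as fh:
            fh.write(good)
        before = verify_directory(entries, workdir)["sample.tar.xz"]
        with open(target, "wb") as fh:
            fh.write(good[:-1] + b"!")  # same length, so only the digest catches it
        after = verify_directory(entries, workdir)["sample.tar.xz"]
    return before, after


if __name__ == "__main__":
    for name, entry in parse_checksums(CHANGES_EXCERPT).items():
        print(name, entry["size"], entry["sha256"])
    print(demo_tamper_detection())
```

Run against a directory holding the four files listed in the message, verify_directory reports "ok" only when size and all three digests agree; the size check is cheap but the SHA256 comparison is the one that matters, which is why an entry with no Checksums-Sha256 line is rejected rather than falling back to MD5. Note that this only ties the files to the .changes contents; trusting the .changes itself still depends on checking its PGP signature against the uploader's key in the Debian keyring.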
