Bug#861926: jessie-pu: package php-tcpdf/6.0.093+dfsg-1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
I request permission to upload a fix of package php-tcpdf to fix security bug CVE-2015-3935 (#814030).
https://sourceforge.net/p/tcpdf/bugs/1005/
The fix is as simple as the following patch. Non-regression tested successfully on the packages "dolibarr" and "phpmyadmin".
Description: Set default value of K_TCPDF_CALLS_IN_HTML to false.
Author: Laurent Destailleur <eldy@users.sourceforge.net>
Forwarded: not-needed
Last-Update: 2013-07-29
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/config/tcpdf_config.php
+++ b/config/tcpdf_config.php
@@ -210,7 +210,7 @@
* If true allows to call TCPDF methods using HTML syntax
* IMPORTANT: For security reason, disable this feature if you are printing user HTML content.
*/
-define('K_TCPDF_CALLS_IN_HTML', true);
+define('K_TCPDF_CALLS_IN_HTML', false);
/**
* If true and PHP version is greater than 5, then the Error() method throw new exception instead of terminating the execution.
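Review bot: the flipped default on the `define` line is the right fix, but the doc comment two lines above it still presents the option as a neutral toggle; since the hunk already touches this block, suggest rewording it so the shipped default and its security meaning are explicit, e.g. `* Default is false. Only set this to true if every HTML string passed to writeHTML() is trusted.` Note also that this changes only the default shipped in config/tcpdf_config.php: an application that defines K_TCPDF_CALLS_IN_HTML itself before loading this file, or ships its own copy of the config, is unaffected, so the non-regression runs on dolibarr and phpmyadmin should include checking that neither of them sets the constant to true on its own. Finally, the DEP-3 header carries no bug reference and a Last-Update of 2013-07-29 that predates CVE-2015-3935; adding `Bug-Debian: https://bugs.debian.org/814030` and `Bug: https://sourceforge.net/p/tcpdf/bugs/1005/` and refreshing the date would tie the patch to the issue it fixes.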
-- System Information:
Debian Release: jessie/sid
APT prefers trusty-updates
APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.19.0-46-generic (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
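For an application that renders end-user HTML through TCPDF, the check a practitioner wants is a fail-closed guard that refuses to run while the upstream default is still in place, plus removal of the `<tcpdf>` element itself so the result does not depend on whichever tcpdf_config.php a given deployment ships. The following is an added example written for this page; it is not code from the bug report, from Debian, or from TCPDF. The include path, the function name `renderUntrustedHtml`, the output path and the sample input are assumptions for illustration.

```php
<?php
// Added example, not part of the Debian bug report or of TCPDF itself.
// The include path below is an assumption; adjust it to where TCPDF is installed.
require_once '/usr/share/php/tcpdf/tcpdf.php';

/**
 * Render untrusted HTML to a PDF file.
 *
 * With K_TCPDF_CALLS_IN_HTML set to true, TCPDF treats a
 * <tcpdf method="..." ...> element inside the HTML as a call to that
 * method on the TCPDF object, which is why the config comment says to
 * disable the feature when printing user HTML. This wrapper:
 *   1. refuses to render at all if the constant is still true, and
 *   2. strips every <tcpdf> open/close tag from the input anyway, so the
 *      content is safe even on a host whose config differs.
 *
 * $userHtml is assumed to be attacker-controlled.
 */
function renderUntrustedHtml(string $userHtml, string $outputPath): void
{
    // Fail closed: never trust the config to have been patched.
    if (defined('K_TCPDF_CALLS_IN_HTML') && K_TCPDF_CALLS_IN_HTML === true) {
        throw new RuntimeException(
            'K_TCPDF_CALLS_IN_HTML is true; refusing to render user-supplied HTML'
        );
    }

    // Defence in depth: remove <tcpdf ...>, <tcpdf ... /> and </tcpdf> tags.
    // Any text between them is left in place as plain content.
    $cleanHtml = preg_replace('#<\s*/?\s*tcpdf\b[^>]*>#i', '', $userHtml);

    $pdf = new TCPDF();
    $pdf->AddPage();
    $pdf->writeHTML($cleanHtml, true, false, true, false, '');
    $pdf->Output($outputPath, 'F');
}

// Constructed sample input: the kind of element the constant is meant to block.
$sample = '<p>Invoice 42</p><tcpdf method="AddPage" /><p>Total: 10 EUR</p>';
renderUntrustedHtml($sample, '/tmp/invoice.pdf');
```

The `=== true` comparison mirrors the strictness of the config switch: only a defined, boolean-true constant enables the feature, so a string such as "false" or a missing definition is treated as disabled. The tag-stripping regex intentionally removes only the element markers and keeps inner text, which is harmless once it can no longer be interpreted as a method call.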