I made an error when copying and pasting the CVE number in my first request.
diff -Nru tcpdf-6.0.093+dfsg/debian/changelog tcpdf-6.0.093+dfsg/debian/changelog
--- tcpdf-6.0.093+dfsg/debian/changelog 2014-09-07 17:22:38.000000000 +0200
+++ tcpdf-6.0.093+dfsg/debian/changelog 2017-02-23 18:36:27.000000000 +0100
@@ -1,3 +1,9 @@
+tcpdf (6.0.093+dfsg-1+deb8u1) UNRELEASED; urgency=medium
+
+ * Fix CVE-2017-6100 (Closes: #814030)
+
+
tcpdf (6.0.093+dfsg-1) unstable; urgency=medium
* New upstream release 6.0.093+dfsg
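Review bot: The new changelog stanza stops after its single bullet: as shown it has no maintainer trailer line (" -- Name <email>  date") before the 6.0.093+dfsg-1 entry, and the distribution is still UNRELEASED although the +deb8u1 version targets a jessie update. Both need to be filled in before upload. The bullet "Fix CVE-2017-6100" would also be more useful if it named the actual change, for example that it adds default-K_TCPDF_CALLS_IN_HTML-to-false.patch to switch the default of K_TCPDF_CALLS_IN_HTML to false, so that readers of the changelog can see that a default behaviour changes.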
diff -Nru tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch
--- tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch 1970-01-01 01:00:00.000000000 +0100
+++ tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch 2017-02-23 18:36:27.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Set default value of K_TCPDF_CALLS_IN_HTML to false.
+Forwarded: not-needed
+Last-Update: 2013-07-29
+---
+--- a/config/tcpdf_config.php
++++ b/config/tcpdf_config.php
+@@ -210,7 +210,7 @@
+ * If true allows to call TCPDF methods using HTML syntax
+ * IMPORTANT: For security reason, disable this feature if you are printing user HTML content.
+ */
+-define('K_TCPDF_CALLS_IN_HTML', true);
++define('K_TCPDF_CALLS_IN_HTML', false);
+
+ /**
+ * If true and PHP version is greater than 5, then the Error() method throw new exception instead of terminating the execution.
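Review bot: The patch header carries "Last-Update: 2013-07-29", which predates this 2017 changelog entry, and it has no Origin/Author or Bug-Debian field, so nothing in the patch itself ties it to CVE-2017-6100 or #814030. Consider adding those fields and mentioning the CVE in the Description. Note also that the hunk only flips the default in config/tcpdf_config.php from true to false. Installations that define K_TCPDF_CALLS_IN_HTML as true in their own configuration stay exposed, and users who rely on calling TCPDF methods from HTML will see a behaviour change in a stable update, so a NEWS entry explaining both points would be worthwhile.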
diff -Nru tcpdf-6.0.093+dfsg/debian/patches/series tcpdf-6.0.093+dfsg/debian/patches/series
--- tcpdf-6.0.093+dfsg/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ tcpdf-6.0.093+dfsg/debian/patches/series 2017-02-23 18:36:27.000000000 +0100
@@ -0,0 +1 @@
+default-K_TCPDF_CALLS_IN_HTML-to-false.patch