
Bug#861926: Acknowledgement (jessie-pu: package php-tcpdf/6.0.093+dfsg-1)



Control: tag -1 confirmed

Hi,

Laurent Destailleur (aka Eldy) <eldy@destailleur.fr> (2017-05-06):
> I made an error when copying and pasting the CVE number in my first request.
> The bug number was correct, #814030, but the related CVE is CVE-2017-6100
> 
> 
> Also, this is the full debdiff (I previously provided only the patch file): […]

Next time, please attach the full debdiff properly instead of inlining
it; inlined, it gets line-wrapped, which makes it hard to read, check, and apply.
It was additionally rejected by dpkg-source:
| patching file config/tcpdf_config.php
| Hunk #1 FAILED at 210.
| 1 out of 1 hunk FAILED
| dpkg-source: info: the patch has fuzz which is not allowed, or is malformed

Anyway, no objection to the patch itself, except for the lack of
documentation in the changelog. I'm attaching a new debdiff which is a
bit more descriptive.

Feel free to upload.


KiBi.
diff -Nru tcpdf-6.0.093+dfsg/debian/changelog tcpdf-6.0.093+dfsg/debian/changelog
--- tcpdf-6.0.093+dfsg/debian/changelog	2014-09-07 17:22:38.000000000 +0200
+++ tcpdf-6.0.093+dfsg/debian/changelog	2017-06-27 22:45:18.000000000 +0200
@@ -1,3 +1,10 @@
+tcpdf (6.0.093+dfsg-1+deb8u1) jessie; urgency=medium
+
+  [ Laurent Destailleur (eldy) ]
+  * Fix CVE-2017-6100 by disallowing tcpdf calls in HTML (Closes: #814030)
+
+ -- Laurent Destailleur (eldy) <eldy@users.sourceforge.net>  Tue, 27 Jun 2017 22:44:33 +0200
+
 tcpdf (6.0.093+dfsg-1) unstable; urgency=medium
 
   * New upstream release 6.0.093+dfsg
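Review bot: the changelog entry (the `* Fix CVE-2017-6100 ...` line) records the fix only as a bug closure, but this jessie update changes a shipped default, so it should tell administrators what changes for them: HTML given to TCPDF can no longer call TCPDF methods, and an application that relied on that has to turn K_TCPDF_CALLS_IN_HTML back on in its own configuration. Something like `* Set K_TCPDF_CALLS_IN_HTML to false by default in config/tcpdf_config.php so that HTML input can no longer invoke TCPDF methods (CVE-2017-6100, Closes: #814030)` says both. The `[ Laurent Destailleur (eldy) ]` attribution block is redundant here, since the same person signs the trailer line.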
diff -Nru tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch
--- tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch	1970-01-01 01:00:00.000000000 +0100
+++ tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch	2017-06-27 22:42:54.000000000 +0200
@@ -0,0 +1,17 @@
+Description: Set default value of K_TCPDF_CALLS_IN_HTML to false.
+Author: Laurent Destailleur <eldy@users.sourceforge.net>
+Forwarded: not-needed
+Last-Update: 2013-07-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/config/tcpdf_config.php
++++ b/config/tcpdf_config.php
+@@ -210,7 +210,7 @@ define('K_THAI_TOPCHARS', true);
+  * If true allows to call TCPDF methods using HTML syntax
+  * IMPORTANT: For security reason, disable this feature if you are printing user HTML content.
+  */
+-define('K_TCPDF_CALLS_IN_HTML', true);
++define('K_TCPDF_CALLS_IN_HTML', false);
+ 
+ /**
+  * If true and PHP version is greater than 5, then the Error() method throw new exception instead of terminating the execution.
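Review bot: the DEP-3 header disagrees with the patch it describes: `Last-Update: 2013-07-29` predates both the file's own timestamp (2017-06-27) and the CVE the patch addresses, and there is no Bug-Debian or CVE reference anywhere in the header. Set Last-Update to the date the patch was written, add `Bug-Debian: https://bugs.debian.org/814030`, and name the CVE in the Description, e.g. `Description: Set K_TCPDF_CALLS_IN_HTML to false by default (CVE-2017-6100)`. The line `This patch header follows DEP-3: http://dep.debian.net/deps/dep3/` below the `---` separator is template text and can be dropped. The code change itself is a one-line default flip from `true` to `false` on the `define('K_TCPDF_CALLS_IN_HTML', ...)` line, matching the upstream comment in the same hunk that tells users to disable the feature when printing user-supplied HTML.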
diff -Nru tcpdf-6.0.093+dfsg/debian/patches/series tcpdf-6.0.093+dfsg/debian/patches/series
--- tcpdf-6.0.093+dfsg/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ tcpdf-6.0.093+dfsg/debian/patches/series	2017-06-27 22:42:17.000000000 +0200
@@ -0,0 +1 @@
+default-K_TCPDF_CALLS_IN_HTML-to-false.patch

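As an added example (not code from the Debian package, from this bug report, or from TCPDF itself), here is a small Python audit script for the setting the debdiff changes. It reads the value a tcpdf_config.php ships for K_TCPDF_CALLS_IN_HTML and flags `<tcpdf ...>` tags in HTML that is about to be handed to writeHTML(). It assumes the define() line has the shape shown in the debdiff, and that the "HTML syntax" method call TCPDF honours when the constant is true is the `<tcpdf method="...">` tag as described in TCPDF's own documentation (not on this page); the config fragments and the HTML snippet are constructed samples.

```python
"""Audit helpers for TCPDF's K_TCPDF_CALLS_IN_HTML setting.

Added example, not code from the Debian package or from TCPDF. Assumptions:
 - the setting is written as define('K_TCPDF_CALLS_IN_HTML', true|false);
   as in the debdiff above;
 - when the constant is true, TCPDF executes <tcpdf method="..."> tags found
   in HTML given to writeHTML() (tag name taken from TCPDF's documentation).
"""
import re

# Matches an uncommented define() of the constant. '//'-commented lines are
# skipped because the line must start with 'define'; '/* */' blocks are not
# handled, so treat the result as a first pass, not a proof.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\s*\(\s*['"]K_TCPDF_CALLS_IN_HTML['"]\s*,\s*(true|false)\s*\)\s*;""",
    re.IGNORECASE | re.MULTILINE,
)
# The HTML-syntax method call TCPDF honours when the constant is true.
TCPDF_TAG_RE = re.compile(r"<\s*tcpdf\b[^>]*>", re.IGNORECASE)


def calls_in_html_setting(config_php):
    """True/False for the configured value, None if the file does not define it.

    The first define() wins, as in PHP, where a second define() of the same
    constant is rejected with a warning and the first value stays.
    """
    m = DEFINE_RE.search(config_php)
    if m is None:
        return None
    return m.group(1).lower() == "true"


def find_tcpdf_tags(html):
    """Return every <tcpdf ...> tag present in an HTML fragment."""
    return TCPDF_TAG_RE.findall(html)


def strip_tcpdf_tags(html):
    """Remove <tcpdf ...> tags from untrusted HTML.

    Defence in depth only: the real fix is K_TCPDF_CALLS_IN_HTML = false,
    which turns the feature off regardless of what the HTML contains.
    """
    return TCPDF_TAG_RE.sub("", html)


def audit(config_php, html):
    """Combine both checks into a verdict.

    An undefined constant is treated as enabled, because the fallback default
    TCPDF applies then depends on the TCPDF version.
    """
    enabled = calls_in_html_setting(config_php)
    tags = find_tcpdf_tags(html)
    return {
        "calls_in_html": enabled,
        "tcpdf_tags": tags,
        "at_risk": bool(tags) and enabled is not False,
    }


# Constructed samples, modelled on the config lines shown in the debdiff.
VULNERABLE_CONFIG = """\
/**
 * If true allows to call TCPDF methods using HTML syntax
 */
define('K_TCPDF_CALLS_IN_HTML', true);
"""
HARDENED_CONFIG = VULNERABLE_CONFIG.replace(
    "'K_TCPDF_CALLS_IN_HTML', true", "'K_TCPDF_CALLS_IN_HTML', false"
)
# Constructed user-supplied HTML carrying a method-call tag.
USER_HTML = '<p>Invoice</p><tcpdf method="AddPage" />'

if __name__ == "__main__":
    for name, cfg in (("shipped jessie default", VULNERABLE_CONFIG),
                      ("deb8u1 default", HARDENED_CONFIG)):
        print(name, audit(cfg, USER_HTML))
```

The script only sees the config file it is given; a constant defined by the application before TCPDF is loaded is invisible to it, so check the application's own configuration as well when auditing a deployment.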

