Control: tag -1 confirmed

Hi,

Laurent Destailleur (aka Eldy) <eldy@destailleur.fr> (2017-05-06):
> I made an error when copying and pasting the CVE number in my first request.
> Bug number was correct, so #814030, but CVE related is CVE-2017-6100
>
>
> Also, this is the full debdiff (I previously provided only the patch file):
[…]

Next time, please attach the full debdiff properly instead of inlining it,
it gets line-wrapped, which makes it hard to read, check, and apply. It was
additionally rejected by dpkg-source:

| patching file config/tcpdf_config.php
| Hunk #1 FAILED at 210.
| 1 out of 1 hunk FAILED
| dpkg-source: info: the patch has fuzz which is not allowed, or is malformed

Anyway, no objection on the patch itself, except for the lack of
documentation in the changelog. I'm attaching a new debdiff which is a bit
more descriptive. Feel free to upload.

KiBi.
diff -Nru tcpdf-6.0.093+dfsg/debian/changelog tcpdf-6.0.093+dfsg/debian/changelog --- tcpdf-6.0.093+dfsg/debian/changelog 2014-09-07 17:22:38.000000000 +0200 +++ tcpdf-6.0.093+dfsg/debian/changelog 2017-06-27 22:45:18.000000000 +0200 @@ -1,3 +1,10 @@ +tcpdf (6.0.093+dfsg-1+deb8u1) jessie; urgency=medium + + [ Laurent Destailleur (eldy) ] + * Fix CVE-2017-6100 by disallowing tcpdf calls in HTML (Closes: #814030) + + -- Laurent Destailleur (eldy) <eldy@users.sourceforge.net> Tue, 27 Jun 2017 22:44:33 +0200 + tcpdf (6.0.093+dfsg-1) unstable; urgency=medium * New upstream release 6.0.093+dfsg diff -Nru tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch --- tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch 1970-01-01 01:00:00.000000000 +0100 +++ tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch 2017-06-27 22:42:54.000000000 +0200 
@@ -0,0 +1,17 @@ +Description: Set default value of K_TCPDF_CALLS_IN_HTML to false. +Author: Laurent Destailleur <eldy@users.sourceforge.net> +Forwarded: not-needed +Last-Update: 2013-07-29 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/config/tcpdf_config.php ++++ b/config/tcpdf_config.php +@@ -210,7 +210,7 @@ define('K_THAI_TOPCHARS', true); + * If true allows to call TCPDF methods using HTML syntax + * IMPORTANT: For security reason, disable this feature if you are printing user HTML content. + */ +-define('K_TCPDF_CALLS_IN_HTML', true); ++define('K_TCPDF_CALLS_IN_HTML', false); + + /** + * If true and PHP version is greater than 5, then the Error() method throw new exception instead of terminating the execution. diff -Nru tcpdf-6.0.093+dfsg/debian/patches/series tcpdf-6.0.093+dfsg/debian/patches/series --- tcpdf-6.0.093+dfsg/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ tcpdf-6.0.093+dfsg/debian/patches/series 2017-06-27 22:42:17.000000000 +0200 @@ -0,0 +1 @@ +default-K_TCPDF_CALLS_IN_HTML-to-false.patch
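Review bot: the changelog entry for 6.0.093+dfsg-1+deb8u1 names CVE-2017-6100 and closes #814030 but does not say what changes for users; since the fix only flips the shipped default of K_TCPDF_CALLS_IN_HTML in config/tcpdf_config.php (whose own comment describes the feature as one to disable when printing user-supplied HTML), a second line such as "Applications that deliberately call TCPDF methods from HTML must now set K_TCPDF_CALLS_IN_HTML to true themselves" would tell administrators both the impact and why the default was changed.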
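Review bot: in the DEP-3 header of default-K_TCPDF_CALLS_IN_HTML-to-false.patch, `Last-Update: 2013-07-29` contradicts the file's own 2017-06-27 timestamp and the changelog date; set it to the date the patch was actually prepared, and consider adding `Bug-Debian: https://bugs.debian.org/814030` so the patch file itself points back to the bug and CVE rather than relying on the changelog for that link.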