Your message dated Wed, 23 Apr 2014 17:50:03 -0400
with message-id <[email protected]>
and subject line Re: Bug#745619: dompdf: CVE-2014-2383: arbitrary file read
has caused the Debian Bug report #745619,
regarding dompdf: CVE-2014-2383: arbitrary file read
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
745619: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745619
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: php-dompdf
Version: 0.6.0~beta3+dfsg0-1
Severity: normal
Tags: security, fixed-upstream
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/
https://github.com/dompdf/dompdf/releases
A user is at risk if they have enabled DOMPDF_ENABLE_REMOTE in
dompdf_config.inc.php, which is not recommended:
  /**
   * Enable remote file access
   *
   * If this setting is set to true, DOMPDF will access remote sites for
   * images and CSS files as required.
   * This is required for part of test case www/test/image_variants.html through www/examples.php
   *
   * Attention!
   * This can be a security risk, in particular in combination with DOMPDF_ENABLE_PHP and
   * allowing remote access to dompdf.php or on allowing remote html code to be passed to
   * $dompdf = new DOMPDF(); $dompdf->load_html(...);
   * This allows anonymous users to download legally doubtful internet content which on
   * tracing back appears to be downloaded by your server, or allows malicious php code
   * in remote html pages to be executed by your server with your account privileges.
   *
   * @var bool
   */
  def("DOMPDF_ENABLE_REMOTE", false);
Fixed in the 0.6.1 release. I reproduced this issue and the PDF output file
included only 90 characters (no line breaks). Low-priority issue.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.9-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages php-dompdf depends on:
ii fonts-dejavu 2.34-1
ii php-font-lib 0~20120210+dfsg-1
ii php5 5.5.11+dfsg-3
ii php5-cli 5.5.11+dfsg-3
ii sdop 0.80-1
php-dompdf recommends no packages.
Versions of packages php-dompdf suggests:
pn php-tcpdf <none>
ii php5-cli 5.5.11+dfsg-3
pn php5-gd <none>
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 0.6.1+dfsg-1
On Wed, Apr 23, 2014 at 03:09:02PM +0300, Henri Salo wrote:
> Package: php-dompdf
[…]
> Fixed in 0.6.1 release. I reproduced this issue and the PDF output file did
> include only 90 characters (no line breaks). Low priority issue.
Thanks, since 0.6.1+dfsg-1 was already in experimental, I just uploaded
0.6.1+dfsg-2 to Sid.
Regards
David
--- End Message ---