Bonjour William, hello security team,

On 16/05/25 at 17:37, Santiago Ruano Rincón wrote:
> On 16/05/25 at 21:08, William Desportes wrote:
> > Hello,
> > 
> > Thank you for reaching out to me.
> > Do you have access to the salsa repository?

[...]

This is a quick update about fixing the open issues for tcpdf. I've
pushed the current WIP update at:

https://salsa.debian.org/phpmyadmin-team/tcpdf/-/tree/wip/santiago/debian/bookworm

> > Sure it is best to extract the commit [that fixes CVE-2024-32489]

Done.

> > For another CVE maybe the one you are searching for: 
> > <https://github.com/tecnickcom/TCPDF/commit/17fe9597fb31d3d08c0f02a03338928ab8bcf0b5>
> >  is the ReDoS commit.

I've been unable to reproduce the POCs for CVE-2024-22640 and
CVE-2024-22641. Not sure how these can be exploited on a regular system.

> > Also, do not backport the curl changes done to fix one of the CVEs, it would 
> > require the Dependency of php-curl.

Did like you suggested.

> > And yes, no POC to be found. Quite a shame, fixes come out of nowhere and 
> > are released as they are. 

Other than those two ReDoS issues already mentioned (BTW CVE-2024-56520
seems to be ReDoS-related too), so far, I haven't been able to exploit
any of the other open issues either. I could give a better try to some
of them (e.g. CVE-2024-51058), but I fear that it will be difficult to
fully test all of those CVEs and their fixes. Help is welcome on that
side.

Other than that, I have verified that autopkgtest for both the current
version [0] in bookworm and the proposed update work correctly [1]. That
includes locally running the different example files (based on
debian/tests/test.sh) and checking the results. This includes
example_049.php, which was modified with the patch for CVE-2024-32489.

[0] https://salsa.debian.org/phpmyadmin-team/tcpdf/-/jobs/7616586
[1] https://salsa.debian.org/phpmyadmin-team/tcpdf/-/jobs/7601105

Debdiff attached for convenience.

Cheers,

 -- Santiago
diff -Nru tcpdf-6.6.2+dfsg1/debian/changelog tcpdf-6.6.2+dfsg1/debian/changelog
--- tcpdf-6.6.2+dfsg1/debian/changelog  2022-12-23 17:14:51.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/changelog  2025-05-19 23:47:41.000000000 -0300
@@ -1,3 +1,26 @@
+tcpdf (6.6.2+dfsg1-1+deb12u1) bookworm-security; urgency=medium
+
+  * Exclude quilt managed directory .pc/ from phpab in debian/rules
+  * Explicitly specify RELEASE: bookworm in d/gitlab-ci.yml
+  * Fix CVE-2024-22640: ReDoS (Regular Expression Denial of Service) if
+    parsing an untrusted HTML page with a crafted color
+  * Fix CVE-2024-22641: ReDoS (Regular Expression Denial of Service) if
+    parsing an untrusted SVG file (Closes: #1072528)
+  * Fix CVE-2024-32489: tcpdf mishandles calls that use HTML syntax
+  * Fix CVE-2024-51058: Local File Inclusion (LFI) vulnerability through <img>
+    src tag (Closes: #1088332)
+  * Fix CVE-2024-56519: setSVGStyles does not sanitize the SVG font-family
+    attribute (Closes: #1091685)
+  * Fix CVE-2024-56520: tcpdf, throught its use of tc-lib-pdf-font, mishandles
+    fonts like FontBBox for Type 1 and misparses TrueType fonts
+    (Closes: #1091686)
+  * Fix CVE-2024-56522: unserializeTCPDFtag doesn't make use of constant-time
+    function to compare TCPDF tag hashes (Closes: #1091688)
+  * Fix CVE-2024-56527: the Error function lacks an htmlspecialchars call for
+    the error message (Closes: #1091689)
+
+ -- Santiago Ruano Rincón <[email protected]>  Mon, 19 May 2025 23:47:41 
-0300
+
 tcpdf (6.6.2+dfsg1-1) unstable; urgency=medium
 
   * New upstream version 6.6.2+dfsg1
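
Review bot: typo in the CVE-2024-56520 changelog entry: "throught" should be "through". Also, the debdiff as quoted in this mail has been line-wrapped by the mail client (the changelog trailer's "-0300" timezone, for instance, lands on its own line), so it will not apply from the message body; reviewers should take the patches from the salsa branch linked above.
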
diff -Nru tcpdf-6.6.2+dfsg1/debian/gitlab-ci.yml 
tcpdf-6.6.2+dfsg1/debian/gitlab-ci.yml
--- tcpdf-6.6.2+dfsg1/debian/gitlab-ci.yml      2022-12-23 17:14:51.000000000 
-0300
+++ tcpdf-6.6.2+dfsg1/debian/gitlab-ci.yml      2025-05-15 22:49:47.000000000 
-0300
@@ -4,3 +4,4 @@
 
 variables:
     SALSA_CI_REPROTEST_ARGS: '--print-sudoers 
--vary=user_group.available+=root:root 
--vary=user_group.available+=www-data:www-data --vary=domain_host.use_sudo=1'
+    RELEASE: bookworm
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/0001-fix-CSV-2024-22640-712.patch 
tcpdf-6.6.2+dfsg1/debian/patches/0001-fix-CSV-2024-22640-712.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/0001-fix-CSV-2024-22640-712.patch  
1969-12-31 21:00:00.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/patches/0001-fix-CSV-2024-22640-712.patch  
2025-05-15 22:49:47.000000000 -0300
@@ -0,0 +1,29 @@
+From 05f3a28f4a7905019469e040cf77e53d6aa7f679 Mon Sep 17 00:00:00 2001
+From: Josh <[email protected]>
+Date: Sun, 21 Apr 2024 05:03:05 +1200
+Subject: [PATCH] fix: CSV-2024-22640 (#712)
+
+Add possessive quantifiers to the regex to prevent catastrophic backtracking.
+
+Bug: https://github.com/zunak/CVE-2024-22640
+Origin: upstream, 
https://github.com/tecnickcom/TCPDF/commit/05f3a28f4a7905019469e040cf77e53d6aa7f679
+---
+ include/tcpdf_colors.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/tcpdf_colors.php b/include/tcpdf_colors.php
+index 7f337f3..5a51594 100644
+--- a/include/tcpdf_colors.php
++++ b/include/tcpdf_colors.php
+@@ -275,7 +275,7 @@ class TCPDF_COLORS {
+               $color = strtolower($color);
+               // check for javascript color array syntax
+               if (strpos($color, '[') !== false) {
+-                      if 
(preg_match('/[\[][\"\'](t|g|rgb|cmyk)[\"\'][\,]?([0-9\.]*)[\,]?([0-9\.]*)[\,]?([0-9\.]*)[\,]?([0-9\.]*)[\]]/',
 $color, $m) > 0) {
++                      if 
(preg_match('/[\[][\"\'](t|g|rgb|cmyk)[\"\'][\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\]]/',
 $color, $m) > 0) {
+                               $returncolor = array();
+                               switch ($m[1]) {
+                                       case 'cmyk': {
+-- 
+2.39.5
+
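
Review bot: the patch file name and its Subject keep upstream's "CSV-2024-22640" typo; renaming the file to 0001-fix-CVE-2024-22640-712.patch and adding a Bug-Debian-Security: line (as CVE-2024-32489.patch does) would make the id greppable under debian/patches. The regex change itself is semantics-preserving: each new possessive group '([0-9\.]*+)' is followed by '[\,]?' or '[\]]', neither of which overlaps with digits and dots, so exactly the same inputs match as before and only the backtracking is removed, which is what makes the example files a sufficient regression test here.
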
diff -Nru 
tcpdf-6.6.2+dfsg1/debian/patches/0001-Update-regexp-to-fix-CVE-2024-22641.patch 
tcpdf-6.6.2+dfsg1/debian/patches/0001-Update-regexp-to-fix-CVE-2024-22641.patch
--- 
tcpdf-6.6.2+dfsg1/debian/patches/0001-Update-regexp-to-fix-CVE-2024-22641.patch 
    1969-12-31 21:00:00.000000000 -0300
+++ 
tcpdf-6.6.2+dfsg1/debian/patches/0001-Update-regexp-to-fix-CVE-2024-22641.patch 
    2025-05-15 22:50:03.000000000 -0300
@@ -0,0 +1,25 @@
+From 17fe9597fb31d3d08c0f02a03338928ab8bcf0b5 Mon Sep 17 00:00:00 2001
+From: nicolaasuni <[email protected]>
+Date: Sat, 26 Oct 2024 13:08:26 +0100
+Subject: [PATCH] Update regexp to fix CVE-2024-22641
+
+Bug-Debian: https://bugs.debian.org/1072528
+Origin: backport, 
https://github.com/tecnickcom/TCPDF/commit/17fe9597fb31d3d08c0f02a03338928ab8bcf0b5
+
+---
+ tcpdf.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+Index: tcpdf/tcpdf.php
+===================================================================
+--- tcpdf.orig/tcpdf.php
++++ tcpdf/tcpdf.php
+@@ -23284,7 +23284,7 @@ Putting 1 is equivalent to putting 0 and
+               $text_color = 
TCPDF_COLORS::convertHTMLColorToDec($svgstyle['text-color'], 
$this->spot_colors);
+               $this->setTextColorArray($text_color);
+               // clip
+-              if 
(preg_match('/rect\(([a-z0-9\-\.]*)[\s]*([a-z0-9\-\.]*)[\s]*([a-z0-9\-\.]*)[\s]*([a-z0-9\-\.]*)\)/si',
 $svgstyle['clip'], $regs)) {
++              if 
(preg_match('/rect\(([a-z0-9\-\.]*+)[\s]*+([a-z0-9\-\.]*+)[\s]*+([a-z0-9\-\.]*+)[\s]*+([a-z0-9\-\.]*+)\)/si',
 $svgstyle['clip'], $regs)) {
+                       $top = 
(isset($regs[1])?$this->getHTMLUnitToUnits($regs[1], 0, $this->svgunit, 
false):0);
+                       $right = 
(isset($regs[2])?$this->getHTMLUnitToUnits($regs[2], 0, $this->svgunit, 
false):0);
+                       $bottom = 
(isset($regs[3])?$this->getHTMLUnitToUnits($regs[3], 0, $this->svgunit, 
false):0);
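
Review bot: this header carries Bug-Debian but no Bug-Debian-Security line, unlike CVE-2024-32489.patch; add it for consistency. As with the colour regex, the change is semantics-preserving: in 'rect\(([a-z0-9\-\.]*+)[\s]*+([a-z0-9\-\.]*+)...' every possessive group is followed by '[\s]' or the closing '\)', both disjoint from the group's character class, so no previously valid clip() value is rejected and only the catastrophic backtracking goes away.
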
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-32489.patch 
tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-32489.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-32489.patch       1969-12-31 
21:00:00.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-32489.patch       2025-05-18 
23:25:29.000000000 -0300
@@ -0,0 +1,255 @@
+Description: Fix for CVE-2024-32489: mishandled calls that use HTML
+ This patch is extracted from upstream commit 82fc97b "Squash multiple fixes",
+ by nicolaasuni <[email protected]>, taking only changes relevant to
+ CVE-2024-32489.
+Origin: backport, 
https://github.com/tecnickcom/TCPDF/commit/82fc97bf1c74c8dbe62b1d3cc6d10fa4b87e0262
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-32489
+Author: Santiago Ruano Rincón <[email protected]>
+
+Index: tcpdf/tcpdf.php
+===================================================================
+--- tcpdf.orig/tcpdf.php
++++ tcpdf/tcpdf.php
+@@ -836,6 +836,13 @@ class TCPDF {
+        */
+       protected $file_id;
+ 
++      /**
++       * Internal secret used to encrypt data.
++       * @protected
++       * @since 6.7.4 (2024-03-21)
++       */
++      protected $hash_key;
++
+       // --- bookmark ---
+ 
+       /**
+@@ -1878,6 +1885,7 @@ class TCPDF {
+               // set file ID for trailer
+               $serformat = (is_array($format) ? json_encode($format) : 
$format);
+               $this->file_id = 
md5(TCPDF_STATIC::getRandomSeed('TCPDF'.$orientation.$unit.$serformat.$encoding));
++              $this->hash_key = hash_hmac('sha256', 
TCPDF_STATIC::getRandomSeed($this->file_id), 
TCPDF_STATIC::getRandomSeed('TCPDF'), false);
+               $this->font_obj_ids = array();
+               $this->page_obj_id = array();
+               $this->form_obj_id = array();
+@@ -17194,42 +17202,60 @@ class TCPDF {
+       }
+ 
+       /**
+-       * Return an hash code used to ensure that the serialized data has been 
generated by this TCPDF instance.
+-       * @param string $data serialized data
+-       * @return string
+-       * @public static
++       * Calculates the hash value of the given data.
++       *
++       * @param string $data The data to be hashed.
++       * @return string The hashed value of the data.
+        */
+-      protected function getHashForTCPDFtagParams($data) {
+-              return md5(strlen($data).$this->file_id.$data);
++      protected function hashTCPDFtag($data) {
++              return hash_hmac('sha256', $data, $this->hash_key, false);
+       }
+ 
+       /**
+-       * Serialize an array of parameters to be used with TCPDF tag in HTML 
code.
+-       * @param array $data parameters array
+-       * @return string containing serialized data
++       * Serialize data to be used with TCPDF tag in HTML code.
++       * @param string $method TCPDF method name
++       * @param array $params Method parameters
++       * @return string Serialized data
+        * @public static
+        */
+-      public function serializeTCPDFtagParameters($data) {
++      public function serializeTCPDFtag($method, $params=array()) {
++              $data = array('m' => $method, 'p' => $params);
+               $encoded = urlencode(json_encode($data));
+-              return $this->getHashForTCPDFtagParams($encoded).$encoded;
++              $hash = $this->hashTCPDFtag($encoded);
++              return strlen($hash).'+'.$hash.'+'.$encoded;
+       }
+ 
+       /**
+-       * Unserialize parameters to be used with TCPDF tag in HTML code.
++       * Unserialize data to be used with TCPDF tag in HTML code.
+        * @param string $data serialized data
+        * @return array containing unserialized data
+        * @protected static
+        */
+-      protected function unserializeTCPDFtagParameters($data) {
+-              $hash = substr($data, 0, 32);
+-              $encoded = substr($data, 32);
+-              if ($hash != $this->getHashForTCPDFtagParams($encoded)) {
++      protected function unserializeTCPDFtag($data) {
++              $hpos = strpos($data, '+');
++              $hlen = intval(substr($data, 0, $hpos));
++              $hash = substr($data, $hpos + 1, $hlen);
++              $encoded = substr($data, $hpos + 2 + $hlen);
++              if ($hash != $this->hashTCPDFtag($encoded)) {
+                       $this->Error('Invalid parameters');
+               }
+               return json_decode(urldecode($encoded), true);
+       }
+ 
+       /**
++       * Check if a TCPDF tag is allowed
++       * @param string $method TCPDF method name
++       * @return boolean
++       * @protected
++       */
++      protected function allowedTCPDFtag($method) {
++              if (defined('K_ALLOWED_TCPDF_TAGS')) {
++                      return (strpos(K_ALLOWED_TCPDF_TAGS, '|'.$method.'|') 
!== false);
++              }
++              return false;
++      }
++
++      /**
+        * Prints a cell (rectangular area) with optional borders, background 
color and html text string.
+        * The upper-left corner of the cell corresponds to the current 
position. After the call, the current position moves to the right or to the 
next line.<br />
+        * If automatic page breaking is enabled and the cell goes beyond the 
limit, a page break is done before outputting.
+@@ -19504,17 +19530,14 @@ Putting 1 is equivalent to putting 0 and
+                       case 'tcpdf': {
+                               if (defined('K_TCPDF_CALLS_IN_HTML') AND 
(K_TCPDF_CALLS_IN_HTML === true)) {
+                                       // Special tag used to call TCPDF 
methods
+-                                      if (isset($tag['attribute']['method'])) 
{
+-                                              $tcpdf_method = 
$tag['attribute']['method'];
+-                                              if (method_exists($this, 
$tcpdf_method)) {
+-                                                      if 
(isset($tag['attribute']['params']) AND (!empty($tag['attribute']['params']))) {
+-                                                              $params = 
$this->unserializeTCPDFtagParameters($tag['attribute']['params']);
+-                                                              
call_user_func_array(array($this, $tcpdf_method), $params);
+-                                                      } else {
+-                                                              
$this->$tcpdf_method();
+-                                                      }
+-                                                      $this->newline = true;
++                                      // This tag is disabled by default by 
the K_TCPDF_CALLS_IN_HTML constant on TCPDF configuration file.
++                                      // Please use this feature only if you 
are in control of the HTML content and you are sure that it does not contain 
any harmful code.
++                                      if (!empty($tag['attribute']['data'])) {
++                                              $tcpdf_tag_data = 
$this->unserializeTCPDFtag($tag['attribute']['data']);
++                                              if 
($this->allowedTCPDFtag($tcpdf_tag_data['m'])) {
++                                                      
call_user_func_array(array($this, $tcpdf_tag_data['m']), $tcpdf_tag_data['p']);
+                                               }
++                                              $this->newline = true;
+                                       }
+                               }
+                               break;
+Index: tcpdf/config/tcpdf_config.php
+===================================================================
+--- tcpdf.orig/config/tcpdf_config.php
++++ tcpdf/config/tcpdf_config.php
+@@ -213,6 +213,14 @@ define('K_THAI_TOPCHARS', true);
+ define('K_TCPDF_CALLS_IN_HTML', false);
+ 
+ /**
++ * List of TCPDF methods that are allowed to be called using HTML syntax.
++ * Note: each method name must end with surrounded with | (pipe) character.
++ * The constant K_TCPDF_CALLS_IN_HTML must be set to true.
++ * IMPORTANT: For security reason, disable this feature if you are allowing 
user HTML content.
++ */
++define('K_ALLOWED_TCPDF_TAGS', '');
++
++/**
+  * If true and PHP version is greater than 5, then the Error() method throw 
new exception instead of terminating the execution.
+  */
+ define('K_TCPDF_THROW_EXCEPTION_ERROR', false);
+Index: tcpdf/examples/example_049.php
+===================================================================
+--- tcpdf.orig/examples/example_049.php
++++ tcpdf/examples/example_049.php
+@@ -2,7 +2,7 @@
+ //============================================================+
+ // File name   : example_049.php
+ // Begin       : 2009-04-03
+-// Last Update : 2014-12-10
++// Last Update : 2024-03-18
+ //
+ // Description : Example 049 for TCPDF class
+ //               WriteHTML with TCPDF callback functions
+@@ -78,11 +78,11 @@ $pdf->AddPage();
+ /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+ 
+ IMPORTANT:
+-If you are printing user-generated content, tcpdf tag can be unsafe.
+-You can disable this tag by setting to false the K_TCPDF_CALLS_IN_HTML
+-constant on TCPDF configuration file.
++If you are printing user-generated content, the tcpdf tag should be 
considered unsafe.
++This tag is disabled by default by the K_TCPDF_CALLS_IN_HTML constant on 
TCPDF configuration file.
++Please use this feature only if you are in control of the HTML content and 
you are sure that it does not contain any harmful code.
+ 
+-For security reasons, the parameters for the 'params' attribute of TCPDF
++For security reasons, the parameters for the 'params' attribute of TCPDF 
+ tag must be prepared as an array and encoded with the
+ serializeTCPDFtagParameters() method (see the example below).
+ 
+@@ -91,23 +91,25 @@ serializeTCPDFtagParameters() method (se
+ 
+ $html = '<h1>Test TCPDF Methods in HTML</h1>
+ <h2 style="color:red;">IMPORTANT:</h2>
+-<span style="color:red;">If you are using user-generated content, the tcpdf 
tag can be unsafe.<br />
+-You can disable this tag by setting to false the <b>K_TCPDF_CALLS_IN_HTML</b> 
constant on TCPDF configuration file.</span>
++<span style="color:red;">If you are using user-generated content, the tcpdf 
tag should be considered unsafe.<br />
++Please use this feature only if you are in control of the HTML content and 
you are sure that it does not contain any harmful code.<br />
++This feature is disabled by default by the <b>K_TCPDF_CALLS_IN_HTML</b> 
constant on TCPDF configuration file.</span>
+ <h2>write1DBarcode method in HTML</h2>';
+ 
+-$params = $pdf->serializeTCPDFtagParameters(array('CODE 39', 'C39', '', '', 
80, 30, 0.4, array('position'=>'S', 'border'=>true, 'padding'=>4, 
'fgcolor'=>array(0,0,0), 'bgcolor'=>array(255,255,255), 'text'=>true, 
'font'=>'helvetica', 'fontsize'=>8, 'stretchtext'=>4), 'N'));
+-$html .= '<tcpdf method="write1DBarcode" params="'.$params.'" />';
++$data = $pdf->serializeTCPDFtag('write1DBarcode', array('CODE 39', 'C39', '', 
'', 80, 30, 0.4, array('position'=>'S', 'border'=>true, 'padding'=>4, 
'fgcolor'=>array(0,0,0), 'bgcolor'=>array(255,255,255), 'text'=>true, 
'font'=>'helvetica', 'fontsize'=>8, 'stretchtext'=>4), 'N'));
++$html .= '<tcpdf data="'.$data.'" />';
+ 
+-$params = $pdf->serializeTCPDFtagParameters(array('CODE 128', 'C128', '', '', 
80, 30, 0.4, array('position'=>'S', 'border'=>true, 'padding'=>4, 
'fgcolor'=>array(0,0,0), 'bgcolor'=>array(255,255,255), 'text'=>true, 
'font'=>'helvetica', 'fontsize'=>8, 'stretchtext'=>4), 'N'));
+-$html .= '<tcpdf method="write1DBarcode" params="'.$params.'" />';
++$data = $pdf->serializeTCPDFtag('write1DBarcode', array('CODE 128', 'C128', 
'', '', 80, 30, 0.4, array('position'=>'S', 'border'=>true, 'padding'=>4, 
'fgcolor'=>array(0,0,0), 'bgcolor'=>array(255,255,255), 'text'=>true, 
'font'=>'helvetica', 'fontsize'=>8, 'stretchtext'=>4), 'N'));
++$html .= '<tcpdf data="'.$data.'" />';
+ 
+-$html .= '<tcpdf method="AddPage" /><h2>Graphic Functions</h2>';
++$data = $pdf->serializeTCPDFtag('AddPage');
++$html .= '<tcpdf data="'.$data.'" /><h2>Graphic Functions</h2>';
+ 
+-$params = $pdf->serializeTCPDFtagParameters(array(0));
+-$html .= '<tcpdf method="SetDrawColor" params="'.$params.'" />';
++$data = $pdf->serializeTCPDFtag('SetDrawColor', array(0));
++$html .= '<tcpdf data="'.$data.'" />';
+ 
+-$params = $pdf->serializeTCPDFtagParameters(array(50, 50, 40, 10, 'DF', 
array(), array(0,128,255)));
+-$html .= '<tcpdf method="Rect" params="'.$params.'" />';
++$data = $pdf->serializeTCPDFtag('Rect', array(50, 50, 40, 10, 'DF', array(), 
array(0,128,255)));
++$html .= '<tcpdf data="'.$data.'" />';
+ 
+ 
+ // output the HTML content
+Index: tcpdf/tcpdf_autoconfig.php
+===================================================================
+--- tcpdf.orig/tcpdf_autoconfig.php
++++ tcpdf/tcpdf_autoconfig.php
+@@ -228,6 +228,10 @@ if (!defined('K_TCPDF_CALLS_IN_HTML')) {
+       define('K_TCPDF_CALLS_IN_HTML', false);
+ }
+ 
++if (!defined('K_ALLOWED_TCPDF_TAGS')) {
++      define('K_ALLOWED_TCPDF_TAGS', '');
++}
++
+ if (!defined('K_TCPDF_THROW_EXCEPTION_ERROR')) {
+       define('K_TCPDF_THROW_EXCEPTION_ERROR', false);
+ }
+Index: tcpdf/examples/config/tcpdf_config_alt.php
+===================================================================
+--- tcpdf.orig/examples/config/tcpdf_config_alt.php
++++ tcpdf/examples/config/tcpdf_config_alt.php
+@@ -213,6 +213,14 @@ define('K_THAI_TOPCHARS', true);
+ define('K_TCPDF_CALLS_IN_HTML', true);
+ 
+ /**
++ * List of TCPDF methods that are allowed to be called using HTML syntax.
++ * Note: each method name must end with surrounded with | (pipe) character.
++ * The constant K_TCPDF_CALLS_IN_HTML must be set to true.
++ * IMPORTANT: For security reason, disable this feature if you are allowing 
user HTML content.
++ */
++define('K_ALLOWED_TCPDF_TAGS', '|AddPage|Rect|SetDrawColor|write1DBarcode|');
++
++/**
+  * If true and PHP version is greater than 5, then the Error() method throw 
new exception instead of terminating the execution.
+  */
+ define('K_TCPDF_THROW_EXCEPTION_ERROR', false);
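
Review bot: in unserializeTCPDFtag the check 'if ($hash != $this->hashTCPDFtag($encoded))' compares the received and recomputed HMAC with PHP's loose '!=', which is neither constant-time nor strict (two numeric-looking strings are compared as numbers); this is the defect the changelog's CVE-2024-56522 entry describes, so confirm that the CVE-2024-56522 patch later in the series replaces this line with hash_equals() on the new function rather than on the removed getHashForTCPDFtagParams(). Secondary: the example_049.php comment block still tells users to prepare a 'params' attribute with serializeTCPDFtagParameters(), while the code below it now builds a 'data' attribute with serializeTCPDFtag(); the '-'/'+' pair for that comment line changes only trailing whitespace, so the text is stale and should be updated in the same patch.
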
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-51058.patch 
tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-51058.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-51058.patch       1969-12-31 
21:00:00.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-51058.patch       2025-05-19 
23:34:21.000000000 -0300
@@ -0,0 +1,91 @@
+From bfa7d2b6d455ebf72ebe3d48fbd487ee5a1f6f3b Mon Sep 17 00:00:00 2001
+From: nicolaasuni <[email protected]>
+Date: Sun, 6 Oct 2024 11:38:38 +0100
+Subject: [PATCH] Forbid access to parent folder in HTML images
+
+Bug-Debian: https://bugs.debian.org/1088332
+Origin: backport, 
https://github.com/tecnickcom/TCPDF/commit/bfa7d2b6d455ebf72ebe3d48fbd487ee5a1f6f3b
+---
+ CHANGELOG.TXT            |  3 +++
+ VERSION                  |  2 +-
+ composer.json            |  2 +-
+ include/tcpdf_static.php |  2 +-
+ tcpdf.php                | 53 +++++++++++++++++++++-------------------
+ 5 files changed, 34 insertions(+), 28 deletions(-)
+
+Index: tcpdf/tcpdf.php
+===================================================================
+--- tcpdf.orig/tcpdf.php
++++ tcpdf/tcpdf.php
+@@ -18969,29 +18969,29 @@ class TCPDF {
+                               $this->setLineWidth($hrHeight);
+ 
+                               $lineStyle = array();
+-                              if (isset($tag['fgcolor'])) {
+-                                      $lineStyle['color'] = $tag['fgcolor'];
+-                              }
+-
+-                              if (isset($tag['fgcolor'])) {
+-                                      $lineStyle['color'] = $tag['fgcolor'];
+-                              }
+-
+-                              if (isset($tag['style']['cap'])) {
+-                                      $lineStyle['cap'] = 
$tag['style']['cap'];
+-                              }
+-
+-                              if (isset($tag['style']['join'])) {
+-                                      $lineStyle['join'] = 
$tag['style']['join'];
+-                              }
+-
+-                              if (isset($tag['style']['dash'])) {
+-                                      $lineStyle['dash'] = 
$tag['style']['dash'];
+-                              }
+-
+-                              if (isset($tag['style']['phase'])) {
+-                                      $lineStyle['phase'] = 
$tag['style']['phase'];
+-                              }
++                              if (isset($tag['fgcolor'])) {
++                                      $lineStyle['color'] = $tag['fgcolor'];
++                              }
++
++                              if (isset($tag['fgcolor'])) {
++                                      $lineStyle['color'] = $tag['fgcolor'];
++                              }
++
++                              if (isset($tag['style']['cap'])) {
++                                      $lineStyle['cap'] = 
$tag['style']['cap'];
++                              }
++
++                              if (isset($tag['style']['join'])) {
++                                      $lineStyle['join'] = 
$tag['style']['join'];
++                              }
++
++                              if (isset($tag['style']['dash'])) {
++                                      $lineStyle['dash'] = 
$tag['style']['dash'];
++                              }
++
++                              if (isset($tag['style']['phase'])) {
++                                      $lineStyle['phase'] = 
$tag['style']['phase'];
++                              }
+ 
+                               $lineStyle = array_filter($lineStyle);
+ 
+@@ -19018,11 +19018,14 @@ class TCPDF {
+                               } else if 
(preg_match('@^data:image/([^;]*);base64,(.*)@', $imgsrc, $reg)) {
+                                       $imgsrc = '@'.base64_decode($reg[2]);
+                                       $type = $reg[1];
++                              } elseif (str_contains($imgsrc, '../')) {
++                                      // accessing parent folders is not 
allowed
++                                      break;
+                               } elseif ( $this->allowLocalFiles && 
substr($imgsrc, 0, 7) === 'file://') {
+-                    // get image type from a local file path
+-                    $imgsrc = substr($imgsrc, 7);
+-                    $type = TCPDF_IMAGES::getImageFileType($imgsrc);
+-                } else {
++                                      // get image type from a local file path
++                                      $imgsrc = substr($imgsrc, 7);
++                                      $type = 
TCPDF_IMAGES::getImageFileType($imgsrc);
++                              } else {
+                                       if (($imgsrc[0] === '/') AND 
!empty($_SERVER['DOCUMENT_ROOT']) AND ($_SERVER['DOCUMENT_ROOT'] != '/')) {
+                                               // fix image path
+                                               $findroot = strpos($imgsrc, 
$_SERVER['DOCUMENT_ROOT']);
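
Review bot: the first hunk (the $lineStyle block at tcpdf.php @@ -18969,29 +18969,29 @@) is a pure re-indentation with no behavioural change and is unrelated to CVE-2024-51058; dropping it keeps the security backport minimal, and the diffstat in the header (CHANGELOG.TXT, VERSION, composer.json, include/tcpdf_static.php) should then be trimmed to what the backport actually touches, which is tcpdf.php only. On the fix itself, str_contains() requires PHP 8.0 or later; bookworm ships PHP 8.2 so this is fine, but it is worth a line in the header for anyone rebasing the patch onto an older branch.
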
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56519.patch 
tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56519.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56519.patch       1969-12-31 
21:00:00.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56519.patch       2025-05-19 
23:34:58.000000000 -0300
@@ -0,0 +1,26 @@
+From c9f41cbb84880bdb4fc3e0a9d287214d1ac4d7f4 Mon Sep 17 00:00:00 2001
+From: nicolaasuni <[email protected]>
+Date: Mon, 23 Dec 2024 12:55:00 +0000
+Subject: [PATCH] Sanitize font-family attribute.
+
+Bug-Debian: https://bugs.debian.org/1091685
+---
+ tcpdf.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tcpdf.php b/tcpdf.php
+index 7afe65b..e364c3b 100644
+--- a/tcpdf.php
++++ b/tcpdf.php
+@@ -23486,7 +23486,7 @@ class TCPDF {
+                       if (preg_match('/font-family[\s]*:[\s]*([^\;\"]*)/si', 
$svgstyle['font'], $regs)) {
+                               $font_family = 
$this->getFontFamilyName($regs[1]);
+                       } else {
+-                              $font_family = $svgstyle['font-family'];
++                              $font_family = 
$this->getFontFamilyName($svgstyle['font-family']);
+                       }
+                       if (preg_match('/font-size[\s]*:[\s]*([^\s\;\"]*)/si', 
$svgstyle['font'], $regs)) {
+                               $font_size = trim($regs[1]);
+-- 
+2.39.5
+
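
Review bot: the header has no Origin: line, unlike the other patches in the series, although the From: line carries the upstream commit sha c9f41cbb84880bdb4fc3e0a9d287214d1ac4d7f4; add 'Origin: upstream' with the corresponding TCPDF commit URL for DEP-3 consistency. The change itself is the right shape: the explicit font-family attribute now goes through getFontFamilyName() exactly as the font shorthand branch above it already did.
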
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56520.patch 
tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56520.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56520.patch       1969-12-31 
21:00:00.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56520.patch       2025-05-19 
23:35:44.000000000 -0300
@@ -0,0 +1,129 @@
+From a0a02efe487cc39bd5223359e916dbeafb5cd6fe Mon Sep 17 00:00:00 2001
+From: nicolaasuni <[email protected]>
+Date: Mon, 23 Dec 2024 12:43:22 +0000
+Subject: [PATCH] Add some addTTFfont fixes from tc-lib-pdf-font
+
+Bug-Debian: https://bugs.debian.org/1091686
+Origin: backport, 
https://github.com/tecnickcom/TCPDF/commit/a0a02efe487cc39bd5223359e916dbeafb5cd6fe
+---
+ CHANGELOG.TXT           |  1 +
+ include/tcpdf_fonts.php | 43 +++++++++++++++++++++--------------------
+ 2 files changed, 23 insertions(+), 21 deletions(-)
+
+Index: tcpdf/include/tcpdf_fonts.php
+===================================================================
+--- tcpdf.orig/include/tcpdf_fonts.php
++++ tcpdf/include/tcpdf_fonts.php
+@@ -1,13 +1,13 @@
+ <?php
+ //============================================================+
+ // File name   : tcpdf_fonts.php
+-// Version     : 1.1.0
++// Version     : 1.1.1
+ // Begin       : 2008-01-01
+-// Last Update : 2014-12-10
++// Last Update : 2024-12-23
+ // Author      : Nicola Asuni - Tecnick.com LTD - www.tecnick.com - 
[email protected]
+ // License     : GNU-LGPL v3 (http://www.gnu.org/copyleft/lesser.html)
+ // -------------------------------------------------------------------
+-// Copyright (C) 2008-2014 Nicola Asuni - Tecnick.com LTD
++// Copyright (C) 2008-2024 Nicola Asuni - Tecnick.com LTD
+ //
+ // This file is part of TCPDF software library.
+ //
+@@ -42,7 +42,7 @@
+  * @class TCPDF_FONTS
+  * Font methods for TCPDF library.
+  * @package com.tecnick.tcpdf
+- * @version 1.1.0
++ * @version 1.1.1
+  * @author Nicola Asuni - [email protected]
+  */
+ class TCPDF_FONTS {
+@@ -191,29 +191,30 @@ class TCPDF_FONTS {
+                       fclose($fp);
+                       // get font info
+                       $fmetric['Flags'] = $flags;
+-                      preg_match ('#/FullName[\s]*\(([^\)]*)#', $font, 
$matches);
++                      preg_match ('#/FullName[\s]*+\(([^\)]*+)#', $font, 
$matches);
+                       $fmetric['name'] = preg_replace('/[^a-zA-Z0-9_\-]/', 
'', $matches[1]);
+-                      preg_match('#/FontBBox[\s]*{([^}]*)#', $font, $matches);
+-                      $fmetric['bbox'] = trim($matches[1]);
+-                      $bv = explode(' ', $fmetric['bbox']);
+-                      $fmetric['Ascent'] = intval($bv[3]);
+-                      $fmetric['Descent'] = intval($bv[1]);
+-                      preg_match('#/ItalicAngle[\s]*([0-9\+\-]*)#', $font, 
$matches);
++                      preg_match('#/FontBBox[\s]*+{([^}]*+)#', $font, 
$matches);
++                      $rawbvl = explode(' ', trim($matches[1]));
++                      $bvl = [(int) $rawbvl[0], (int) $rawbvl[1], (int) 
$rawbvl[2], (int) $rawbvl[3]];
++                      $fmetric['bbox'] = implode(' ', $bvl);
++                      $fmetric['Ascent'] = $bvl[3];
++                      $fmetric['Descent'] = $bvl[1];
++                      preg_match('#/ItalicAngle[\s]*+([0-9\+\-]*+)#', $font, 
$matches);
+                       $fmetric['italicAngle'] = intval($matches[1]);
+                       if ($fmetric['italicAngle'] != 0) {
+                               $fmetric['Flags'] |= 64;
+                       }
+-                      preg_match('#/UnderlinePosition[\s]*([0-9\+\-]*)#', 
$font, $matches);
++                      preg_match('#/UnderlinePosition[\s]*+([0-9\+\-]*+)#', 
$font, $matches);
+                       $fmetric['underlinePosition'] = intval($matches[1]);
+-                      preg_match('#/UnderlineThickness[\s]*([0-9\+\-]*)#', 
$font, $matches);
++                      preg_match('#/UnderlineThickness[\s]*+([0-9\+\-]*+)#', 
$font, $matches);
+                       $fmetric['underlineThickness'] = intval($matches[1]);
+-                      preg_match('#/isFixedPitch[\s]*([^\s]*)#', $font, 
$matches);
++                      preg_match('#/isFixedPitch[\s]*+([^\s]*+)#', $font, 
$matches);
+                       if ($matches[1] == 'true') {
+                               $fmetric['Flags'] |= 1;
+                       }
+                       // get internal map
+                       $imap = array();
+-                      if 
(preg_match_all('#dup[\s]([0-9]+)[\s]*/([^\s]*)[\s]put#sU', $font, $fmap, 
PREG_SET_ORDER) > 0) {
++                      if 
(preg_match_all('#dup[\s]([0-9]+)[\s]*+/([^\s]*+)[\s]put#sU', $font, $fmap, 
PREG_SET_ORDER) > 0) {
+                               foreach ($fmap as $v) {
+                                       $imap[$v[2]] = $v[1];
+                               }
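Review bot: the `/FullName`, `/FontBBox`, `/ItalicAngle`, `/UnderlinePosition`, `/UnderlineThickness` and `/isFixedPitch` calls in this hunk still read `$matches[1]` without checking what `preg_match()` returned, and the new `$rawbvl` block indexes `$rawbvl[1]` to `$rawbvl[3]` without checking that `explode()` produced at least four elements, so a Type 1 font with a short or missing `/FontBBox` still produces undefined-index warnings instead of a controlled failure. The `(int)` casts and the rebuilt `$fmetric['bbox']` are a good addition, since only integers now reach the PDF, but a `count($rawbvl) >= 4` check (falling back to zeros or aborting) would close the remaining gap. The possessive `*+` quantifiers are the actual ReDoS mitigation here and are applied consistently across the hunk.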
+@@ -229,22 +230,22 @@ class TCPDF_FONTS {
+                               $eplain .= chr($chr ^ ($r >> 8));
+                               $r = ((($chr + $r) * $c1 + $c2) % 65536);
+                       }
+-                      if (preg_match('#/ForceBold[\s]*([^\s]*)#', $eplain, 
$matches) > 0) {
++                      if (preg_match('#/ForceBold[\s]*+([^\s]*+)#', $eplain, 
$matches) > 0) {
+                               if ($matches[1] == 'true') {
+                                       $fmetric['Flags'] |= 0x40000;
+                               }
+                       }
+-                      if (preg_match('#/StdVW[\s]*\[([^\]]*)#', $eplain, 
$matches) > 0) {
++                      if (preg_match('#/StdVW[\s]*+\[([^\]]*+)#', $eplain, 
$matches) > 0) {
+                               $fmetric['StemV'] = intval($matches[1]);
+                       } else {
+                               $fmetric['StemV'] = 70;
+                       }
+-                      if (preg_match('#/StdHW[\s]*\[([^\]]*)#', $eplain, 
$matches) > 0) {
++                      if (preg_match('#/StdHW[\s]*+\[([^\]]*+)#', $eplain, 
$matches) > 0) {
+                               $fmetric['StemH'] = intval($matches[1]);
+                       } else {
+                               $fmetric['StemH'] = 30;
+                       }
+-                      if (preg_match('#/BlueValues[\s]*\[([^\]]*)#', $eplain, 
$matches) > 0) {
++                      if (preg_match('#/BlueValues[\s]*+\[([^\]]*+)#', 
$eplain, $matches) > 0) {
+                               $bv = explode(' ', $matches[1]);
+                               if (count($bv) >= 6) {
+                                       $v1 = intval($bv[2]);
+@@ -265,7 +266,7 @@ class TCPDF_FONTS {
+                               $fmetric['CapHeight'] = 700;
+                       }
+                       // get the number of random bytes at the beginning of 
charstrings
+-                      if (preg_match('#/lenIV[\s]*([0-9]*)#', $eplain, 
$matches) > 0) {
++                      if (preg_match('#/lenIV[\s]*+([\d]*+)#', $eplain, 
$matches) > 0) {
+                               $lenIV = intval($matches[1]);
+                       } else {
+                               $lenIV = 4;
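Review bot: `[\d]*+` replaces `[0-9]*+` only in this `/lenIV` pattern while every other hunk keeps `[0-9]`; without the `u` modifier the two classes match the same bytes, so this is a style point, but keeping `[0-9]*+` (and dropping the redundant brackets around `\d` if it stays) would make the backport easier to diff against the other patterns.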
+@@ -273,7 +274,7 @@ class TCPDF_FONTS {
+                       $fmetric['Leading'] = 0;
+                       // get charstring data
+                       $eplain = substr($eplain, (strpos($eplain, 
'/CharStrings') + 1));
+-                      
preg_match_all('#/([A-Za-z0-9\.]*)[\s][0-9]+[\s]RD[\s](.*)[\s]ND#sU', $eplain, 
$matches, PREG_SET_ORDER);
++                      
preg_match_all('#/([A-Za-z0-9\.]*+)[\s][0-9]+[\s]RD[\s](.*)[\s]ND#sU', $eplain, 
$matches, PREG_SET_ORDER);
+                       if (!empty($enc) AND 
isset(TCPDF_FONT_DATA::$encmap[$enc])) {
+                               $enc_map = TCPDF_FONT_DATA::$encmap[$enc];
+                       } else {
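Review bot: `(.*)` in the `/CharStrings` pattern is the one quantifier this patch intentionally leaves non-possessive, because the charstring body has to backtrack to find the following `[\s]ND` and the `U` modifier makes it lazy; a sentence in the patch header saying so would stop a future reviewer from reading it as an omission from the ReDoS fix.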
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56522.patch 
tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56522.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56522.patch       1969-12-31 
21:00:00.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56522.patch       2025-05-19 
23:39:30.000000000 -0300
@@ -0,0 +1,26 @@
+From d54b97cec33f4f1a5ad81119a82085cad93cec89 Mon Sep 17 00:00:00 2001
+From: nicolaasuni <[email protected]>
+Date: Mon, 23 Dec 2024 12:15:14 +0000
+Subject: [PATCH] Use strict time-constant function to compare TCPDF-tag
+ hashes.
+
+Bug-Debian: https://bugs.debian.org/1091688
+Origin: backport, 
https://github.com/tecnickcom/TCPDF/commit/d54b97cec33f4f1a5ad81119a82085cad93cec89
+---
+ CHANGELOG.TXT | 1 +
+ tcpdf.php     | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+Index: tcpdf/tcpdf.php
+===================================================================
+--- tcpdf.orig/tcpdf.php
++++ tcpdf/tcpdf.php
+@@ -17236,7 +17236,7 @@ class TCPDF {
+               $hlen = intval(substr($data, 0, $hpos));
+               $hash = substr($data, $hpos + 1, $hlen);
+               $encoded = substr($data, $hpos + 2 + $hlen);
+-              if ($hash != $this->hashTCPDFtag($encoded)) {
++              if (!hash_equals( $this->hashTCPDFtag($encoded), $hash)) {
+                       $this->Error('Invalid parameters');
+               }
+               return json_decode(urldecode($encoded), true);
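Review bot: the `hash_equals()` argument order is correct (computed hash first, attacker-influenced `$hash` from `substr($data, ...)` second), and since both values are strings a length mismatch returns false rather than raising. Two smaller points: the diffstat in the patch header lists `CHANGELOG.TXT | 1 +` although the backport carries only the `tcpdf.php` hunk, so trim the diffstat to match what is applied; and there is a stray space in `hash_equals( $this->hashTCPDFtag($encoded), $hash)` that was presumably inherited from upstream and could be normalised.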
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56527.patch 
tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56527.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56527.patch       1969-12-31 
21:00:00.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56527.patch       2025-05-19 
23:42:45.000000000 -0300
@@ -0,0 +1,24 @@
+From 11778aaa2d9e30a9ae1c1ee97ff349344f0ad6e1 Mon Sep 17 00:00:00 2001
+From: nicolaasuni <[email protected]>
+Date: Mon, 23 Dec 2024 12:12:07 +0000
+Subject: [PATCH] Escape error message
+
+Bug-Debian: https://bugs.debian.org/1091689
+Origin: backport, 
https://github.com/tecnickcom/TCPDF/commit/11778aaa2d9e30a9ae1c1ee97ff349344f0ad6e1
+---
+ CHANGELOG.TXT | 2 +-
+ tcpdf.php     | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+Index: tcpdf/tcpdf.php
+===================================================================
+--- tcpdf.orig/tcpdf.php
++++ tcpdf/tcpdf.php
+@@ -3006,6 +3006,7 @@ class TCPDF {
+       public function Error($msg) {
+               // unset all class variables
+               $this->_destroy(true);
++              $msg = htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
+               if (defined('K_TCPDF_THROW_EXCEPTION_ERROR') AND 
!K_TCPDF_THROW_EXCEPTION_ERROR) {
+                       die('<strong>TCPDF ERROR: </strong>'.$msg);
+               } else {
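Review bot: `$msg = htmlspecialchars($msg, ENT_QUOTES, 'UTF-8')` runs before the `if`, so the `else` branch also receives an HTML-escaped message; callers that catch the exception and log it, print it on the CLI or return it as JSON will see `&quot;`, `&lt;` and `&amp;` instead of the original characters. If that is acceptable for bookworm it should be stated in the patch header; otherwise apply the escaping inside the `die()` branch only. As with CVE-2024-56522.patch, the diffstat still lists `CHANGELOG.TXT | 2 +-` although only `tcpdf.php` is patched.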
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/series 
tcpdf-6.6.2+dfsg1/debian/patches/series
--- tcpdf-6.6.2+dfsg1/debian/patches/series     2022-12-23 17:08:41.000000000 
-0300
+++ tcpdf-6.6.2+dfsg1/debian/patches/series     2025-05-19 23:45:43.000000000 
-0300
@@ -1 +1,9 @@
 0001-Update-the-composer-example-to-use-the-Debian-includ.patch
+0001-fix-CSV-2024-22640-712.patch
+0001-Update-regexp-to-fix-CVE-2024-22641.patch
+CVE-2024-32489.patch
+CVE-2024-51058.patch
+CVE-2024-56519.patch
+CVE-2024-56520.patch
+CVE-2024-56522.patch
+CVE-2024-56527.patch
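Review bot: `0001-fix-CSV-2024-22640-712.patch` carries a `CSV` typo for `CVE` (likely inherited from the upstream commit subject) and, together with `0001-Update-regexp-to-fix-CVE-2024-22641.patch`, does not follow the `CVE-YYYY-NNNNN.patch` naming used by the other six entries; renaming both to `CVE-2024-22640.patch` and `CVE-2024-22641.patch` would make the series match the security tracker and the changelog.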
diff -Nru tcpdf-6.6.2+dfsg1/debian/rules tcpdf-6.6.2+dfsg1/debian/rules
--- tcpdf-6.6.2+dfsg1/debian/rules      2022-12-16 18:19:19.000000000 -0300
+++ tcpdf-6.6.2+dfsg1/debian/rules      2025-05-15 22:49:47.000000000 -0300
@@ -18,4 +18,5 @@
                --blacklist mc_tcpdf \
                --blacklist mypdf \
                --blacklist toc_tcpdf \
+               --exclude */.pc/* \
                --output autoload.php .
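Review bot: `--exclude */.pc/*` is passed unquoted through the shell in a make recipe, so if any path matching the glob exists relative to the build directory it is expanded before phpab sees it; write it as `--exclude '*/.pc/*' \` like a literal pattern. The exclusion itself is needed now that the package carries quilt patches, since `.pc/` holds the pristine copies of `tcpdf.php` and `tcpdf_fonts.php` that must not end up in the generated `autoload.php`; a line in the changelog explaining that would help the next maintainer.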

Attachment: signature.asc
Description: PGP signature
