Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2
Control: tags -1 + pending

On Thu, 2016-03-24 at 22:17 +0100, Markus Frosch wrote:
> On 23.03.2016 21:13, Adam D. Barratt wrote:
> > I'd prefer a slightly more verbose changelog if possible, in terms of
> > the actual issues. In any case, please go ahead.
>
> I've updated changelog and uploaded to jessie.

Flagged for acceptance.

Regards,

Adam
Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2
On 23.03.2016 21:13, Adam D. Barratt wrote:
> I'd prefer a slightly more verbose changelog if possible, in terms of
> the actual issues. In any case, please go ahead.

I've updated changelog and uploaded to jessie.

RM request #816037 should be closed, since it's superseded by this upload.

Thanks :)
Markus

-- 
mar...@lazyfrosch.de / lazyfro...@debian.org
http://www.lazyfrosch.de
Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2
On Thu, 2016-03-24 at 22:17 +0100, Markus Frosch wrote:
> RM request #816037 should be closed, since it's superseded by this upload.

It was, yesterday.

Regards,

Adam
Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2
Control: tags -1 + confirmed

On Sat, 2016-03-19 at 18:44 +0100, Markus Frosch wrote:
> On 19.03.2016 17:57, Julien Cristau wrote:
> > Yes please.
>
> Here is the current debdiff.

+php-dompdf (0.6.1+dfsg-2+deb8u1) stable-proposed-updates; urgency=medium

"jessie" is preferable.

+ * Non-maintainer upload.
+ * [22610bd] Add 0.6.2 hotfix patch (Closes: #813849)
+
+Fixes CVE:
+* CVE-2014-5011
+* CVE-2014-5012
+* CVE-2014-5013
+
+This update bundles CVE hotfixes from 0.6.2 upstream release.

I'd prefer a slightly more verbose changelog if possible, in terms of the actual issues. In any case, please go ahead.

Regards,

Adam
Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2
On 19.03.2016 17:57, Julien Cristau wrote:
> Yes please.

Here is the current debdiff.

Cheers
Markus Frosch

-- 
mar...@lazyfrosch.de / lazyfro...@debian.org
http://www.lazyfrosch.de

diff -Nru php-dompdf-0.6.1+dfsg/debian/changelog php-dompdf-0.6.1+dfsg/debian/changelog --- php-dompdf-0.6.1+dfsg/debian/changelog 2014-04-23 21:24:29.0 +0200 +++ php-dompdf-0.6.1+dfsg/debian/changelog 2016-03-19 18:42:01.0 +0100 @@ -1,3 +1,17 @@ +php-dompdf (0.6.1+dfsg-2+deb8u1) stable-proposed-updates; urgency=medium + + * Non-maintainer upload. + * [22610bd] Add 0.6.2 hotfix patch (Closes: #813849) + +Fixes CVE: +* CVE-2014-5011 +* CVE-2014-5012 +* CVE-2014-5013 + +This update bundles CVE hotfixes from 0.6.2 upstream release. + + -- Markus FroschSat, 19 Mar 2016 18:40:34 +0100 + php-dompdf (0.6.1+dfsg-2) unstable; urgency=medium * Document security issue fixed in last upstream version, and upload to diff -Nru php-dompdf-0.6.1+dfsg/debian/patches/0100-0.6.2-hotfix.patch php-dompdf-0.6.1+dfsg/debian/patches/0100-0.6.2-hotfix.patch --- php-dompdf-0.6.1+dfsg/debian/patches/0100-0.6.2-hotfix.patch 1970-01-01 01:00:00.0 +0100 +++ php-dompdf-0.6.1+dfsg/debian/patches/0100-0.6.2-hotfix.patch 2016-03-19 18:36:53.0 +0100 
@@ -0,0 +1,713 @@ +Description: Hotfix based on 0.6.2 + This patch fixes: + * CVE-2014-2383 + * CVE-2014-5011 + * CVE-2014-5012 + * CVE-2014-5013 + . + The patch bundles code changes from 0.6.2 +Author: Brian Sweeney +Origin: upstream +Applied-Upstream: 0.6.2 +Reviewed-by: Markus Frosch +Last-Update: 2016-02-27 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/dompdf.php b/dompdf.php +@@ -130,6 +130,8 @@ + $sapi = php_sapi_name(); + $options = array(); + ++$dompdf = new DOMPDF(); ++ + switch ( $sapi ) { + + case "cli": +@@ -169,7 +171,7 @@ + if ( $file === "-" ) + $outfile = "dompdf_out.pdf"; + else +- $outfile = str_ireplace(array(".html", ".htm", ".php"), "", $file) . ".pdf"; ++ $outfile = str_ireplace(array(".html", ".htm"), "", $file) . ".pdf"; + } + + if ( isset($opts["v"]) ) +@@ -194,6 +196,8 @@ + + default: + ++ $dompdf->set_option('enable_php', false); ++ + if ( isset($_GET["input_file"]) ) + $file = rawurldecode($_GET["input_file"]); + else +@@ -220,26 +224,12 @@ + + $file_parts = explode_url($file); + +- /* Check to see if the input file is local and, if so, that the base path falls within that specified by DOMDPF_CHROOT */ +- if(($file_parts['protocol'] == '' || $file_parts['protocol'] === 'file://')) { +-$file = realpath($file); +-if ( strpos($file, DOMPDF_CHROOT) !== 0 ) { +- throw new DOMPDF_Exception("Permission denied on $file. The file could not be found under the directory specified by DOMPDF_CHROOT."); +-} +- } +- +- if($file_parts['protocol'] === 'php://') { +-throw new DOMPDF_Exception("Permission denied on $file. 
This script does not allow PHP streams."); +- } +- + $outfile = "dompdf_out.pdf"; # Don't allow them to set the output file + $save_file = false; # Don't save the file + + break; + } + +-$dompdf = new DOMPDF(); +- + if ( $file === "-" ) { + $str = ""; + while ( !feof(STDIN) ) +--- a/dompdf_config.custom.inc.php b/dompdf_config.custom.inc.php +@@ -1,6 +1,7 @@ +-https://github.com/dompdf/dompdf/wiki ++ */ ++//define("DOMPDF_CHROOT", DOMPDF_DIR); ++//define("DOMPDF_ENABLE_PHP", false); ++//define("DOMPDF_ENABLE_REMOTE", false); +--- a/include/abstract_renderer.cls.php b/include/abstract_renderer.cls.php +@@ -100,7 +100,7 @@ + //Therefore read dimension directly from file, instead of creating gd object first. + //$img_w = imagesx($src); $img_h = imagesy($src); + +-list($img_w, $img_h) = dompdf_getimagesize($img); ++list($img_w, $img_h) = dompdf_getimagesize($img, $this->_dompdf->get_http_context()); + if (!isset($img_w) || $img_w == 0 || !isset($img_h) || $img_h == 0) { + return; + } +--- a/include/cpdf_adapter.cls.php b/include/cpdf_adapter.cls.php +@@ -604,7 +604,7 @@ + } + + function image($img, $x, $y, $w, $h, $resolution = "normal") { +-list($width, $height, $type) = dompdf_getimagesize($img); ++list($width, $height, $type) = dompdf_getimagesize($img, $this->_dompdf->get_http_context()); + + $debug_png = $this->_dompdf->get_option("debug_png"); + +--- a/include/dompdf.cls.php b/include/dompdf.cls.php +@@ -184,6 +184,25 @@ +* @var bool +*/ + private $_quirksmode = false; ++ ++ /** ++ * Protocol whitelist ++ * ++ * Protocols and PHP wrappers allowed in URLs. Full support is not ++ * guarantee for the protocols/wrappers contained in this array. ++ * ++ * @var array ++ */ ++ private $_allowed_protocols = array(null, "", "file://", "http://;, "https://;); ++ ++ /** ++ * Local file
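Review bot: the changelog hunk targets `stable-proposed-updates`; for a jessie point update the distribution field should be `jessie` (the review above already says so). The entry also lists the three CVE identifiers without a word about what each one is, so a reader of the changelog cannot tell which flaw a given CVE refers to; one short line per CVE naming the issue would make the entry self-explanatory and matches the request for a more verbose changelog.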
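Review bot: the `dompdf_config.custom.inc.php` hunk adds only commented-out lines (`//define("DOMPDF_CHROOT", ...)`, `//define("DOMPDF_ENABLE_PHP", false)`, `//define("DOMPDF_ENABLE_REMOTE", false)`), so it changes no runtime setting; the effective defaults for chroot, inline PHP and remote fetching stay whatever the shipped `dompdf_config.inc.php` sets, and that file is not touched anywhere in the quoted diff. The header says `-1,6 +1,7` but only one removed and four added lines survive here, so this copy of the hunk also looks truncated. If the intent is a hardened default (remote and inline PHP off), either make the defines effective or state in the changelog that only the web front-end is hardened.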
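Review bot: the `@@ -220,26 +224,12 @@` hunk in `dompdf.php` removes both the `DOMPDF_CHROOT` containment check and the rejection of `php://` input paths from the front-end, while the only replacement visible in this copy of the patch is the new `$_allowed_protocols` whitelist property in `include/dompdf.cls.php`, after which the diff is cut off. Before accepting, confirm that the backported `dompdf.cls.php` changes actually enforce that whitelist and the chroot check when the input file is loaded; otherwise the front-end ends up with fewer checks than 0.6.1+dfsg-2 had. Also, as quoted the whitelist reads `"http://;, "https://;`, which is not valid PHP; if that is not merely a rendering artefact of the mail, the patched file will not parse.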
Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2
On Tue, Mar 15, 2016 at 11:13:19 +0100, Markus Frosch wrote:
> I can update the diff if you like, difference only in the changelog and patch
> summary.
>
Yes please.

Cheers,
Julien
Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2
On 14.03.2016 23:10, Moritz Mühlenhoff wrote:
> > CVE-2014-2383 should actually be already fixed in 0.6.1+dfsg-1. Is
> > that wrong?
> >
> > https://security-tracker.debian.org/tracker/CVE-2014-2383
> > https://bugs.debian.org/745619
>
> Markus?

Hi Moritz,
as I said: Mail from Sun, 28 Feb 2016 19:51:01 +0100
> That seems to be correct, upstream mentioned it on 0.6.2 as well.
>
> I guess because CVE-2014-5013 is a follow-up for that.
>
> Will remove it from the changelog.

I'd love to go forward with the PU, if nobody has objections. That's the part I was waiting on...

I can update the diff if you like, difference only in the changelog and patch summary.

Cheers
Markus Frosch

-- 
mar...@lazyfrosch.de / lazyfro...@debian.org
http://www.lazyfrosch.de
Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2
On Sun, Feb 28, 2016 at 07:42:46PM +0100, Salvatore Bonaccorso wrote:
> Hi Markus,
>
> Just one note:
>
> On Sun, Feb 28, 2016 at 06:22:08PM +0100, Markus Frosch wrote:
> > +php-dompdf (0.6.1+dfsg-2+deb8u1) UNRELEASED; urgency=medium
> > +
> > + * Non-maintainer upload.
> > + * [22610bd] Add 0.6.2 hotfix patch (Closes: #813849)
> > +
> > +Fixes CVE:
> > +* CVE-2014-2383
> > +* CVE-2014-5011
> > +* CVE-2014-5012
> > +* CVE-2014-5013
>
> CVE-2014-2383 should actually be already fixed in 0.6.1+dfsg-1. Is
> that wrong?
>
> https://security-tracker.debian.org/tracker/CVE-2014-2383
> https://bugs.debian.org/745619

Markus?

Cheers,
Moritz
Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2
On 28.02.2016 19:42, Salvatore Bonaccorso wrote:
> CVE-2014-2383 should actually be already fixed in 0.6.1+dfsg-1. Is
> that wrong?
>
> https://security-tracker.debian.org/tracker/CVE-2014-2383
> https://bugs.debian.org/745619

That seems to be correct, upstream mentioned it on 0.6.2 as well.

I guess because CVE-2014-5013 is a follow-up for that.

Will remove it from the changelog.

Cheers
Markus Frosch

-- 
mar...@lazyfrosch.de / lazyfro...@debian.org
http://www.lazyfrosch.de
Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2
Hi Markus,

Just one note:

On Sun, Feb 28, 2016 at 06:22:08PM +0100, Markus Frosch wrote:
> +php-dompdf (0.6.1+dfsg-2+deb8u1) UNRELEASED; urgency=medium
> +
> + * Non-maintainer upload.
> + * [22610bd] Add 0.6.2 hotfix patch (Closes: #813849)
> +
> +Fixes CVE:
> +* CVE-2014-2383
> +* CVE-2014-5011
> +* CVE-2014-5012
> +* CVE-2014-5013

CVE-2014-2383 should actually be already fixed in 0.6.1+dfsg-1. Is that wrong?

https://security-tracker.debian.org/tracker/CVE-2014-2383
https://bugs.debian.org/745619

Regards,
Salvatore
Bug#816037: Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2
Hi Adam,

On 28.02.2016 18:29, Adam D. Barratt wrote:
> Well the RM's already been requested - see #816037. Could you please
> sort out between you what's happening, and let us know?

I haven't seen that bug. I decided to take over and ITA yesterday, so that was after David's request.

Since I still want to be the new maintainer, and just uploaded to unstable, I'd still prefer to keep. Unless the release team opposes that :)

Cheers
Markus Frosch

-- 
mar...@lazyfrosch.de / lazyfro...@debian.org
http://www.lazyfrosch.de
Bug#816037: Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2
Control: tags 816198 + moreinfo

On Sun, 2016-02-28 at 18:22 +0100, Markus Frosch wrote:
> Hey release team,
> I'd like to propose an update for jessie, that addresses 4 CVEs with
> php-dompdf.
>
> Related package bug is #813849
>
> Though php-dompdf is technically a leaf package, I'd prefer to ship a
> update over a RM of the package from stable.

Well the RM's already been requested - see #816037. Could you please sort out between you what's happening, and let us know?

Regards,

Adam
Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hey release team,
I'd like to propose an update for jessie that addresses 4 CVEs with php-dompdf.

Related package bug is #813849

Though php-dompdf is technically a leaf package, I'd prefer to ship an update over a RM of the package from stable.

Attached is a prepared debdiff of that update. Please review and let me know if you need anything in addition.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru php-dompdf-0.6.1+dfsg/debian/changelog php-dompdf-0.6.1+dfsg/debian/changelog --- php-dompdf-0.6.1+dfsg/debian/changelog 2014-04-23 21:24:29.0 +0200 +++ php-dompdf-0.6.1+dfsg/debian/changelog 2016-02-27 15:51:54.0 +0100 @@ -1,3 +1,18 @@ +php-dompdf (0.6.1+dfsg-2+deb8u1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * [22610bd] Add 0.6.2 hotfix patch (Closes: #813849) + +Fixes CVE: +* CVE-2014-2383 +* CVE-2014-5011 +* CVE-2014-5012 +* CVE-2014-5013 + +This update bundles CVE hotfixes from 0.6.2 upstream release. + + -- Markus FroschSat, 27 Feb 2016 15:48:10 +0100 + php-dompdf (0.6.1+dfsg-2) unstable; urgency=medium * Document security issue fixed in last upstream version, and upload to diff -Nru php-dompdf-0.6.1+dfsg/debian/patches/0100-0.6.2-hotfix.patch php-dompdf-0.6.1+dfsg/debian/patches/0100-0.6.2-hotfix.patch --- php-dompdf-0.6.1+dfsg/debian/patches/0100-0.6.2-hotfix.patch 1970-01-01 01:00:00.0 +0100 +++ php-dompdf-0.6.1+dfsg/debian/patches/0100-0.6.2-hotfix.patch 2016-02-27 15:47:52.0 +0100 
@@ -0,0 +1,713 @@ +Description: Hotfix based on 0.6.2 + This patch fixes: + * CVE-2014-2383 + * CVE-2014-5011 + * CVE-2014-5012 + * CVE-2014-5013 + . + The patch bundles code changes from 0.6.2 +Author: Brian Sweeney +Origin: upstream +Applied-Upstream: 0.6.2 +Reviewed-by: Markus Frosch +Last-Update: 2016-02-27 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/dompdf.php b/dompdf.php +@@ -130,6 +130,8 @@ + $sapi = php_sapi_name(); + $options = array(); + ++$dompdf = new DOMPDF(); ++ + switch ( $sapi ) { + + case "cli": +@@ -169,7 +171,7 @@ + if ( $file === "-" ) + $outfile = "dompdf_out.pdf"; + else +- $outfile = str_ireplace(array(".html", ".htm", ".php"), "", $file) . ".pdf"; ++ $outfile = str_ireplace(array(".html", ".htm"), "", $file) . ".pdf"; + } + + if ( isset($opts["v"]) ) +@@ -194,6 +196,8 @@ + + default: + ++ $dompdf->set_option('enable_php', false); ++ + if ( isset($_GET["input_file"]) ) + $file = rawurldecode($_GET["input_file"]); + else +@@ -220,26 +224,12 @@ + + $file_parts = explode_url($file); + +- /* Check to see if the input file is local and, if so, that the base path falls within that specified by DOMDPF_CHROOT */ +- if(($file_parts['protocol'] == '' || $file_parts['protocol'] === 'file://')) { +-$file = realpath($file); +-if ( strpos($file, DOMPDF_CHROOT) !== 0 ) { +- throw new DOMPDF_Exception("Permission denied on $file. The file could not be found under the directory specified by DOMPDF_CHROOT."); +-} +- } +- +- if($file_parts['protocol'] === 'php://') { +-throw new DOMPDF_Exception("Permission denied on $file. 
This script does not allow PHP streams."); +- } +- + $outfile = "dompdf_out.pdf"; # Don't allow them to set the output file + $save_file = false; # Don't save the file + + break; + } + +-$dompdf = new DOMPDF(); +- + if ( $file === "-" ) { + $str = ""; + while ( !feof(STDIN) ) +--- a/dompdf_config.custom.inc.php b/dompdf_config.custom.inc.php +@@ -1,6 +1,7 @@ +-https://github.com/dompdf/dompdf/wiki ++ */ ++//define("DOMPDF_CHROOT", DOMPDF_DIR); ++//define("DOMPDF_ENABLE_PHP", false); ++//define("DOMPDF_ENABLE_REMOTE", false); +--- a/include/abstract_renderer.cls.php b/include/abstract_renderer.cls.php +@@ -100,7 +100,7 @@ + //Therefore read dimension directly from file, instead of creating gd object first. + //$img_w = imagesx($src); $img_h = imagesy($src); + +-list($img_w, $img_h) = dompdf_getimagesize($img); ++list($img_w, $img_h) = dompdf_getimagesize($img, $this->_dompdf->get_http_context()); + if (!isset($img_w) || $img_w == 0 || !isset($img_h) || $img_h == 0) { + return; + } +--- a/include/cpdf_adapter.cls.php b/include/cpdf_adapter.cls.php +@@ -604,7 +604,7 @@ + } + + function image($img, $x, $y, $w, $h, $resolution = "normal") { +-list($width, $height, $type) = dompdf_getimagesize($img); ++
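Review bot: the changelog hunk in this first debdiff is still marked `UNRELEASED`, which has to become the target suite before upload, and it lists CVE-2014-2383 among the fixes even though that CVE is tracked as already fixed in 0.6.1+dfsg-1 (https://security-tracker.debian.org/tracker/CVE-2014-2383, #745619), as raised in the thread. Either drop it from the entry or say explicitly that the 0.6.2 hotfix touches the same code again (the DEP-3 header of the patch also names CVE-2014-2383, so the two should agree).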
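Review bot: the `abstract_renderer.cls.php` and `cpdf_adapter.cls.php` hunks both add `$this->_dompdf->get_http_context()` as a second argument to `dompdf_getimagesize()`, but the change to `dompdf_getimagesize()` itself that declares this parameter is not in the quoted portion of the patch. PHP silently ignores surplus arguments to a user-defined function, so if that part of the 0.6.2 backport is missing the calls will still run while the image size lookups quietly bypass the configured HTTP context; check that the function definition in the backported patch takes the context before accepting.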