Your message dated Mon, 18 Dec 2023 22:31:48 +0000
with message-id <[email protected]>
and subject line Bug#1058641: fixed in php-dompdf-svg-lib 0.5.1-1
has caused the Debian Bug report #1058641,
regarding php-dompdf-svg-lib: CVE-2023-50251 CVE-2023-50252
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1058641: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058641
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: php-dompdf-svg-lib
Version: 0.5.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for php-dompdf-svg-lib.

CVE-2023-50251[0]:
| php-svg-lib is an SVG file parsing / rendering library. Prior to
| version 0.5.1, when parsing the attributes passed to a `use` tag
| inside an svg document, an attacker can cause the system to go into an
| infinite recursion. Depending on the system configuration and attack
| pattern this could exhaust the memory available to the executing
| process and/or to the server itself. An attacker sending multiple
| requests to a system to render the above payload can potentially
| cause resource exhaustion to the point that the system is unable to
| handle incoming requests. Version 0.5.1 contains a patch for this
| issue.


CVE-2023-50252[1]:
| php-svg-lib is an SVG file parsing / rendering library. Prior to
| version 0.5.1, when handling a `<use>` tag that references an
| `<image>` tag, it merges the attributes from the `<use>` tag into the
| `<image>` tag. The problem pops up especially when the `href`
| attribute from the `<use>` tag has not been sanitized. This can lead
| to an unsafe file read that can cause PHAR Deserialization
| vulnerability in PHP prior to version 8. Version 0.5.1 contains a
| patch for this issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50251
    https://www.cve.org/CVERecord?id=CVE-2023-50251
    https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-ff5x-7qg5-vwf2
[1] https://security-tracker.debian.org/tracker/CVE-2023-50252
    https://www.cve.org/CVERecord?id=CVE-2023-50252
    https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-jq98-9543-m4cr

Regards,
Salvatore

--- End Message ---
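As an added defensive example, not part of the bug report above and not code from php-svg-lib: a pre-validation step an application can run over untrusted SVG before handing it to any renderer, covering both issues the advisories describe. It flags `<use>` reference chains that loop back on themselves (the unbounded-recursion case of CVE-2023-50251) and `<use>`/`<image>` `href` values whose scheme is outside an allow-list (the unsanitized-href file read of CVE-2023-50252). The allow-list (`data:` and `https:` only, so bare paths and PHP stream wrappers such as `phar://` are rejected), the finding strings and the three sample documents are constructed assumptions for this example; upgrading to 0.5.1 remains the actual fix and this check is defence in depth on top of it.

```python
"""Pre-validation of untrusted SVG before it reaches a renderer (added example;
the allow-list, finding strings and sample documents are assumptions)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_NS = "{http://www.w3.org/1999/xlink}"
# Assumption: images are only ever embedded inline or fetched over HTTPS.
# A bare path has scheme "" and is rejected like any other unlisted scheme.
ALLOWED_SCHEMES = {"data", "https"}


def _local(tag):
    """Strip the XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]


def _hrefs(el):
    """Both spellings of the attribute; a single element may carry both."""
    return [v for v in (el.get("href"), el.get(XLINK_NS + "href")) if v is not None]


def find_use_cycles(root):
    """Return every <use> reference cycle as a list of ids, e.g. ['a', 'b', 'a']."""
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    # graph: id -> ids that <use> elements inside that element's subtree point at
    graph = {}
    for ident, el in by_id.items():
        targets = set()
        for node in el.iter():  # el.iter() yields el itself as well
            if _local(node.tag) == "use":
                for h in _hrefs(node):
                    if h.startswith("#") and h[1:] in by_id:
                        targets.add(h[1:])
        graph[ident] = targets

    cycles, finished = [], set()

    def visit(node, path):
        if node in path:  # back edge: this chain of references never terminates
            cycles.append(path[path.index(node):] + [node])
            return
        if node in finished:
            return
        for nxt in sorted(graph[node]):
            visit(nxt, path + [node])
        finished.add(node)

    for ident in sorted(graph):
        visit(ident, [])
    return cycles


def find_href_scheme_problems(root):
    """Return (tag, href) for each <use>/<image> href outside ALLOWED_SCHEMES."""
    bad = []
    for el in root.iter():
        if _local(el.tag) not in ("use", "image"):
            continue
        for h in _hrefs(el):
            if h.startswith("#"):
                continue  # in-document reference; covered by the cycle check
            if urlsplit(h).scheme.lower() not in ALLOWED_SCHEMES:
                bad.append((_local(el.tag), h))
    return bad


def validate_svg(svg_text):
    """Return a list of findings; an empty list means the document may be rendered."""
    # Hardening the XML parser itself (entity expansion) is a separate concern;
    # the stdlib parser is used here only to keep the example dependency-free.
    root = ET.fromstring(svg_text)
    findings = ["use-cycle: " + " -> ".join(c) for c in find_use_cycles(root)]
    findings += [f"href-scheme: <{tag}> href={h!r}" for tag, h in find_href_scheme_problems(root)]
    return findings


# Constructed sample documents (not taken from the advisories).
SAFE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><circle id="dot" r="2"/><g id="pair"><use xlink:href="#dot"/></g></defs>
  <use href="#pair" x="10"/>
  <image href="data:image/png;base64,iVBORw0KGgo=" width="4" height="4"/>
</svg>"""
CYCLIC_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <g id="a"><use href="#b"/></g>
  <g id="b"><use href="#a"/></g>
</svg>"""
LOCAL_HREF_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <image href="../logo.png" width="4" height="4"/>
</svg>"""

if __name__ == "__main__":
    for name, doc in (("safe", SAFE_SVG), ("cyclic", CYCLIC_SVG), ("local", LOCAL_HREF_SVG)):
        print(name, validate_svg(doc) or "ok")
```

The cycle check builds a graph over element ids rather than following the renderer's own expansion, so a self-referencing `<use>` and a two-element loop are both reported once, and dangling `#id` references (which a renderer simply ignores) are not counted as edges. Rejecting on any finding, rather than trying to repair the document, is the safer policy for an upload path.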
--- Begin Message ---
Source: php-dompdf-svg-lib
Source-Version: 0.5.1-1
Done: William Desportes <[email protected]>

We believe that the bug you reported is fixed in the latest version of
php-dompdf-svg-lib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
William Desportes <[email protected]> (supplier of updated php-dompdf-svg-lib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 18 Dec 2023 22:27:04 +0100
Source: php-dompdf-svg-lib
Architecture: source
Version: 0.5.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: William Desportes <[email protected]>
Closes: 1058641
Changes:
 php-dompdf-svg-lib (0.5.1-1) unstable; urgency=medium
 .
   * New upstream version 0.5.1
       - Fixes CVE-2023-50251, CVE-2023-50252
       - Closes: #1058641
   * Update gbp.conf
   * Add Security-Contact to d/u/metadata
Checksums-Sha1:
 d48413c82f1300e5a1c95fcc6033062bf4ab43f6 2195 php-dompdf-svg-lib_0.5.1-1.dsc
 685d2b676ade52b4cc9d25e92cf1daffad170af7 56956 php-dompdf-svg-lib_0.5.1.orig.tar.xz
 2acf8d33a31f716adbc352918a589c6354fcbf51 2856 php-dompdf-svg-lib_0.5.1-1.debian.tar.xz
 bfc8c6d290533ea18e1d59b092e587d0f2dd17e9 9706 php-dompdf-svg-lib_0.5.1-1_source.buildinfo
Checksums-Sha256:
 c64c9b905c5b97909c5543a876e409b2bb663af24971a8d50bd6e7a020d2da7a 2195 php-dompdf-svg-lib_0.5.1-1.dsc
 45df7e74b183d5344e189b86a76fc37c5ad1ed4fbdc522a43c3fe0e10175876f 56956 php-dompdf-svg-lib_0.5.1.orig.tar.xz
 eac68aed6aae5b4fb3d264dae2deec16f28a29e35b95de016a64acb65664f72a 2856 php-dompdf-svg-lib_0.5.1-1.debian.tar.xz
 de21be4b8af75359566b78529800da1516ba8f7c9d91f9efe378b45086af57e3 9706 php-dompdf-svg-lib_0.5.1-1_source.buildinfo
Files:
 13a7a3b24f8d3c574769ff65d65cb73e 2195 php optional php-dompdf-svg-lib_0.5.1-1.dsc
 ea1d689fbd4dbe27d727f416cf47a260 56956 php optional php-dompdf-svg-lib_0.5.1.orig.tar.xz
 79358cdb5c1588d99ecbe91b87f23fe5 2856 php optional php-dompdf-svg-lib_0.5.1-1.debian.tar.xz
 592ed02cb77e842b381c84e7a7a128c5 9706 php optional php-dompdf-svg-lib_0.5.1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
