Package: php-dompdf
Version: 0.6.0~beta3+dfsg0-1
Severity: normal
Tags: security, fixed-upstream

https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/
https://github.com/dompdf/dompdf/releases

The user is at risk if he/she has enabled DOMPDF_ENABLE_REMOTE in dompdf_config.inc.php, which is not recommended:

/**
 * Enable remote file access
 *
 * If this setting is set to true, DOMPDF will access remote sites for
 * images and CSS files as required.
 * This is required for part of test case www/test/image_variants.html through www/examples.php
 *
 * Attention!
 * This can be a security risk, in particular in combination with DOMPDF_ENABLE_PHP and
 * allowing remote access to dompdf.php or on allowing remote html code to be passed to
 * $dompdf = new DOMPDF(); $dompdf->load_html(...);
 * This allows anonymous users to download legally doubtful internet content which on
 * tracing back appears to being downloaded by your server, or allows malicious php code
 * in remote html pages to be executed by your server with your account privileges.
 *
 * @var bool
 */
def("DOMPDF_ENABLE_REMOTE", false);

Fixed in the 0.6.1 release.

I reproduced this issue and the PDF output file did include only 90 characters (no line breaks). Low priority issue.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.9-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php-dompdf depends on:
ii  fonts-dejavu  2.34-1
ii  php-font-lib  0~20120210+dfsg-1
ii  php5          5.5.11+dfsg-3
ii  php5-cli      5.5.11+dfsg-3
ii  sdop          0.80-1

php-dompdf recommends no packages.

Versions of packages php-dompdf suggests:
pn  php-tcpdf  <none>
ii  php5-cli   5.5.11+dfsg-3
pn  php5-gd    <none>

-- no debconf information
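As an added example (not part of this bug report and not dompdf project code), the following Python script audits a dompdf 0.6.x dompdf_config.inc.php for the setting the report warns about: it parses the def("NAME", true|false) calls in the style quoted above, ignores commented-out ones, and reports DOMPDF_ENABLE_REMOTE, and the DOMPDF_ENABLE_REMOTE plus DOMPDF_ENABLE_PHP combination the upstream comment singles out. The config fragment it runs on is constructed for the example, and the function names and the path handling are assumptions.

```python
import re

# Constructed sample fragment in the dompdf 0.6.x dompdf_config.inc.php style
# (not the real file). The commented-out def() must be ignored by the audit.
SAMPLE_CONFIG = '''
/**
 * Enable remote file access (see the Attention! note in the real file)
 * @var bool
 */
// def("DOMPDF_ENABLE_REMOTE", false);
def("DOMPDF_ENABLE_REMOTE", true);
def("DOMPDF_ENABLE_PHP", true);
def("DOMPDF_ENABLE_CSS_FLOAT", false);
def("DOMPDF_TEMP_DIR", sys_get_temp_dir());
'''

# Strip /* ... */ block comments and // line comments before matching so a
# commented-out def() is not mistaken for the active setting.
COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*', re.DOTALL)
# Only boolean def() calls matter here; def() calls with other values are skipped.
DEF_RE = re.compile(r'def\(\s*"([A-Z0-9_]+)"\s*,\s*(true|false)\s*\)', re.IGNORECASE)


def parse_defs(config_text):
    """Return {NAME: bool} for every active boolean def("NAME", true|false) call."""
    code = COMMENT_RE.sub('', config_text)
    return {name: value.lower() == 'true' for name, value in DEF_RE.findall(code)}


def audit(settings):
    """Return human-readable findings for the risky settings named in the report."""
    findings = []
    if settings.get('DOMPDF_ENABLE_REMOTE', False):
        findings.append('DOMPDF_ENABLE_REMOTE is true: dompdf will fetch remote images '
                        'and CSS; the report and the upstream comment say this is not '
                        'recommended (CVE-2014-2383, fixed in dompdf 0.6.1).')
        if settings.get('DOMPDF_ENABLE_PHP', False):
            findings.append('DOMPDF_ENABLE_PHP is also true: the upstream comment warns '
                            'that PHP in remote HTML can then run with the server '
                            'account privileges.')
    return findings


def audit_file(path):
    """Audit a dompdf_config.inc.php on disk; the path is supplied by the caller."""
    with open(path, encoding='utf-8') as fh:
        return audit(parse_defs(fh.read()))


if __name__ == '__main__':
    for finding in audit(parse_defs(SAMPLE_CONFIG)) or ['no risky settings found']:
        print(finding)
```

On a real installation run audit_file() against the deployed dompdf_config.inc.php; the sample fragment yields two findings because both settings are true and the commented-out false line is correctly ignored. A def() whose value is an expression rather than a literal true/false (such as DOMPDF_TEMP_DIR) is deliberately left out, so the script only reports what it can decide from the file alone.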

