Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu

I request permission to upload a fix of package php-tcpdf to fix security bug CVE-2015-3935 #814030 https://sourceforge.net/p/tcpdf/bugs/1005/

Fix is as simple as the following patch. Non-regression tested with success on packages "dolibarr" and "phpmyadmin".

Description: Set default value of K_TCPDF_CALLS_IN_HTML to false.
Author: Laurent Destailleur <[email protected]>
Forwarded: not-needed
Last-Update: 2013-07-29
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/

--- a/config/tcpdf_config.php +++ b/config/tcpdf_config.php @@ -210,7 +210,7 @@ * If true allows to call TCPDF methods using HTML syntax * IMPORTANT: For security reason, disable this feature if you are printing user HTML content. */ -define('K_TCPDF_CALLS_IN_HTML', true); +define('K_TCPDF_CALLS_IN_HTML', false); /** * If true and PHP version is greater than 5, then the Error() method throw new exception instead of terminating the execution.

--
System Information:
Debian Release: jessie/sid
APT prefers trusty-updates
APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.19.0-46-generic (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
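Review bot: the DEP-3 header is stale for this upload: Last-Update: 2013-07-29 predates CVE-2015-3935, and there is no Bug-Debian: field for #814030 nor a Bug: field for https://sourceforge.net/p/tcpdf/bugs/1005/, so the header should be refreshed to record why the default is changing. The hunk itself is the right minimal change: setting K_TCPDF_CALLS_IN_HTML to false matches the file's own comment that the feature must be disabled when printing user HTML content, but it only alters the shipped default in config/tcpdf_config.php, so a locally modified copy of that file keeps its old value and the changelog should say that such sites need to apply the same change themselves.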

