I made an error when copying and pasting the CVE number in my first request. The bug number was correct, so #814030, but the related CVE is CVE-2017-6100.
Also, this is the full debdiff (i previously provided only the patch file): diff -Nru tcpdf-6.0.093+dfsg/debian/changelog tcpdf-6.0.093+dfsg/debian/ changelog --- tcpdf-6.0.093+dfsg/debian/changelog 2014-09-07 17:22:38.000000000 +0200 +++ tcpdf-6.0.093+dfsg/debian/changelog 2017-02-23 18:36:27.000000000 +0100 @@ -1,3 +1,9 @@ +tcpdf (6.0.093+dfsg-1+deb8u1) UNRELEASED; urgency=medium + + * Fix CVE-2017-6100 (Closes: #814030) + + -- Laurent Destailleur (eldy) <[email protected]> Wed, 22 Feb 2017 11:43:27 +0100 + tcpdf (6.0.093+dfsg-1) unstable; urgency=medium * New upstream release 6.0.093+dfsg diff -Nru tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_IN_HTML-to-false.patch tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_ IN_HTML-to-false.patch --- tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_ IN_HTML-to-false.patch 1970-01-01 01:00:00.000000000 +0100 +++ tcpdf-6.0.093+dfsg/debian/patches/default-K_TCPDF_CALLS_ IN_HTML-to-false.patch 2017-02-23 18:36:27.000000000 +0100 @@ -0,0 +1,17 @@ +Description: Set default value of K_TCPDF_CALLS_IN_HTML to false. +Author: Laurent Destailleur <[email protected]> +Forwarded: not-needed +Last-Update: 2013-07-29 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/config/tcpdf_config.php ++++ b/config/tcpdf_config.php +@@ -210,7 +210,7 @@ + * If true allows to call TCPDF methods using HTML syntax + * IMPORTANT: For security reason, disable this feature if you are printing user HTML content. + */ +-define('K_TCPDF_CALLS_IN_HTML', true); ++define('K_TCPDF_CALLS_IN_HTML', false); + + /** + * If true and PHP version is greater than 5, then the Error() method throw new exception instead of terminating the execution. diff -Nru tcpdf-6.0.093+dfsg/debian/patches/series tcpdf-6.0.093+dfsg/debian/patches/series --- tcpdf-6.0.093+dfsg/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ tcpdf-6.0.093+dfsg/debian/patches/series 2017-02-23 18:36:27.000000000 +0100 
@@ -0,0 +1 @@ +default-K_TCPDF_CALLS_IN_HTML-to-false.patch 2017-05-06 2:00 GMT+02:00 Debian Bug Tracking System <[email protected]> : > Thank you for filing a new Bug report with Debian. > > This is an automatically generated reply to let you know your message > has been received. > > Your message is being forwarded to the package maintainers and other > interested parties for their attention; they will reply in due course. > > Your message has been sent to the package maintainer(s): > Debian Release Team <[email protected]> > > If you wish to submit further information on this problem, please > send it to [email protected]. > > Please do not send mail to [email protected] unless you wish > to report a problem with the Bug-tracking system. > > -- > 861926: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861926 > Debian Bug Tracking System > Contact [email protected] with problems > -- EMail: [email protected] Web: http://www.destailleur.fr ------------------------------------------------------------------------------------ Google+: https://plus.google.com/+LaurentDestailleur-Open-Source-Expert/ Facebook: https://www.facebook.com/Destailleur.Laurent Twitter: http://www.twitter.com/eldy10 ------------------------------------------------------------------------------------ * Dolibarr (Project leader): https://www.dolibarr.org (make a donation for Dolibarr project via Paypal: [email protected]) * AWStats (Author) : http://awstats.sourceforge.net (make a donation for AWStats project via Paypal: [email protected]) * AWBot (Author) : http://awbot.sourceforge.net * CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
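Review bot: the distribution field in the new debian/changelog stanza is UNRELEASED, so the package cannot be uploaded as-is; for a jessie stable update going through the release team it should name the target suite, e.g. `tcpdf (6.0.093+dfsg-1+deb8u1) jessie; urgency=medium`. The entry should also state what the fix changes in practice: the shipped default of K_TCPDF_CALLS_IN_HTML goes from true to false, so installations that relied on calling TCPDF methods from HTML stop doing so until an admin re-enables it deliberately; one sentence here (or a debian/NEWS entry) lets them plan for that.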
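Review bot: the DEP-3 header of default-K_TCPDF_CALLS_IN_HTML-to-false.patch says `Last-Update: 2013-07-29`, which predates both the CVE and the 22 Feb 2017 changelog date; set it to the date the patch was written, and add `Bug-Debian: https://bugs.debian.org/814030` together with the CVE id in the Description so the security rationale is traceable from the patch file itself. `Forwarded: not-needed` also deserves a word of justification, since a changed default is something upstream would normally want to hear about unless it already ships false. The one-line change to config/tcpdf_config.php is the right minimal fix for a stable update: the upstream comment directly above it already tells users to disable the feature when printing user HTML content, so the patch only brings the shipped default in line with that guidance.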

