Package: release.debian.org Severity: normal Tags: bookworm User: [email protected] Usertags: pu X-Debbugs-Cc: [email protected] Control: affects -1 + src:php-dompdf
[ Reason ] This version fix CVE-2023-50262: SVG file reference recursion validation issue. All other suites have this issue fixed. [ Impact ] They are susceptible to CVE-2023-50262 [ Tests ] I ran autopkgtest available in this package and was successful. [ Risks ] Not much. The patch is backported from version 2.0.4 and fitted without any fuzz. Plus the autopkgtest went fine. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x ] the issue is verified as fixed in unstable --abhijith
diff -Nru php-dompdf-2.0.3+dfsg/debian/changelog php-dompdf-2.0.3+dfsg/debian/changelog --- php-dompdf-2.0.3+dfsg/debian/changelog 2023-02-08 18:11:16.000000000 +0530 +++ php-dompdf-2.0.3+dfsg/debian/changelog 2026-01-02 15:26:29.000000000 +0530 @@ -1,3 +1,10 @@ +php-dompdf (2.0.3+dfsg-1+deb12u1) bookworm; urgency=medium + + * Fix CVE-2023-50262: Improve SVG file reference recursion + validation + + -- Abhijith PA <[email protected]> Fri, 02 Jan 2026 15:26:29 +0530 + php-dompdf (2.0.3+dfsg-1) unstable; urgency=medium * New upstream version 2.0.3 (CVE-2023-24813) diff -Nru php-dompdf-2.0.3+dfsg/debian/patches/CVE-2023-50262.patch php-dompdf-2.0.3+dfsg/debian/patches/CVE-2023-50262.patch --- php-dompdf-2.0.3+dfsg/debian/patches/CVE-2023-50262.patch 1970-01-01 05:30:00.000000000 +0530 +++ php-dompdf-2.0.3+dfsg/debian/patches/CVE-2023-50262.patch 2026-01-02 15:24:34.000000000 +0530 @@ -0,0 +1,94 @@ +From 41cbac16f3cf56affa49f06e8dae66d0eac2b593 Mon Sep 17 00:00:00 2001 +From: Brian Sweeney <[email protected]> +Date: Mon, 4 Dec 2023 09:19:28 -0500 +Subject: [PATCH] Improve SVG file reference recursion validation + +--- + src/Image/Cache.php | 48 ++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 39 insertions(+), 9 deletions(-) + +diff --git a/src/Image/Cache.php b/src/Image/Cache.php +index 8e36aa2b7..b3e1d0e9e 100644 +--- a/src/Image/Cache.php ++++ b/src/Image/Cache.php +@@ -31,6 +31,14 @@ class Cache + */ + protected static $tempImages = []; + ++ /** ++ * Array of image references from an SVG document. ++ * Used to detect circular references across SVG documents. ++ * ++ * @var array ++ */ ++ protected static $svgRefs = []; ++ + /** + * The url to the "broken image" used when images can't be loaded + * +@@ -134,20 +142,28 @@ static function resolve_url($url, $protocol, $host, $base_path, Options $options + $parser, + function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) { + if (strtolower($name) === "image") { ++ if (!\array_key_exists($full_url, self::$svgRefs)) { ++ self::$svgRefs[$full_url] = []; ++ } + $attributes = array_change_key_case($attributes, CASE_LOWER); + $urls = []; + $urls[] = $attributes["xlink:href"] ?? ""; + $urls[] = $attributes["href"] ?? ""; + foreach ($urls as $url) { +- if (!empty($url)) { +- $inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $url); +- if ($inner_full_url === $full_url) { +- throw new ImageException("SVG self-reference is not allowed", E_WARNING); +- } +- [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $options); +- if (!empty($message)) { +- throw new ImageException("This SVG document references a restricted resource. $message", E_WARNING); +- } ++ if (empty($url)) { ++ continue; ++ } ++ ++ $inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $url); ++ if (empty($inner_full_url)) { ++ continue; ++ } ++ ++ self::detectCircularRef($full_url, $inner_full_url); ++ self::$svgRefs[$full_url][] = $inner_full_url; ++ [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $options); ++ if (!empty($message)) { ++ throw new ImageException("This SVG document references a restricted resource. $message", E_WARNING); + } + } + } +@@ -178,6 +194,19 @@ function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) { + return [$resolved_url, $type, $message]; + } + ++ static function detectCircularRef(string $src, string $target) ++ { ++ if (!\array_key_exists($target, self::$svgRefs)) { ++ return; ++ } ++ foreach (self::$svgRefs[$target] as $ref) { ++ if ($ref === $src) { ++ throw new ImageException("Circular external SVG image reference detected.", E_WARNING); ++ } ++ self::detectCircularRef($src, $ref); ++ } ++ } ++ + /** + * Register a temp file for the given original image file. + * +@@ -239,6 +268,7 @@ static function clear(bool $debugPng = false) + + self::$_cache = []; + self::$tempImages = []; ++ self::$svgRefs = []; + } + + static function detect_type($file, $context = null) diff -Nru php-dompdf-2.0.3+dfsg/debian/patches/series php-dompdf-2.0.3+dfsg/debian/patches/series --- php-dompdf-2.0.3+dfsg/debian/patches/series 2023-02-04 18:18:32.000000000 +0530 +++ php-dompdf-2.0.3+dfsg/debian/patches/series 2026-01-02 15:24:34.000000000 +0530 @@ -1,3 +1,4 @@ 0001-Exclude-adobe-font-check.patch 0002-Change-dir-variables-to-debian-dirs.patch 0003-Change-font-dir-for-local-build-tests.patch +CVE-2023-50262.patch
