Your message dated Sat, 16 May 2026 11:07:43 +0000
with message-id <[email protected]>
and subject line Released with 12.14
has caused the Debian Bug report #1124537,
regarding bookworm-pu: package php-dompdf/2.0.3+dfsg-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1124537: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124537
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:php-dompdf

[ Reason ]
This version fixes CVE-2023-50262, an SVG file reference recursion validation
issue. All other suites already have this issue fixed.

[ Impact ]
Bookworm systems are susceptible to CVE-2023-50262.

[ Tests ]
I ran the autopkgtest available in this package and it was successful.

[ Risks ]
Not much. The patch is backported from version 2.0.4 and applied without
any fuzz, and the autopkgtest passed.


[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

--abhijith
diff -Nru php-dompdf-2.0.3+dfsg/debian/changelog 
php-dompdf-2.0.3+dfsg/debian/changelog
--- php-dompdf-2.0.3+dfsg/debian/changelog      2023-02-08 18:11:16.000000000 
+0530
+++ php-dompdf-2.0.3+dfsg/debian/changelog      2026-01-02 15:26:29.000000000 
+0530
@@ -1,3 +1,10 @@
+php-dompdf (2.0.3+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Fix CVE-2023-50262: Improve SVG file reference recursion
+    validation
+
+ -- Abhijith PA <[email protected]>  Fri, 02 Jan 2026 15:26:29 +0530
+
 php-dompdf (2.0.3+dfsg-1) unstable; urgency=medium
 
   * New upstream version 2.0.3 (CVE-2023-24813)
diff -Nru php-dompdf-2.0.3+dfsg/debian/patches/CVE-2023-50262.patch 
php-dompdf-2.0.3+dfsg/debian/patches/CVE-2023-50262.patch
--- php-dompdf-2.0.3+dfsg/debian/patches/CVE-2023-50262.patch   1970-01-01 
05:30:00.000000000 +0530
+++ php-dompdf-2.0.3+dfsg/debian/patches/CVE-2023-50262.patch   2026-01-02 
15:24:34.000000000 +0530
@@ -0,0 +1,94 @@
+From 41cbac16f3cf56affa49f06e8dae66d0eac2b593 Mon Sep 17 00:00:00 2001
+From: Brian Sweeney <[email protected]>
+Date: Mon, 4 Dec 2023 09:19:28 -0500
+Subject: [PATCH] Improve SVG file reference recursion validation
+
+---
+ src/Image/Cache.php | 48 ++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 39 insertions(+), 9 deletions(-)
+
+diff --git a/src/Image/Cache.php b/src/Image/Cache.php
+index 8e36aa2b7..b3e1d0e9e 100644
+--- a/src/Image/Cache.php
++++ b/src/Image/Cache.php
+@@ -31,6 +31,14 @@ class Cache
+      */
+     protected static $tempImages = [];
+ 
++    /**
++     * Array of image references from an SVG document.
++     * Used to detect circular references across SVG documents.
++     *
++     * @var array
++     */
++    protected static $svgRefs = [];
++
+     /**
+      * The url to the "broken image" used when images can't be loaded
+      *
+@@ -134,20 +142,28 @@ static function resolve_url($url, $protocol, $host, 
$base_path, Options $options
+                     $parser,
+                     function ($parser, $name, $attributes) use ($options, 
$parsed_url, $full_url) {
+                         if (strtolower($name) === "image") {
++                            if (!\array_key_exists($full_url, 
self::$svgRefs)) {
++                                self::$svgRefs[$full_url] = [];
++                            }
+                             $attributes = array_change_key_case($attributes, 
CASE_LOWER);
+                             $urls = [];
+                             $urls[] = $attributes["xlink:href"] ?? "";
+                             $urls[] = $attributes["href"] ?? "";
+                             foreach ($urls as $url) {
+-                                if (!empty($url)) {
+-                                    $inner_full_url = 
Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], 
$parsed_url["path"], $url);
+-                                    if ($inner_full_url === $full_url) {
+-                                        throw new ImageException("SVG 
self-reference is not allowed", E_WARNING);
+-                                    }
+-                                    [$resolved_url, $type, $message] = 
self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], 
$parsed_url["path"], $options);
+-                                    if (!empty($message)) {
+-                                        throw new ImageException("This SVG 
document references a restricted resource. $message", E_WARNING);
+-                                    }
++                                if (empty($url)) {
++                                    continue;
++                                }
++
++                                $inner_full_url = 
Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], 
$parsed_url["path"], $url);
++                                if (empty($inner_full_url)) {
++                                    continue;
++                                }
++                                
++                                self::detectCircularRef($full_url, 
$inner_full_url);
++                                self::$svgRefs[$full_url][] = $inner_full_url;
++                                [$resolved_url, $type, $message] = 
self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], 
$parsed_url["path"], $options);
++                                if (!empty($message)) {
++                                    throw new ImageException("This SVG 
document references a restricted resource. $message", E_WARNING);
+                                 }
+                             }
+                         }
+@@ -178,6 +194,19 @@ function ($parser, $name, $attributes) use ($options, 
$parsed_url, $full_url) {
+         return [$resolved_url, $type, $message];
+     }
+ 
++    static function detectCircularRef(string $src, string $target)
++    {
++        if (!\array_key_exists($target, self::$svgRefs)) {
++            return;
++        }
++        foreach (self::$svgRefs[$target] as $ref) {
++            if ($ref === $src) {
++                throw new ImageException("Circular external SVG image 
reference detected.", E_WARNING);
++            }
++            self::detectCircularRef($src, $ref);
++        }
++    }
++
+     /**
+      * Register a temp file for the given original image file.
+      *
+@@ -239,6 +268,7 @@ static function clear(bool $debugPng = false)
+ 
+         self::$_cache = [];
+         self::$tempImages = [];
++        self::$svgRefs = [];
+     }
+ 
+     static function detect_type($file, $context = null)
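Review bot: In the `<image>` callback, `self::$svgRefs[$full_url][] = $inner_full_url;` appends a new entry every time the same target is referenced, so an SVG that references one file many times fills its list with duplicates and `detectCircularRef` re-walks each of them (and their own duplicated children) on every later check; guard the append with `if (!\in_array($inner_full_url, self::$svgRefs[$full_url], true))` so the walk stays bounded by the number of distinct references. The explicit `if ($inner_full_url === $full_url)` self-reference check that the patch drops is now only caught on the recursive `resolve_url` call, apparently after the same document has been fetched and parsed a second time, so keeping that one-line guard in front of `self::detectCircularRef(...)` is still worthwhile. `detectCircularRef` is declared without visibility or a return type; `protected static function detectCircularRef(string $src, string $target): void` would match the body, which returns nothing, unless an external caller is intended. The enclosing `resolve_url` method starts and ends outside the patched hunks, so where the `ImageException` thrown from the parser callback is caught is not visible here.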
diff -Nru php-dompdf-2.0.3+dfsg/debian/patches/series 
php-dompdf-2.0.3+dfsg/debian/patches/series
--- php-dompdf-2.0.3+dfsg/debian/patches/series 2023-02-04 18:18:32.000000000 
+0530
+++ php-dompdf-2.0.3+dfsg/debian/patches/series 2026-01-02 15:24:34.000000000 
+0530
@@ -1,3 +1,4 @@
 0001-Exclude-adobe-font-check.patch
 0002-Change-dir-variables-to-debian-dirs.patch
 0003-Change-font-dir-for-local-build-tests.patch
+CVE-2023-50262.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.14

This update has been released as part of Debian 12.14.

--- End Message ---
