Source: php-dompdf-svg-lib
Version: 0.5.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for php-dompdf-svg-lib.

CVE-2024-25117[0]:
| php-svg-lib is a scalable vector graphics (SVG) file
| parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails
| to validate that font-family doesn't contain a PHAR url, which might
| lead to RCE on PHP < 8.0, and doesn't validate if external
| references are allowed. This might lead to bypass of restrictions
| or RCE on projects that are using it, if they do not strictly
| revalidate the fontName that is passed by php-svg-lib. The
| `Style::fromAttributes()`, or the `Style::parseCssStyle()` should
| check the content of the `font-family` and prevent it from using a PHAR
| url, to avoid passing an invalid and dangerous `fontName` value to
| other libraries. The same check as done in the
| `Style::fromStyleSheets` might be reused. Libraries using this
| library as a dependency might be vulnerable to some bypass of
| restrictions, or even remote code execution, if they do not double
| check the value of the `fontName` that is passed by php-svg-lib.
| Version 0.5.2 contains a fix for this issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25117
    https://www.cve.org/CVERecord?id=CVE-2024-25117
[1] https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-f3qr-qr4x-j273
[2] https://github.com/dompdf/php-svg-lib/commit/732faa9fb4309221e2bd9b2fda5de44f947133aa
[3] https://github.com/dompdf/php-svg-lib/commit/8ffcc41bbde39f09f94b9760768086f12bbdce42

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
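The advisory above says the missing check is on the font-family value that php-svg-lib extracts from SVG attributes or inline CSS and hands on as fontName. The danger on PHP < 8.0 is that filesystem functions such as file_exists() on a phar:// path automatically unserialize the archive's metadata, so a font name that is really a phar:// URL becomes a deserialization gadget in whatever consumer treats fontName as a path. The following is an added example of the kind of validation a consumer (or the parser) could apply; it is not php-svg-lib's own code, the function names, the allow-list pattern and the sample inputs are assumptions made here, and it does not reproduce the upstream fix in the linked commits.

```php
<?php
// Added example, not php-svg-lib code. A defensive validator for the
// font-family value that php-svg-lib extracts from SVG attributes or
// inline CSS before it is handed on as fontName. The function names and
// the allow-list below are assumptions made for this illustration.

declare(strict_types=1);

/**
 * Split a CSS font-family list into individual family names, dropping
 * surrounding quotes and whitespace. "'Open Sans', Arial, sans-serif"
 * becomes ["Open Sans", "Arial", "sans-serif"].
 */
function splitFontFamily(string $value): array
{
    $families = [];
    foreach (explode(',', $value) as $part) {
        $part = trim($part);
        // Strip one layer of matching single or double quotes.
        if (strlen($part) >= 2 && ($part[0] === '"' || $part[0] === "'") && $part[-1] === $part[0]) {
            $part = substr($part, 1, -1);
        }
        $part = trim($part);
        if ($part !== '') {
            $families[] = $part;
        }
    }
    return $families;
}

/**
 * Return true only if a single family name is safe to pass on as a
 * fontName. Anything that looks like a stream wrapper (phar://, file://,
 * http://, data:, ...) or a filesystem path is rejected; the advisory's
 * concern is exactly that such a value reaches a consumer that treats
 * fontName as a path.
 */
function isSafeFontFamilyName(string $name): bool
{
    // Any "scheme:" prefix, including phar:, is refused outright.
    if (preg_match('/^[a-z][a-z0-9+.\-]*:/i', $name)) {
        return false;
    }
    // No directory separators, NUL bytes or traversal components.
    if (strpbrk($name, "/\\\0") !== false || strpos($name, '..') !== false) {
        return false;
    }
    // Allow-list (an assumption for this example): letters, digits,
    // spaces, hyphen and underscore, which covers real family names
    // ("DejaVu Sans", "Noto-Serif") and CSS generic families
    // (serif, sans-serif, monospace).
    return (bool) preg_match('/^[A-Za-z0-9 _\-]{1,64}$/', $name);
}

/**
 * Filter a raw font-family value down to the safe family names, in order.
 * Returns an empty array when nothing survives, so the caller can fall
 * back to a default font instead of forwarding the attacker's string.
 */
function sanitizeFontFamily(string $value): array
{
    return array_values(array_filter(splitFontFamily($value), 'isSafeFontFamilyName'));
}

// Constructed inputs for demonstration: a benign declaration, a phar://
// wrapper of the kind CVE-2024-25117 describes, a local file path, a
// remote URL, and a quoted phar:// entry followed by a generic family.
// None of these are taken from the bug report.
$samples = [
    "'Open Sans', Arial, sans-serif",
    "phar://uploads/avatar.jpg/x",
    "/usr/share/fonts/truetype/DejaVuSans.ttf",
    "https://attacker.example/evil.ttf",
    "'phar://uploads/avatar.jpg', serif",
];

foreach ($samples as $raw) {
    $kept = sanitizeFontFamily($raw);
    printf("%-45s => %s\n", $raw, $kept ? implode(', ', $kept) : '(rejected, use default font)');
}
```

The point of returning the filtered list rather than the original string is that a consumer never sees the rejected entry at all: in the last sample only "serif" survives, so a downstream font lookup that would have stat()'d the phar:// path is never reached. A consumer that cannot patch php-svg-lib itself can apply the same filter to the fontName it receives, which is the "double check" the advisory asks for.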