Bug#814030: Security flaw fixed in version 6.2.0
Control: retitle -1 tcpdf: CVE-2017-6100: LFI posting internal files externally abusing default parameter

Hi,

On Mon, Jan 09, 2017 at 09:39:30PM +0100, Raphael Hertzog wrote:
> On Thu, 05 Jan 2017, Raphael Hertzog wrote:
> > CCing upstream author for confirmation. Nicola we are trying to understand
> > what security fix went into tcpdf 6.2.0. The bug is private on
> > sourceforge, could you make it public now?
>
> The upstream bug is now public:
> https://sourceforge.net/p/tcpdf/bugs/1005/

FTR, this has been assigned CVE-2017-6100 (yes, the 2017 CVE id is a bit strange given the bug is older).

Moritz asked later on if one of the maintainers can prepare an update for jessie; what is the status? Is any work in progress yet?

Regards,
Salvatore
Bug#814030: Security flaw fixed in version 6.2.0
On Mon, Jan 09, 2017 at 09:39:30PM +0100, Raphael Hertzog wrote:
> Hi everybody,
>
> On Thu, 05 Jan 2017, Raphael Hertzog wrote:
> > CCing upstream author for confirmation. Nicola we are trying to understand
> > what security fix went into tcpdf 6.2.0. The bug is private on
> > sourceforge, could you make it public now?
>
> The upstream bug is now public:
> https://sourceforge.net/p/tcpdf/bugs/1005/

Since K_TCPDF_CALLS_IN_HTML defaults to jessie, we should fix this in jessie. Could one of the maintainers prepare an update?

Cheers,
Moritz
Bug#814030: Security flaw fixed in version 6.2.0
Hi everybody,

On Thu, 05 Jan 2017, Raphael Hertzog wrote:
> CCing upstream author for confirmation. Nicola we are trying to understand
> what security fix went into tcpdf 6.2.0. The bug is private on
> sourceforge, could you make it public now?

The upstream bug is now public:
https://sourceforge.net/p/tcpdf/bugs/1005/

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Bug#814030: Security flaw fixed in version 6.2.0
Hi,

CCing upstream author for confirmation. Nicola we are trying to understand
what security fix went into tcpdf 6.2.0. The bug is private on
sourceforge, could you make it public now?

For more details see:
https://bugs.debian.org/814030

On Wed, 04 Jan 2017, David Prévot wrote:
> >> Can you contact upstream for information on this security bug? I have
> >> no idea what that could possibly mean.
> >
> > Did you get any information on that from upstream? The bug is still
> > closed, so does not really help.

I did not contact upstream but looking at the changes in that version:

https://sourceforge.net/p/tcpdf/code/ci/40662daa766bd3a6b5eafa44dfde680ee6661716/tree/tcpdf.php?diff=3d5921442e7adde1ce225104118bc246a1933c65
https://sourceforge.net/p/tcpdf/code/ci/40662daa766bd3a6b5eafa44dfde680ee6661716/tree/include/tcpdf_fonts.php?diff=3d5921442e7adde1ce225104118bc246a1933c65
https://sourceforge.net/p/tcpdf/code/ci/40662daa766bd3a6b5eafa44dfde680ee6661716/tree/include/tcpdf_static.php?diff=3d5921442e7adde1ce225104118bc246a1933c65

I see calls to fopen() being replaced by TCPDF_STATIC::fopenLocal(), which
does ensure that we pass only a "file://" URL, or which adds this prefix if
there's no "://" in the string. So I guess that this issue is related to
this.

All the fopen() calls are for files to which we write, so I guess that we
can possibly inject an "ftp://" URL in some parameters and get some local
files sent to a remote location.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
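To make the mitigation Raphael infers from the diffs concrete, here is an added example of a "local files only" open wrapper. It is not TCPDF's code and not part of the bug thread: it is an illustrative re-implementation of the behaviour he describes for TCPDF_STATIC::fopenLocal() (prefix "file://" when the string carries no scheme, otherwise accept only "file://"). The function names localOnlyPath() and openLocalForWrite(), the absolute-path requirement and the Unix-style paths are assumptions made for this example; the sample inputs are constructed.

```php
<?php
// Added example, not code from TCPDF or from the Debian bug thread.
// It re-implements the behaviour described for TCPDF_STATIC::fopenLocal()
// as an illustration; the names below are assumptions for this example.

/**
 * Reduce a caller-supplied destination string to a local-file URL, or
 * return null if it names anything else.
 *
 * PHP's fopen() honours stream wrappers, so writing to a caller-controlled
 * string that carries a scheme such as "ftp://" or "php://" hands the written
 * bytes to that wrapper instead of the local filesystem. Restricting write
 * destinations to "file://" closes that path, which is the point of the
 * fopen() -> fopenLocal() change discussed above.
 */
function localOnlyPath(string $path): ?string
{
    if (strpos($path, '://') === false) {
        // No scheme: pin the string to the local filesystem. PHP's file://
        // wrapper needs an absolute path, so relative paths are refused here
        // (assumption: Unix-style paths starting with "/").
        if ($path === '' || $path[0] !== '/') {
            return null;
        }
        return 'file://' . $path;
    }
    // A scheme is present: allow only the absolute form "file:///...".
    // "file://host/..." is refused as well, since PHP does not support it.
    if (stripos($path, 'file:///') === 0) {
        return $path;
    }
    return null; // any other wrapper (ftp, http, php, data, ...) is refused
}

/**
 * fopen() for writing, restricted to local files.
 *
 * @return resource|false  handle on success, false if the path was refused
 */
function openLocalForWrite(string $path, string $mode = 'wb')
{
    $local = localOnlyPath($path);
    if ($local === null) {
        trigger_error("refusing non-local write destination: $path", E_USER_WARNING);
        return false;
    }
    return fopen($local, $mode);
}

// Constructed sample inputs to exercise the filter; none are real endpoints.
$samples = [
    sys_get_temp_dir() . '/tcpdf-example.txt',             // plain path    -> allowed
    'file://' . sys_get_temp_dir() . '/tcpdf-example.txt', // explicit file -> allowed
    'ftp://example.invalid/out.txt',                        // remote scheme -> refused
    'php://output',                                         // other wrapper -> refused
    'relative/cache.txt',                                   // relative path -> refused
];

foreach ($samples as $s) {
    $decision = localOnlyPath($s) === null ? 'REFUSED' : 'allowed';
    echo str_pad($decision, 8), ' ', $s, PHP_EOL;
}

// Round trip through the guarded writer on the one path that is allowed.
$fh = openLocalForWrite($samples[0]);
if ($fh !== false) {
    fwrite($fh, "written through the local-only wrapper\n");
    fclose($fh);
    unlink($samples[0]);
}
```

The allow-list on the scheme is deliberately strict: checking only that "://" is absent is not enough, because a string that already contains a foreign scheme would pass straight through to fopen(), and that is exactly the pattern the CVE title ("abusing default parameter") points at. When auditing a codebase for the same class of issue, every fopen()/file_put_contents() whose target is built from a request parameter or a default that callers can override is worth reviewing against this check.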
Bug#814030: Security flaw fixed in version 6.2.0
Hi,

I just added the maintainer and uploader to the loop. Hopefully they should know something about the package/code/issue.

On 04/01/2017 at 21:42, Salvatore Bonaccorso wrote:
> On Sun, Mar 27, 2016 at 01:33:01PM +0200, Moritz Mühlenhoff wrote:
>> On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
>>> Package: php-tcpdf
>>> Version: 6.0.093+dfsg-1
>>> Severity: serious
>>> Tags: security upstream
>>>
>>> According to their changelog [1], upstream fixed a security issue over a
>>> year ago:
>>>
>>> 6.2.0 (2014-12-10)
>>> - Bug #1005 "Security Report, LFI posting internal files externally
>>> abusing default parameter" was fixed.
>>>
>>> 1: https://sourceforge.net/p/tcpdf/code/ci/master/tree/CHANGELOG.TXT
>>>
>>> The upstream bug report [2] is not public, so I don’t have much
>>> information about the issue, the fix, nor its actual severity.
>>>
>>> 2: https://sourceforge.net/p/tcpdf/bugs/1005/
>>
>> Can you contact upstream for information on this security bug? I have
>> no idea what that could possibly mean.
>
> Did you get any information on that from upstream? The bug is still
> closed, so does not really help.
>
> Regards,
> Salvatore
Bug#814030: Security flaw fixed in version 6.2.0
Hi David,

On Sun, Mar 27, 2016 at 01:33:01PM +0200, Moritz Mühlenhoff wrote:
> On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
> > Package: php-tcpdf
> > Version: 6.0.093+dfsg-1
> > Severity: serious
> > Tags: security upstream
> >
> > According to their changelog [1], upstream fixed a security issue over a
> > year ago:
> >
> > 6.2.0 (2014-12-10)
> > - Bug #1005 "Security Report, LFI posting internal files externally
> > abusing default parameter" was fixed.
> >
> > 1: https://sourceforge.net/p/tcpdf/code/ci/master/tree/CHANGELOG.TXT
> >
> > The upstream bug report [2] is not public, so I don’t have much
> > information about the issue, the fix, nor its actual severity.
> >
> > 2: https://sourceforge.net/p/tcpdf/bugs/1005/
>
> Can you contact upstream for information on this security bug? I have
> no idea what that could possibly mean.

Did you get any information on that from upstream? The bug is still
closed, so does not really help.

Regards,
Salvatore
Bug#814030: Security flaw fixed in version 6.2.0
On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
> Package: php-tcpdf
> Version: 6.0.093+dfsg-1
> Severity: serious
> Tags: security upstream
>
> According to their changelog [1], upstream fixed a security issue over a
> year ago:
>
> 6.2.0 (2014-12-10)
> - Bug #1005 "Security Report, LFI posting internal files externally
> abusing default parameter" was fixed.
>
> 1: https://sourceforge.net/p/tcpdf/code/ci/master/tree/CHANGELOG.TXT
>
> The upstream bug report [2] is not public, so I don’t have much
> information about the issue, the fix, nor its actual severity.
>
> 2: https://sourceforge.net/p/tcpdf/bugs/1005/

Can you contact upstream for information on this security bug? I have
no idea what that could possibly mean.

Cheers,
Moritz
Bug#814030: Intent to bring php-tcpdf in the Debian PHP PEAR (and Composer) Maintainers team (Was: Bug#814030: Security flaw fixed in version 6.2.0)
Hi David.

I have sent to my mentor (Raphael Hertzog) a commit with the new upstream 6.2.12 of TCPDF.

If you plan/want to move package maintenance into the Debian PHP PEAR umbrella, why not. What will be the benefit and impact?

2016-02-23 4:33 GMT+01:00 David Prévot :
> Hi,
>
> On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
> > Package: php-tcpdf
> > Version: 6.0.093+dfsg-1
> > Severity: serious
> > Tags: security upstream
> >
> > According to their changelog [1], upstream fixed a security issue over a
> > year ago:
> […]
>
> In order to bring php-tcpdf back in line with upstream, and to follow
> more closely the PHP class packaging, I’d like to take the
> opportunity of team maintaining it under the Debian PHP PEAR (and
> Composer) Maintainers umbrella.
>
> Unless someone objects, I intend to move forward as soon as I have some
> time to spare on it.
>
> Regards
>
> David

--
EMail: e...@destailleur.fr
Web: http://www.destailleur.fr
Google+: https://plus.google.com/+LaurentDestailleur/
Facebook: https://www.facebook.com/Destailleur.Laurent
Twitter: http://www.twitter.com/eldy10
* Dolibarr (Project leader): http://www.dolibarr.org (make a donation for Dolibarr project via Paypal: cont...@destailleur.fr)
* AWStats (Author): http://awstats.sourceforge.net (make a donation for AWStats project via Paypal: cont...@destailleur.fr)
* AWBot (Author): http://awbot.sourceforge.net
* CVSChangeLogBuilder (Author): http://cvschangelogb.sourceforge.net
Bug#814030: Intent to bring php-tcpdf in the Debian PHP PEAR (and Composer) Maintainers team (Was: Bug#814030: Security flaw fixed in version 6.2.0)
Hi,

On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
> Package: php-tcpdf
> Version: 6.0.093+dfsg-1
> Severity: serious
> Tags: security upstream
>
> According to their changelog [1], upstream fixed a security issue over a
> year ago:
[…]

In order to bring php-tcpdf back in line with upstream, and to follow
more closely the PHP class packaging, I’d like to take the
opportunity of team maintaining it under the Debian PHP PEAR (and
Composer) Maintainers umbrella.

Unless someone objects, I intend to move forward as soon as I have some
time to spare on it.

Regards

David
Bug#814030: Security flaw fixed in version 6.2.0
Package: php-tcpdf
Version: 6.0.093+dfsg-1
Severity: serious
Tags: security upstream

According to their changelog [1], upstream fixed a security issue over a
year ago:

6.2.0 (2014-12-10)
- Bug #1005 "Security Report, LFI posting internal files externally
abusing default parameter" was fixed.

1: https://sourceforge.net/p/tcpdf/code/ci/master/tree/CHANGELOG.TXT

The upstream bug report [2] is not public, so I don’t have much
information about the issue, the fix, nor its actual severity.

2: https://sourceforge.net/p/tcpdf/bugs/1005/

Regards

David