Bug 33173

Summary: php-tcpdf new security issue CVE-2024-22640
Product: Mageia
Reporter: Nicolas Salguero <nicolas.salguero>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, sysadmin-bugs
Version: 9
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA9-64-OK
Source RPM: php-tcpdf-6.5.0-1.mga9.src.rpm
CVE: CVE-2024-22640
Status comment:

Nicolas Salguero 2024-05-02 16:45:04 CEST

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-22640
Source RPM: (none) => php-tcpdf-6.5.0-1.mga9.src.rpm

Comment 1 Nicolas Salguero 2024-05-02 16:56:41 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

TCPDF versions up to and including 6.6.5 are vulnerable to ReDoS (Regular Expression Denial of Service) when parsing untrusted HTML that contains a crafted color value. (CVE-2024-22640)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LIB3R2WB7XPW2I4PGVMZ3VLFLRHOK4RB/
========================

Updated packages in core/updates_testing:
========================
php-tcpdf-6.5.0-1.1.mga9
php-tcpdf-dejavu-6.5.0-1.1.mga9
php-tcpdf-dejavu-lgc-6.5.0-1.1.mga9
php-tcpdf-gnu-free-mono-fonts-6.5.0-1.1.mga9
php-tcpdf-gnu-free-sans-fonts-6.5.0-1.1.mga9
php-tcpdf-gnu-free-serif-fonts-6.5.0-1.1.mga9

from SRPM:
php-tcpdf-6.5.0-1.1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Assignee: bugsquad => qa-bugs
Version: Cauldron => 9
Status: NEW => ASSIGNED
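
The advisory only says "a crafted color" triggers catastrophic regex backtracking. The following is an added illustration of that failure mode and of the two checks a practitioner would apply; it is not TCPDF's code and the regexes in it are hypothetical (TCPDF's actual pattern is not shown on this page). The names VULNERABLE_HEX, SAFE_HEX, MAX_COLOR_LEN, crafted_color, vulnerable_parse, safe_parse and seconds_to_reject are all mine. It is written in Python because its backtracking engine exposes the cost directly; the same pattern shape is hazardous in PCRE, where PHP's pcre.backtrack_limit (1,000,000 by default) makes preg_match() fail instead of finishing, but still burns noticeable CPU per crafted attribute.

```python
import re
import time

# Added illustration, not TCPDF's code: a hypothetical hex-colour matcher
# written to show the shape of a ReDoS-prone pattern. The nested quantifier
# ([0-9a-fA-F]{1,2})+ is ambiguous: a run of n hex digits can be split into
# 1- or 2-digit chunks in Fibonacci(n) ways, and a backtracking engine tries
# every split before it gives up on a bad trailing byte.
VULNERABLE_HEX = re.compile(r"^#?([0-9a-fA-F]{1,2})+$")

# Hardened matcher: exactly 3 or 6 hex digits, no ambiguity, so the work is
# linear in the input length whatever the input is.
SAFE_HEX = re.compile(r"^#?(?:([0-9a-fA-F]{6})|([0-9a-fA-F]{3}))$")

# A colour value has a small known maximum length; refuse anything longer
# before any regex sees it. Cheapest defence against crafted attributes.
MAX_COLOR_LEN = 16


def crafted_color(n: int) -> str:
    """Constructed attacker input (not from the page): n valid hex digits
    followed by one bad byte, so the match must fail and the engine
    backtracks through every possible split."""
    return "#" + "f" * n + "!"


def vulnerable_parse(value: str) -> bool:
    """Accept/reject with the ambiguous pattern.
    Runtime on crafted_color(n) grows roughly as 1.6**n."""
    return VULNERABLE_HEX.match(value) is not None


def safe_parse(value: str):
    """Return (r, g, b) for a 3- or 6-digit hex colour, else None.
    Length is capped first, then the unambiguous pattern is applied."""
    if len(value) > MAX_COLOR_LEN:
        return None
    m = SAFE_HEX.match(value)
    if m is None:
        return None
    digits = m.group(1) or m.group(2)
    if len(digits) == 3:  # expand shorthand #abc -> #aabbcc
        digits = "".join(c * 2 for c in digits)
    return tuple(int(digits[i:i + 2], 16) for i in (0, 2, 4))


def seconds_to_reject(parser, value: str) -> float:
    """Wall-clock seconds the given parser needs to handle `value`."""
    start = time.perf_counter()
    parser(value)
    return time.perf_counter() - start


if __name__ == "__main__":
    for n in (16, 20, 24):
        bad = crafted_color(n)
        print(f"n={n:2d} vulnerable={seconds_to_reject(vulnerable_parse, bad):.4f}s "
              f"safe={seconds_to_reject(safe_parse, bad):.6f}s")
    print(safe_parse("#ff8000"), safe_parse("#abc"), safe_parse("red"))
```

Running the block shows the vulnerable matcher's rejection time multiplying by about 1.6 for every extra digit while the hardened one stays flat. The two checks generalise beyond colours: cap the length of any attribute value taken from untrusted HTML before it reaches a regex, and keep the regexes that do run on it free of nested or overlapping quantifiers.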

katnatek 2024-05-02 19:25:28 CEST

Keywords: (none) => advisory

Comment 2 katnatek 2024-05-04 04:33:54 CEST
RH mageia 8 x86_64

 LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  fonts-ttf-dejavu-lgc           2.37         4.mga9        noarch  
  gnu-free-fonts-common          20120503     11.mga9       noarch  
  gnu-free-mono-fonts            20120503     11.mga9       noarch  
  gnu-free-sans-fonts            20120503     11.mga9       noarch  
  gnu-free-serif-fonts           20120503     11.mga9       noarch  
  php-fedora-autoloader          1.0.1        2.mga9        noarch  
(medium "Core Updates (distrib3)")
  php-bcmath                     8.2.18       1.mga9        x86_64  
  php-ctype                      8.2.18       1.mga9        x86_64  
  php-curl                       8.2.18       1.mga9        x86_64  
  php-gd                         8.2.18       1.mga9        x86_64  
  php-mbstring                   8.2.18       1.mga9        x86_64  
  php-posix                      8.2.18       1.mga9        x86_64  
(command line)
  php-tcpdf                      6.5.0        1.1.mga9      noarch  
  php-tcpdf-dejavu               6.5.0        1.1.mga9      noarch  
  php-tcpdf-dejavu-lgc           6.5.0        1.1.mga9      noarch  
  php-tcpdf-gnu-free-mono-fonts  6.5.0        1.1.mga9      noarch  
  php-tcpdf-gnu-free-sans-fonts  6.5.0        1.1.mga9      noarch  
  php-tcpdf-gnu-free-serif-fonts 6.5.0        1.1.mga9      noarch  
33MB of additional disk space will be used.
8.2MB of packages will be retrieved.
Proceed with the installation of the 18 packages? (Y/n) y


    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/gnu-free-sans-fonts-20120503-11.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/gnu-free-fonts-common-20120503-11.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/php-fedora-autoloader-1.0.1-2.mga9.noarch.rpm  
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/gnu-free-mono-fonts-20120503-11.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/gnu-free-serif-fonts-20120503-11.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/fonts-ttf-dejavu-lgc-2.37-4.mga9.noarch.rpm    
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-posix-8.2.18-1.mga9.x86_64.rpm             
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-gd-8.2.18-1.mga9.x86_64.rpm                
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-bcmath-8.2.18-1.mga9.x86_64.rpm            
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-mbstring-8.2.18-1.mga9.x86_64.rpm          
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-curl-8.2.18-1.mga9.x86_64.rpm              
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-ctype-8.2.18-1.mga9.x86_64.rpm             
installing /var/cache/urpmi/rpms/php-curl-8.2.18-1.mga9.x86_64.rpm                                                                  
/home/katnatek/qa-testing/x86_64/php-tcpdf-gnu-free-sans-fonts-6.5.0-1.1.mga9.noarch.rpm
/var/cache/urpmi/rpms/fonts-ttf-dejavu-lgc-2.37-4.mga9.noarch.rpm
/var/cache/urpmi/rpms/gnu-free-serif-fonts-20120503-11.mga9.noarch.rpm
/home/katnatek/qa-testing/x86_64/php-tcpdf-6.5.0-1.1.mga9.noarch.rpm
/var/cache/urpmi/rpms/php-fedora-autoloader-1.0.1-2.mga9.noarch.rpm
/var/cache/urpmi/rpms/gnu-free-sans-fonts-20120503-11.mga9.noarch.rpm
/var/cache/urpmi/rpms/php-bcmath-8.2.18-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/gnu-free-mono-fonts-20120503-11.mga9.noarch.rpm
/var/cache/urpmi/rpms/php-ctype-8.2.18-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/gnu-free-fonts-common-20120503-11.mga9.noarch.rpm
/home/katnatek/qa-testing/x86_64/php-tcpdf-gnu-free-serif-fonts-6.5.0-1.1.mga9.noarch.rpm
/var/cache/urpmi/rpms/php-posix-8.2.18-1.mga9.x86_64.rpm
/var/cache/urpmi/rpms/php-gd-8.2.18-1.mga9.x86_64.rpm
/home/katnatek/qa-testing/x86_64/php-tcpdf-dejavu-lgc-6.5.0-1.1.mga9.noarch.rpm
/home/katnatek/qa-testing/x86_64/php-tcpdf-dejavu-6.5.0-1.1.mga9.noarch.rpm
/home/katnatek/qa-testing/x86_64/php-tcpdf-gnu-free-mono-fonts-6.5.0-1.1.mga9.noarch.rpm
/var/cache/urpmi/rpms/php-mbstring-8.2.18-1.mga9.x86_64.rpm
Preparing...                     ##################################################################################################
     1/18: gnu-free-fonts-common ##################################################################################################
     2/18: gnu-free-serif-fonts  ##################################################################################################
     3/18: gnu-free-sans-fonts   ##################################################################################################
     4/18: gnu-free-mono-fonts   ##################################################################################################
     5/18: php-mbstring          ##################################################################################################
     6/18: php-gd                ##################################################################################################
     7/18: php-posix             ##################################################################################################
     8/18: php-ctype             ##################################################################################################
     9/18: php-fedora-autoloader ##################################################################################################
    10/18: php-bcmath            ##################################################################################################
    11/18: fonts-ttf-dejavu-lgc  ##################################################################################################
    12/18: php-curl              ##################################################################################################
    13/18: php-tcpdf             ##################################################################################################
    14/18: php-tcpdf-gnu-free-sans-fonts
                                 ##################################################################################################
    15/18: php-tcpdf-gnu-free-serif-fonts
                                 ##################################################################################################
    16/18: php-tcpdf-dejavu-lgc  ##################################################################################################
    17/18: php-tcpdf-dejavu      ##################################################################################################
    18/18: php-tcpdf-gnu-free-mono-fonts
                                 ##################################################################################################

Testing basic function. Reference: bug#23699 comment#10, with some modifications.

php /usr/share/doc/php-tcpdf/examples/example_001.php > test.pdf

Open the PDF, see this text (with some images, a link and formatting):

TCPDF Example 001 by Nicola Asuni - Tecnick.com www.tcpdf.org Welcome to TCPDF! This is the first example of TCPDF library. This text is printed using the writeHTMLCell() method but you can also use: Multicell(), writeHTML(), Write(), Cell() and Text(). Please check the source code documentation and other examples for further information. TO IMPROVE AND EXPAND TCPDF I NEED YOUR SUPPORT, PLEASE MAKE A DONATION!

php /usr/share/doc/php-tcpdf/examples/example_002.php > test-002.pdf

Open the PDF, see this text with formatting:

TCPDF Example 002 Default page header and footer are disabled using setPrintHeader() and setPrintFooter() methods.

Not sure if it is safe to test the POC I found.

katnatek 2024-05-04 04:36:58 CEST

CC: (none) => andrewsfarm

Comment 3 katnatek 2024-05-04 04:38:36 CEST
Also no uninstall issues.
I hope it is good enough.

Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2024-05-04 13:23:07 CEST
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2024-05-09 04:42:03 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0169.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED