A CVE has been assigned for a security issue fixed upstream in tcpdf over 2 years ago:
http://openwall.com/lists/oss-security/2017/02/19/1
The fix was included in version 6.2.0.
Fixed package submitted in updates_testing.

Suggested advisory:
========================

A local file inclusion vulnerability in TCPDF allows files from the server generating PDF files to be uploaded to an external FTP server (CVE-1234-5678).

The updated php-tcpdf-6.0.098-1.1.mga5 package fixes this issue by setting the K_TCPDF_CALLS_IN_HTML configuration parameter to false by default.
Assignee: guillomovitch => qa-bugs
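Added example, not code from this bug report or from the php-tcpdf package: a POSIX shell check that reads a TCPDF config file and reports whether K_TCPDF_CALLS_IN_HTML is enabled, so a tester can confirm the default the update sets is actually in effect on a host (a locally edited config could turn it back on). The two config files below are constructed samples; the real config path is not given in the report and is passed as the function argument.

```shell
#!/bin/sh
# Added example, not code from the bug report or the php-tcpdf package.
# Reads a TCPDF config file and reports the value of K_TCPDF_CALLS_IN_HTML,
# the setting the mga5 update turns off by default.

# Print "true", "false" or "unset": the last uncommented define() wins,
# matching how PHP evaluates the file top to bottom.
tcpdf_calls_in_html() {
    _v=$(tr '[:upper:]' '[:lower:]' < "$1" \
        | grep -v -E '^[[:space:]]*(//|#|\*)' \
        | sed -E -n "s/.*define[[:space:]]*\([[:space:]]*['\"]k_tcpdf_calls_in_html['\"][[:space:]]*,[[:space:]]*(true|false).*/\1/p" \
        | tail -n 1)
    echo "${_v:-unset}"
}

# Exit 0 when the setting is explicitly false, 1 when it is true,
# 2 when the file does not set it (the library default then applies,
# which depends on the TCPDF version, so treat it as "needs a look").
check_tcpdf_config() {
    case "$(tcpdf_calls_in_html "$1")" in
        false) echo "$1: K_TCPDF_CALLS_IN_HTML=false (tcpdf method tags in HTML disabled)"; return 0 ;;
        true)  echo "$1: K_TCPDF_CALLS_IN_HTML=true  (tcpdf method tags in HTML ENABLED)";  return 1 ;;
        *)     echo "$1: K_TCPDF_CALLS_IN_HTML not set here; library default applies"; return 2 ;;
    esac
}

# Constructed sample configs, not the real Mageia files.
tmp=$(mktemp -d)
cat > "$tmp/before.php" <<'EOF'
<?php
// constructed sample: the pre-update default
define ('K_TCPDF_CALLS_IN_HTML', true);
EOF
cat > "$tmp/after.php" <<'EOF'
<?php
// define ('K_TCPDF_CALLS_IN_HTML', true);   old value left as a comment
define ('K_TCPDF_CALLS_IN_HTML', false);
EOF

for f in "$tmp/before.php" "$tmp/after.php"; do
    check_tcpdf_config "$f" || :
done
```

Run it against the config file the package installs; a non-zero exit means the setting is either still on or not set in that file.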
MGA5-32 on Asus A6000VM Xfce
No installation issues
Looking for some test:
# urpmq --whatrequires php-tcpdf
galette
galette
php-tcpdf
Looked up galette: "Galette is an online tool to manage membership and fees dedicated to non profit organizations." Phew!
CC: (none) => herman.viaene
# uname -a
Linux localhost 4.4.39-server-1.mga5 #1 SMP Fri Dec 16 19:07:42 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

I've created a PDF with the tool.
# urpmi php-tcpdf
Package php-tcpdf-6.0.098-1.1.mga5.noarch is already installed
Marking php-tcpdf as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list

I went into the example folder:
$ cd /usr/share/doc/php-tcpdf/examples
$ php example_001.php > ~/vmshare/php_ex1.pdf
The pdf file opens correctly. This version works at least minimally. I consider that a good test. Any thoughts?
CC: (none) => brtians1
Whiteboard: (none) => mga5-64-ok
Advisory uploaded to svn, specifying CVE-2017-6100 rather than CVE-1234-5678. :-)
CC: (none) => davidwhodgins
Whiteboard: mga5-64-ok => mga5-64-ok advisory
[brian@localhost ~]$ su
Password:
[root@localhost brian]# urpmi php-tcpdf
To satisfy dependencies, the following packages are going to be installed:
  Package            Version    Release   Arch
(medium "Core Release (distrib1)")
  php-suhosin        0.9.37.1   1.mga5    i586    (recommended)
  webserver-base     2.0        8.mga5    i586
(medium "Core Updates (distrib3)")
  libphp5_common5    5.6.30     1.mga5    i586
  php-cli            5.6.30     1.mga5    i586
  php-ctype          5.6.30     1.mga5    i586
  php-dom            5.6.30     1.mga5    i586
  php-filter         5.6.30     1.mga5    i586
  php-ftp            5.6.30     1.mga5    i586
  php-gettext        5.6.30     1.mga5    i586
  php-hash           5.6.30     1.mga5    i586
  php-ini            5.6.30     1.mga5    i586
  php-json           5.6.30     1.mga5    i586
  php-openssl        5.6.30     1.mga5    i586
  php-posix          5.6.30     1.mga5    i586
  php-session        5.6.30     1.mga5    i586
  php-sysvsem        5.6.30     1.mga5    i586
  php-sysvshm        5.6.30     1.mga5    i586
  php-timezonedb     2016.6     1.mga5    i586
  php-tokenizer      5.6.30     1.mga5    i586
  php-xml            5.6.30     1.mga5    i586
  php-xmlreader      5.6.30     1.mga5    i586
  php-xmlwriter      5.6.30     1.mga5    i586
  php-zlib           5.6.30     1.mga5    i586
(medium "Core Updates Testing (distrib5)")
  php-tcpdf          6.0.098    1.1.mga5  noarch
36MB of additional disk space will be used.
15MB of packages will be retrieved.
Proceed with the installation of the 24 packages? (Y/n) y
    $MIRRORLIST: media/core/release/webserver-base-2.0-8.mga5.i586.rpm
    $MIRRORLIST: media/core/release/php-suhosin-0.9.37.1-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-posix-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-xmlwriter-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-timezonedb-2016.6-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-filter-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-xml-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/libphp5_common5-5.6.30-1.mga5.i586.rpm
installing libphp5_common5-5.6.30-1.mga5.i586.rpm php-suhosin-0.9.37.1-1.mga5.i586.rpm php-xml-5.6.30-1.mga5.i586.rpm php-filter-5.6.30-1.mga5.i586.rpm webserver-base-2.0-8.mga5.i586.rpm php-xmlwriter-5.6.30-1.mga5.i586.rpm php-timezonedb-2016.6-1.mga5.i586.rpm php-posix-5.6.30-1.mga5.i586.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
      1/24: libphp5_common5      #############################################
      2/24: webserver-base       #############################################
      3/24: php-xml              #############################################
      4/24: php-filter           #############################################
      5/24: php-xmlwriter        #############################################
      6/24: php-posix            #############################################
      7/24: php-timezonedb       #############################################
      8/24: php-suhosin          #############################################
    $MIRRORLIST: media/core/updates/php-sysvsem-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-openssl-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-ftp-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-ini-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-zlib-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-session-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-gettext-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-json-5.6.30-1.mga5.i586.rpm
installing php-session-5.6.30-1.mga5.i586.rpm php-zlib-5.6.30-1.mga5.i586.rpm php-gettext-5.6.30-1.mga5.i586.rpm php-json-5.6.30-1.mga5.i586.rpm php-openssl-5.6.30-1.mga5.i586.rpm php-sysvsem-5.6.30-1.mga5.i586.rpm php-ftp-5.6.30-1.mga5.i586.rpm php-ini-5.6.30-1.mga5.i586.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
      9/24: php-ini              #############################################
     10/24: php-ftp              #############################################
     11/24: php-sysvsem          #############################################
     12/24: php-openssl          #############################################
     13/24: php-json             #############################################
     14/24: php-gettext          #############################################
     15/24: php-zlib             #############################################
     16/24: php-session          #############################################
    $MIRRORLIST: media/core/updates/php-cli-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-sysvshm-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-xmlreader-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-tokenizer-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-hash-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-ctype-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-dom-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates_testing/php-tcpdf-6.0.098-1.1.mga5.noarch.rpm
installing php-tcpdf-6.0.098-1.1.mga5.noarch.rpm php-dom-5.6.30-1.mga5.i586.rpm php-tokenizer-5.6.30-1.mga5.i586.rpm php-ctype-5.6.30-1.mga5.i586.rpm php-hash-5.6.30-1.mga5.i586.rpm php-xmlreader-5.6.30-1.mga5.i586.rpm php-cli-5.6.30-1.mga5.i586.rpm php-sysvshm-5.6.30-1.mga5.i586.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
     17/24: php-sysvshm          #############################################
     18/24: php-hash             #############################################
     19/24: php-ctype            #############################################
     20/24: php-tokenizer        #############################################
     21/24: php-dom              #############################################
     22/24: php-xmlreader        #############################################
     23/24: php-cli              #############################################
     24/24: php-tcpdf            #############################################
[root@localhost brian]# ^C
[root@localhost brian]#

I ran example_001.php and example_002.php out to files. Both PDFs could be opened with Document Viewer.
Whiteboard: mga5-64-ok advisory => mga5-64-ok mga5-32-ok advisory
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0067.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED