Bug 20322 - php-tcpdf new security issue CVE-2017-6100
Summary: php-tcpdf new security issue CVE-2017-6100
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga5-64-ok mga5-32-ok advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-02-20 00:12 CET by David Walser
Modified: 2017-02-26 23:02 CET

See Also:
Source RPM: php-tcpdf-6.0.098-1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2017-02-20 00:12:34 CET
A CVE has been assigned for a security issue fixed upstream in tcpdf over 2 years ago:
http://openwall.com/lists/oss-security/2017/02/19/1

The fix was included in version 6.2.0.
Comment 1 Guillaume Rousse 2017-02-20 19:55:51 CET
Fixed package submitted in updates_testing.

Suggested advisory:
========================

A local file inclusion vulnerability in TCPDF allows files from the server generating PDF files to be uploaded to an external FTP server (CVE-1234-5678).

The updated php-tcpdf-6.0.098-1.1.mga5 package fixes this issue by setting K_TCPDF_CALLS_IN_HTML configuration parameter to false by default.

Assignee: guillomovitch => qa-bugs
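
As an added example (not code from the bug report, from Mageia or from TCPDF), the following Python audit lets a defender check a TCPDF configuration or wrapper for the setting this update changes, K_TCPDF_CALLS_IN_HTML, and gate untrusted HTML before it reaches writeHTML(). The config and HTML samples are constructed, and the K_PATH_MAIN value in them is an assumption.

```python
"""Defender-side checks for the issue in this update (added example; not code from the bug
report, from Mageia or from TCPDF). With K_TCPDF_CALLS_IN_HTML=true, <tcpdf method="...">
elements in HTML passed to writeHTML() invoke TCPDF methods; the update turns that off."""
import re

DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]K_TCPDF_CALLS_IN_HTML['"]\s*,\s*(true|false)\s*\)""", re.I)
TCPDF_TAG_RE = re.compile(r"<\s*tcpdf\b[^>]*>", re.I)

def _strip_php_comments(src: str) -> str:
    """Drop /* */ blocks and anything after // or # on a line (line-based: a literal
    '//' inside a PHP string, e.g. a URL, is cut too, which is acceptable for an audit)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return "\n".join(re.split(r"//|#", line, maxsplit=1)[0] for line in src.splitlines())

def audit_tcpdf_config(php_source: str, default: bool = False) -> dict:
    """Effective K_TCPDF_CALLS_IN_HTML in a PHP config or wrapper. `default` is what the
    library assumes when nothing defines it (false once the fix is in). PHP keeps the
    FIRST define() of a constant and only warns on later ones, so the first match wins."""
    values = DEFINE_RE.findall(_strip_php_comments(php_source))
    enabled = default if not values else values[0].lower() == "true"
    return {"defined": bool(values), "calls_in_html": enabled, "safe": not enabled}

def find_tcpdf_calls(html: str) -> list:
    """Every <tcpdf ...> element in an HTML fragment, for logging or rejection."""
    return TCPDF_TAG_RE.findall(html)

def gate_html(php_source: str, html: str) -> tuple:
    """Decide what to do with untrusted HTML before TCPDF::writeHTML(): render it as-is,
    strip <tcpdf> elements (defence in depth when the fixed default is already active),
    or reject it outright when the configuration would still honour those calls."""
    if not find_tcpdf_calls(html):
        return ("render", html)
    if audit_tcpdf_config(php_source)["safe"]:
        return ("strip", TCPDF_TAG_RE.sub("", html))
    return ("reject", "")

# Constructed samples (not real Mageia or TCPDF files; the path is an assumption).
VULNERABLE_CONFIG = """<?php
define('K_PATH_MAIN', '/usr/share/php/tcpdf/');
define('K_TCPDF_CALLS_IN_HTML', true);   // pre-update setting
"""
FIXED_CONFIG = """<?php
/* corrected default, as described in the advisory */
// define('K_TCPDF_CALLS_IN_HTML', true);   old value left in a comment, must be ignored
define('K_TCPDF_CALLS_IN_HTML', false);
"""
UNTRUSTED_HTML = '<h1>Invoice</h1><tcpdf method="AddPage" /><p>total: 42</p>'
```

Run `audit_tcpdf_config()` over the config file actually loaded by your deployment (a site-local config selected via K_TCPDF_EXTERNAL_CONFIG can differ from the packaged one).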

Comment 2 Herman Viaene 2017-02-21 15:22:21 CET
MGA5-32 on Asus A6000VM Xfce
No installation issues
Looking for some tests:
# urpmq --whatrequires php-tcpdf
galette
galette
php-tcpdf
Looked at galette: "Galette is an online tool to manage membership and fees dedicated to non profit organizations." Phew!

CC: (none) => herman.viaene

Comment 3 Brian Rockwell 2017-02-21 22:29:55 CET
# uname -a
Linux localhost 4.4.39-server-1.mga5 #1 SMP Fri Dec 16 19:07:42 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

I've created a PDF with the tool.

# urpmi php-tcpdf
Package php-tcpdf-6.0.098-1.1.mga5.noarch is already installed
Marking php-tcpdf as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list

I went into the example folder:
$ cd /usr/share/doc/php-tcpdf/examples
$ php example_001.php > ~/vmshare/php_ex1.pdf

The pdf file opens correctly.

This version works at least minimally. I consider that a good test. Any thoughts?

CC: (none) => brtians1
Whiteboard: (none) => mga5-64-ok

Comment 4 Dave Hodgins 2017-02-22 03:13:04 CET
Advisory uploaded to svn, specifying CVE-2017-6100 rather than CVE-1234-5678. :-)

CC: (none) => davidwhodgins
Whiteboard: mga5-64-ok => mga5-64-ok advisory

Comment 5 Brian Rockwell 2017-02-26 20:35:02 CET
[brian@localhost ~]$ su
Password: 
[root@localhost brian]# urpmi php-tcpdf
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  php-suhosin                    0.9.37.1     1.mga5        i586    (recommended)
  webserver-base                 2.0          8.mga5        i586    
(medium "Core Updates (distrib3)")
  libphp5_common5                5.6.30       1.mga5        i586    
  php-cli                        5.6.30       1.mga5        i586    
  php-ctype                      5.6.30       1.mga5        i586    
  php-dom                        5.6.30       1.mga5        i586    
  php-filter                     5.6.30       1.mga5        i586    
  php-ftp                        5.6.30       1.mga5        i586    
  php-gettext                    5.6.30       1.mga5        i586    
  php-hash                       5.6.30       1.mga5        i586    
  php-ini                        5.6.30       1.mga5        i586    
  php-json                       5.6.30       1.mga5        i586    
  php-openssl                    5.6.30       1.mga5        i586    
  php-posix                      5.6.30       1.mga5        i586    
  php-session                    5.6.30       1.mga5        i586    
  php-sysvsem                    5.6.30       1.mga5        i586    
  php-sysvshm                    5.6.30       1.mga5        i586    
  php-timezonedb                 2016.6       1.mga5        i586    
  php-tokenizer                  5.6.30       1.mga5        i586    
  php-xml                        5.6.30       1.mga5        i586    
  php-xmlreader                  5.6.30       1.mga5        i586    
  php-xmlwriter                  5.6.30       1.mga5        i586    
  php-zlib                       5.6.30       1.mga5        i586    
(medium "Core Updates Testing (distrib5)")
  php-tcpdf                      6.0.098      1.1.mga5      noarch  
36MB of additional disk space will be used.
15MB of packages will be retrieved.
Proceed with the installation of the 24 packages? (Y/n) y


    $MIRRORLIST: media/core/release/webserver-base-2.0-8.mga5.i586.rpm
    $MIRRORLIST: media/core/release/php-suhosin-0.9.37.1-1.mga5.i586.rpm       
    $MIRRORLIST: media/core/updates/php-posix-5.6.30-1.mga5.i586.rpm           
    $MIRRORLIST: media/core/updates/php-xmlwriter-5.6.30-1.mga5.i586.rpm       
    $MIRRORLIST: media/core/updates/php-timezonedb-2016.6-1.mga5.i586.rpm      
    $MIRRORLIST: media/core/updates/php-filter-5.6.30-1.mga5.i586.rpm          
    $MIRRORLIST: media/core/updates/php-xml-5.6.30-1.mga5.i586.rpm             
    $MIRRORLIST: media/core/updates/libphp5_common5-5.6.30-1.mga5.i586.rpm     
installing libphp5_common5-5.6.30-1.mga5.i586.rpm php-suhosin-0.9.37.1-1.mga5.i586.rpm php-xml-5.6.30-1.mga5.i586.rpm php-filter-5.6.30-1.mga5.i586.rpm webserver-base-2.0-8.mga5.i586.rpm php-xmlwriter-5.6.30-1.mga5.i586.rpm php-timezonedb-2016.6-1.mga5.i586.rpm php-posix-5.6.30-1.mga5.i586.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
     1/24: libphp5_common5       #############################################
     2/24: webserver-base        #############################################
     3/24: php-xml               #############################################
     4/24: php-filter            #############################################
     5/24: php-xmlwriter         #############################################
     6/24: php-posix             #############################################
     7/24: php-timezonedb        #############################################
     8/24: php-suhosin           #############################################


    $MIRRORLIST: media/core/updates/php-sysvsem-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-openssl-5.6.30-1.mga5.i586.rpm         
    $MIRRORLIST: media/core/updates/php-ftp-5.6.30-1.mga5.i586.rpm             
    $MIRRORLIST: media/core/updates/php-ini-5.6.30-1.mga5.i586.rpm             
    $MIRRORLIST: media/core/updates/php-zlib-5.6.30-1.mga5.i586.rpm            
    $MIRRORLIST: media/core/updates/php-session-5.6.30-1.mga5.i586.rpm         
    $MIRRORLIST: media/core/updates/php-gettext-5.6.30-1.mga5.i586.rpm         
    $MIRRORLIST: media/core/updates/php-json-5.6.30-1.mga5.i586.rpm            
installing php-session-5.6.30-1.mga5.i586.rpm php-zlib-5.6.30-1.mga5.i586.rpm php-gettext-5.6.30-1.mga5.i586.rpm php-json-5.6.30-1.mga5.i586.rpm php-openssl-5.6.30-1.mga5.i586.rpm php-sysvsem-5.6.30-1.mga5.i586.rpm php-ftp-5.6.30-1.mga5.i586.rpm php-ini-5.6.30-1.mga5.i586.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
     9/24: php-ini               #############################################
    10/24: php-ftp               #############################################
    11/24: php-sysvsem           #############################################
    12/24: php-openssl           #############################################
    13/24: php-json              #############################################
    14/24: php-gettext           #############################################
    15/24: php-zlib              #############################################
    16/24: php-session           #############################################


    $MIRRORLIST: media/core/updates/php-cli-5.6.30-1.mga5.i586.rpm
    $MIRRORLIST: media/core/updates/php-sysvshm-5.6.30-1.mga5.i586.rpm         
    $MIRRORLIST: media/core/updates/php-xmlreader-5.6.30-1.mga5.i586.rpm       
    $MIRRORLIST: media/core/updates/php-tokenizer-5.6.30-1.mga5.i586.rpm       
    $MIRRORLIST: media/core/updates/php-hash-5.6.30-1.mga5.i586.rpm            
    $MIRRORLIST: media/core/updates/php-ctype-5.6.30-1.mga5.i586.rpm           
    $MIRRORLIST: media/core/updates/php-dom-5.6.30-1.mga5.i586.rpm             
    $MIRRORLIST: media/core/updates_testing/php-tcpdf-6.0.098-1.1.mga5.noarch.rpm
installing php-tcpdf-6.0.098-1.1.mga5.noarch.rpm php-dom-5.6.30-1.mga5.i586.rpm php-tokenizer-5.6.30-1.mga5.i586.rpm php-ctype-5.6.30-1.mga5.i586.rpm php-hash-5.6.30-1.mga5.i586.rpm php-xmlreader-5.6.30-1.mga5.i586.rpm php-cli-5.6.30-1.mga5.i586.rpm php-sysvshm-5.6.30-1.mga5.i586.rpm from /var/cache/urpmi/rpms
Preparing...                     #############################################
    17/24: php-sysvshm           #############################################
    18/24: php-hash              #############################################
    19/24: php-ctype             #############################################
    20/24: php-tokenizer         #############################################
    21/24: php-dom               #############################################
    22/24: php-xmlreader         #############################################
    23/24: php-cli               #############################################
    24/24: php-tcpdf             #############################################
[root@localhost brian]# ^C
[root@localhost brian]# 


I ran example_001.php and example_002.php out to files. Both PDFs could be opened with Document Viewer.

Whiteboard: mga5-64-ok advisory => mga5-64-ok mga5-32-ok advisory

Lewis Smith 2017-02-26 21:48:27 CET

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2017-02-26 23:02:57 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0067.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

