Fedora has issued an advisory on October 4: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LTRUQ2HLUCL2D7KVNDJ6HWK7MCVT3KLR/ Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Fixed in cauldron.
in php-tcpdf-6.2.26-1.mga7.
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
I tried backporting the patches to the version shipped in Mageia 6 (6.2.13) without success. There is no CVE number, and the only available description of the fixed deserialization issue is really vague. There is still the possibility of shipping the current version (6.2.26) instead, as Fedora did, but with so little information available, I don't think that's worth breaking our update policy. So, that's a WONTFIX for me in the current state.
If 6.2.x is like a stable branch, it wouldn't violate the policy to update it. We've been having to update more things lately, as I don't have time to do most of the packaging work anymore, and most of our other packagers either lack the time or ability to backport patches. We don't have basically a full time security person anymore so we have to be slightly less conservative.
According to the changelog, the major version is 6, so any updates in 6.x can be done. At least updating to 6.2.19: "Merge various fixes for PHP 7.3 compatibility and security." should be done. But I don't see why we should not push the latest version.
CC: (none) => mageia
Our current update policy, so far, has been to push minimal updates, with just specific patches applied, in order to fix identified security issues. What you propose here is to make an assumption about the version number, speculating about its impact, in order to fix unidentified issues. My own estimation is that such an update is unlikely to hurt anything, but also unlikely to provide actual benefit for anyone either. Which is just a waste of time for packagers. Feel free to do it if you want, I just won't do it myself.
No, I'm just reading the official changelog. If they state the only changes since our version are bug fixes and security issues, we have to trust them.
Suggested advisory:
========================

Updated php-tcpdf packages fix security vulnerabilities:

- Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data.
- Merge various fixes for PHP 7.3 compatibility and security.

References:
https://github.com/tecnickcom/TCPDF/blob/master/CHANGELOG.TXT
========================

Updated packages in core/updates_testing:
========================

php-tcpdf-6.2.26-1.mga6.noarch.rpm

SRPM:
php-tcpdf-6.2.26-1.mga6.src.rpm
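The phar:// item in the advisory above is an instance of a general PHP pitfall: filesystem functions such as file_exists(), is_file() or getimagesize() accept stream-wrapper URLs, and when the path names a phar archive PHP unserializes the archive's metadata as a side effect, so any library that passes user-supplied paths straight to those functions is exposed. The following is an added example, not TCPDF's own fix and not code from this bug report: a path-validation helper that a library accepting user-controlled file names could run before touching the filesystem. The function names, the $allowRemote switch and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not TCPDF code): refuse stream-wrapper URLs such as phar://
// before a user-supplied path reaches file_exists(), getimagesize(), etc.

/**
 * Accept plain local paths (no scheme). When $allowRemote is true, also
 * accept http:// and https:// URLs. Every other wrapper (phar://, data://,
 * glob://, ftp://, ...) is refused, whatever its letter case, because PHP
 * resolves wrapper names case-insensitively.
 */
function isSafeFilePath(string $path, bool $allowRemote = false): bool
{
    $path = trim($path);
    if ($path === '' || strpos($path, "\0") !== false) {
        return false;                       // empty, or a NUL-byte truncation attempt
    }
    // Anything of the form scheme:// is routed through a stream wrapper.
    if (preg_match('#^([a-z][a-z0-9+.\-]*)://#i', $path, $m)) {
        $scheme = strtolower($m[1]);
        return $allowRemote && in_array($scheme, ['http', 'https'], true);
    }
    return true;                            // ordinary local path
}

/**
 * Resolve a local path and confine it to $baseDir. Returns the canonical
 * path, or null when the path uses a wrapper, does not exist, or escapes
 * the base directory via ".." or symlinks.
 */
function resolveLocalPath(string $path, string $baseDir): ?string
{
    if (!isSafeFilePath($path)) {
        return null;
    }
    $real = realpath($path);
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        return null;
    }
    // realpath() has already collapsed "..", so a prefix check is sufficient.
    if ($real !== $base && strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Constructed sample inputs (hypothetical; they need not exist on disk).
$samples = [
    '/usr/share/php/tcpdf/examples/images/logo.png',
    'https://example.org/logo.png',
    'phar:///tmp/archive.phar/logo.png',
    'PHAR://localhost/archive.phar',
    'data://text/plain;base64,AAAA',
    "logo.png\0.txt",
];

foreach ($samples as $s) {
    printf("%-50s %s\n", addcslashes($s, "\0"),
        isSafeFilePath($s, true) ? 'accepted' : 'rejected');
}
```

The scheme check is deliberately an allow-list rather than a block-list of known-bad wrappers: a block-list has to be kept in step with every wrapper PHP or an extension registers, whereas the allow-list only has to name the two forms the application actually needs. resolveLocalPath() is the second layer for local files, so that a path without any scheme still cannot reach files outside the directory the library is meant to serve.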
Assignee: guillomovitch => qa-bugs
Looking at this for mga6, x86_64. The link in comment 8 enables the user to track back to: https://github.com/tecnickcom/TCPDF Tried downloading a number of files in order to test some of the examples but could only get so far with php at the cli. It is probably necessary to execute a pull request for the whole tutorial in order to run the examples. I signed up to github long ago but cannot remember my username or password so shall drop this for the time being. The password might be recorded somewhere. Too late to pursue this tonight.
CC: (none) => tarazed25
OK. Made a pull request on the Master branch at the address noted in comment 9. Downloaded the examples in zip format and created a test directory. Ran the first example to generate a PDF file which displayed fine with xpdf.

$ php example_001.php > test_1.pdf

Updated the package and ran another of the examples.

$ php example_009.php > test_9.pdf
$ okular test_9.pdf

Showed a page of images and thumbnails of a TCPDF logo.

The tools directory contains tcpdf_addfont with some example commands. The tcpdf_addfont is available as a system command in /bin. Tried one of the examples:

$ tcpdf_addfont -b -t Type1 -f 97 -e cp1252 -o ~/fontpack -i pdfacourieri.pfb,pdfacourierbi.pfb
>>> Converting fonts for TCPDF:
*** Output dir set to /home/lcl/fontpack/
--- ERROR: can't add pdfacourieri.pfb
--- ERROR: can't add pdfacourierbi.pfb
--- Process completed with ERRORS!

This may be due to ignorance on the part of the user. That aside, this package looks good for 64-bits.
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Adding my pound of ignorance on this subject:

$ tcpdf_addfont --help
tcpdf_addfont - command line tool to convert fonts for the TCPDF library.
Usage: tcpdf_addfont.php [ options ] -i fontfile[,fontfile]...
etc ......

then

# tcpdf_addfont -i /usr/share/fonts/Type1/c0419bt_.pfb
>>> Converting fonts for TCPDF:
*** Output dir set to /usr/share/php/tcpdf/fonts/
+++ OK : /usr/share/fonts/Type1/c0419bt_.pfb added as c0419bt_
>>> Process successfully completed!

Indeed, file c0419bt_.php was added to /usr/share/php/tcpdf/fonts/. Checked by comparing the date on this file (jan 29 2019) while the other fonts in this folder are dated oct 16 2018. Seems OK to me.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
Re comment 11: Thanks Herman; I was going in the wrong direction.

$ cd fontpack
$ sudo tcpdf_addfont -i andalemo.pfb
>>> Converting fonts for TCPDF:
*** Output dir set to /usr/share/php/tcpdf/fonts/
PHP Notice: Undefined offset: 0 in /usr/share/php/tcpdf/include/tcpdf_fonts.php on line 339
+++ OK : /home/lcl/fontpack/andalemo.pfb added as andalemo
>>> Process successfully completed!

Adding the 64-bit OK.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Speedy work again!
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0053.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED