Fedora has issued an advisory on May 2: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LIB3R2WB7XPW2I4PGVMZ3VLFLRHOK4RB/ The fix is: https://github.com/tecnickcom/TCPDF/commit/05f3a28f4a7905019469e040cf77e53d6aa7f679 Mageia 9 is also affected.
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-22640
Source RPM: (none) => php-tcpdf-6.5.0-1.mga9.src.rpm
Suggested advisory:
========================

The updated packages fix a security vulnerability:

TCPDF version <=6.6.5 is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted HTML page with a crafted color. (CVE-2024-22640)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LIB3R2WB7XPW2I4PGVMZ3VLFLRHOK4RB/
========================

Updated packages in core/updates_testing:
========================

php-tcpdf-6.5.0-1.1.mga9
php-tcpdf-dejavu-6.5.0-1.1.mga9
php-tcpdf-dejavu-lgc-6.5.0-1.1.mga9
php-tcpdf-gnu-free-mono-fonts-6.5.0-1.1.mga9
php-tcpdf-gnu-free-sans-fonts-6.5.0-1.1.mga9
php-tcpdf-gnu-free-serif-fonts-6.5.0-1.1.mga9

from SRPM:
php-tcpdf-6.5.0-1.1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Assignee: bugsquad => qa-bugs
Version: Cauldron => 9
Status: NEW => ASSIGNED
Keywords: (none) => advisory
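The advisory above describes the bug as a ReDoS reachable through a colour value in untrusted HTML. The following is an added, defender-side example and is not code from this bug report, from Mageia, or from the TCPDF project. It shows the defence-in-depth check an application that feeds untrusted HTML to TCPDF can apply while the updated package is being rolled out: inline `color:` / `background-color:` declarations and quoted `color="..."` / `bgcolor="..."` attributes are kept only if the value matches a short, anchored, linear-time grammar, so nothing reaches the library's own colour parser that is not an ordinary colour token. The function names, the length bound, and the sample HTML are constructed for this example; the autoloader path `/usr/share/php/tcpdf/autoload.php` is an assumption about the Fedora/Mageia packaging and is only used if the file exists, so the script runs without TCPDF installed.

```php
<?php
// Added example, not code from the Mageia bug or the TCPDF project.
// Purpose: keep untrusted colour values out of TCPDF's colour parser by
// accepting only a strict, linear-time grammar. Defence in depth only:
// the actual fix is the updated php-tcpdf package.
declare(strict_types=1);

const MAX_COLOR_LEN = 64; // constructed bound; real colour tokens are much shorter

/**
 * Accept #rgb, #rrggbb, a bare colour name, or rgb()/rgba() with small
 * integer components. The pattern is anchored and uses no nested or
 * overlapping quantifiers, so matching cost is linear in the input length.
 */
function isSafeCssColor(string $value): bool
{
    $v = strtolower(trim($value));
    if ($v === '' || strlen($v) > MAX_COLOR_LEN) {
        return false;
    }
    $v = (string) preg_replace('/\s+/', '', $v);
    $pattern = '/^(?:#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{1,20}'
             . '|rgba?\(\d{1,3},\d{1,3},\d{1,3}(?:,(?:0|1|0?\.\d{1,3}))?\))$/';
    return preg_match($pattern, $v) === 1;
}

/**
 * Drop inline "color:" / "background-color:" declarations and quoted
 * color="..." / bgcolor="..." attributes whose value fails isSafeCssColor().
 * Everything else in the HTML passes through untouched.
 */
function sanitizeHtmlColors(string $html): string
{
    // CSS declarations inside style="...": the value runs up to ';' or a quote.
    $html = (string) preg_replace_callback(
        '/\b(background-color|color)\s*:\s*([^;"\']*)/i',
        static fn (array $m): string => isSafeCssColor($m[2]) ? $m[0] : '',
        $html
    );
    // Legacy attributes on <font>, <td>, <table> and friends (single or double quoted).
    return (string) preg_replace_callback(
        '/\b(bgcolor|color)\s*=\s*(["\'])([^"\']*)\2/i',
        static fn (array $m): string => isSafeCssColor($m[3]) ? $m[0] : '',
        $html
    );
}

/** Returns the inputs whose classification was wrong (empty array: all passed). */
function selfCheck(): array
{
    $cases = [
        ['#fff', true],
        ['rgb(10, 20, 30)', true],
        ['rgba(0,0,0,.5)', true],
        ['DarkSlateGray', true],
        [str_repeat('1', 200), false],     // oversized value
        ['not a color!!', false],          // junk
        ['rgb(1,2,3) rgb(4,5,6)', false],  // two tokens in one value
    ];
    $failed = [];
    foreach ($cases as [$input, $expected]) {
        if (isSafeCssColor($input) !== $expected) {
            $failed[] = $input;
        }
    }
    return $failed;
}

// Constructed sample of untrusted HTML: two sane colours, two values to drop.
$untrusted = '<p style="color: #336699; background-color: ' . str_repeat('1', 200) . '">hello</p>'
           . '<font color="rgb(10, 20, 30)">ok</font><font color="not a color!!">dropped</font>';

$clean = sanitizeHtmlColors($untrusted);
echo $clean, PHP_EOL;

if (selfCheck() !== []) {
    fwrite(STDERR, 'self-check failed: ' . implode(', ', selfCheck()) . PHP_EOL);
    exit(1);
}

// Render through TCPDF only when the library is installed. The autoloader
// path is an assumption based on the Fedora/Mageia packaging; adjust as needed.
$autoload = '/usr/share/php/tcpdf/autoload.php';
if (PHP_SAPI === 'cli' && is_file($autoload)) {
    require_once $autoload;
    $pdf = new TCPDF('P', 'mm', 'A4', true, 'UTF-8', false);
    $pdf->setPrintHeader(false);
    $pdf->setPrintFooter(false);
    $pdf->AddPage();
    $pdf->writeHTML($clean, true, false, true, false, '');
    $pdf->Output(__DIR__ . '/sanitized.pdf', 'F');
}
```

Run it as `php sanitize-colors.php`; it prints the cleaned HTML and writes `sanitized.pdf` only if the autoloader is found. The allow-list deliberately covers just the colour syntaxes an application is likely to need; the two regexes it uses have single, non-nested quantifiers and a hard length cap, so the sanitizer itself cannot become a new ReDoS surface. It only inspects inline style declarations and quoted attributes; if your HTML reaches TCPDF through other paths (stylesheets, unquoted attributes), extend the patterns accordingly, and treat the updated package as the real fix.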
RH mageia 8 x86_64

LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm
To satisfy dependencies, the following packages are going to be installed:
  Package                          Version     Release    Arch
(medium "Core Release (distrib1)")
  fonts-ttf-dejavu-lgc             2.37        4.mga9     noarch
  gnu-free-fonts-common            20120503    11.mga9    noarch
  gnu-free-mono-fonts              20120503    11.mga9    noarch
  gnu-free-sans-fonts              20120503    11.mga9    noarch
  gnu-free-serif-fonts             20120503    11.mga9    noarch
  php-fedora-autoloader            1.0.1       2.mga9     noarch
(medium "Core Updates (distrib3)")
  php-bcmath                       8.2.18      1.mga9     x86_64
  php-ctype                        8.2.18      1.mga9     x86_64
  php-curl                         8.2.18      1.mga9     x86_64
  php-gd                           8.2.18      1.mga9     x86_64
  php-mbstring                     8.2.18      1.mga9     x86_64
  php-posix                        8.2.18      1.mga9     x86_64
(command line)
  php-tcpdf                        6.5.0       1.1.mga9   noarch
  php-tcpdf-dejavu                 6.5.0       1.1.mga9   noarch
  php-tcpdf-dejavu-lgc             6.5.0       1.1.mga9   noarch
  php-tcpdf-gnu-free-mono-fonts    6.5.0       1.1.mga9   noarch
  php-tcpdf-gnu-free-sans-fonts    6.5.0       1.1.mga9   noarch
  php-tcpdf-gnu-free-serif-fonts   6.5.0       1.1.mga9   noarch
33MB of additional disk space will be used.
8.2MB of packages will be retrieved.
Proceed with the installation of the 18 packages? (Y/n) y
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/gnu-free-sans-fonts-20120503-11.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/gnu-free-fonts-common-20120503-11.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/php-fedora-autoloader-1.0.1-2.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/gnu-free-mono-fonts-20120503-11.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/gnu-free-serif-fonts-20120503-11.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/fonts-ttf-dejavu-lgc-2.37-4.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-posix-8.2.18-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-gd-8.2.18-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-bcmath-8.2.18-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-mbstring-8.2.18-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-curl-8.2.18-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-ctype-8.2.18-1.mga9.x86_64.rpm
installing /var/cache/urpmi/rpms/php-curl-8.2.18-1.mga9.x86_64.rpm /home/katnatek/qa-testing/x86_64/php-tcpdf-gnu-free-sans-fonts-6.5.0-1.1.mga9.noarch.rpm /var/cache/urpmi/rpms/fonts-ttf-dejavu-lgc-2.37-4.mga9.noarch.rpm /var/cache/urpmi/rpms/gnu-free-serif-fonts-20120503-11.mga9.noarch.rpm /home/katnatek/qa-testing/x86_64/php-tcpdf-6.5.0-1.1.mga9.noarch.rpm /var/cache/urpmi/rpms/php-fedora-autoloader-1.0.1-2.mga9.noarch.rpm /var/cache/urpmi/rpms/gnu-free-sans-fonts-20120503-11.mga9.noarch.rpm /var/cache/urpmi/rpms/php-bcmath-8.2.18-1.mga9.x86_64.rpm /var/cache/urpmi/rpms/gnu-free-mono-fonts-20120503-11.mga9.noarch.rpm /var/cache/urpmi/rpms/php-ctype-8.2.18-1.mga9.x86_64.rpm /var/cache/urpmi/rpms/gnu-free-fonts-common-20120503-11.mga9.noarch.rpm /home/katnatek/qa-testing/x86_64/php-tcpdf-gnu-free-serif-fonts-6.5.0-1.1.mga9.noarch.rpm /var/cache/urpmi/rpms/php-posix-8.2.18-1.mga9.x86_64.rpm /var/cache/urpmi/rpms/php-gd-8.2.18-1.mga9.x86_64.rpm /home/katnatek/qa-testing/x86_64/php-tcpdf-dejavu-lgc-6.5.0-1.1.mga9.noarch.rpm /home/katnatek/qa-testing/x86_64/php-tcpdf-dejavu-6.5.0-1.1.mga9.noarch.rpm /home/katnatek/qa-testing/x86_64/php-tcpdf-gnu-free-mono-fonts-6.5.0-1.1.mga9.noarch.rpm /var/cache/urpmi/rpms/php-mbstring-8.2.18-1.mga9.x86_64.rpm
Preparing...                     ##################################################################################################
      1/18: gnu-free-fonts-common            ##################################################################################################
      2/18: gnu-free-serif-fonts             ##################################################################################################
      3/18: gnu-free-sans-fonts              ##################################################################################################
      4/18: gnu-free-mono-fonts              ##################################################################################################
      5/18: php-mbstring                     ##################################################################################################
      6/18: php-gd                           ##################################################################################################
      7/18: php-posix                        ##################################################################################################
      8/18: php-ctype                        ##################################################################################################
      9/18: php-fedora-autoloader            ##################################################################################################
     10/18: php-bcmath                       ##################################################################################################
     11/18: fonts-ttf-dejavu-lgc             ##################################################################################################
     12/18: php-curl                         ##################################################################################################
     13/18: php-tcpdf                        ##################################################################################################
     14/18: php-tcpdf-gnu-free-sans-fonts    ##################################################################################################
     15/18: php-tcpdf-gnu-free-serif-fonts   ##################################################################################################
     16/18: php-tcpdf-dejavu-lgc             ##################################################################################################
     17/18: php-tcpdf-dejavu                 ##################################################################################################
     18/18: php-tcpdf-gnu-free-mono-fonts    ##################################################################################################

Testing basic function
Reference bug#23699 comment#10 with some modifications

php /usr/share/doc/php-tcpdf/examples/example_001.php > test.pdf

Open pdf, see this text (with some images, a link and with format)

TCPDF Example 001
by Nicola Asuni - Tecnick.com
www.tcpdf.org
Welcome to TCPDF !
This is the first example of TCPDF library.
This text is printed using the writeHTMLCell() method but you can also use: Multicell(), writeHTML(), Write(), Cell() and Text().
Please check the source code documentation and other examples for further information.
TO IMPROVE AND EXPAND TCPDF I NEED YOUR SUPPORT, PLEASE MAKE A DONATION!

php /usr/share/doc/php-tcpdf/examples/example_002.php > test-002.pdf

Open PDF, see this text with format

TCPDF Example 002
Default page header and footer are disabled using setPrintHeader() and setPrintFooter() methods.

Not sure if it is safe; I will test the POC I found.
CC: (none) => andrewsfarm
Also no uninstall issues. I hope this is good enough.
Whiteboard: (none) => MGA9-64-OK
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0169.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED