Fedora has issued an advisory on November 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WGK7LQSJONZPU3VOQTQ36UN6OAD6ZM4H/
The fix is:
https://github.com/tecnickcom/TCPDF/commit/17fe9597fb31d3d08c0f02a03338928ab8bcf0b5
Mageia 9 is also affected.

CVE: (none) => CVE-2024-22641
Status comment: (none) => Fixed upstream in 6.7.7 and patch available from upstream
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => php-tcpdf-6.7.5-1.mga10.src.rpm, php-tcpdf-6.5.0-1.1.mga9.src.rpm
Thanks again for the patch ref. Assigning to PHP stack maintainers.
Assignee: bugsquad => php
Suggested advisory:
========================

The updated packages fix a security vulnerability:

TCPDF version 6.6.5 and before is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted SVG file. (CVE-2024-22641)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WGK7LQSJONZPU3VOQTQ36UN6OAD6ZM4H/
========================

Updated packages in core/updates_testing:
========================
php-tcpdf-6.5.0-1.2.mga9
php-tcpdf-dejavu-6.5.0-1.2.mga9
php-tcpdf-dejavu-lgc-6.5.0-1.2.mga9
php-tcpdf-gnu-free-mono-fonts-6.5.0-1.2.mga9
php-tcpdf-gnu-free-sans-fonts-6.5.0-1.2.mga9
php-tcpdf-gnu-free-serif-fonts-6.5.0-1.2.mga9

from SRPM:
php-tcpdf-6.5.0-1.2.mga9.src.rpm

Version: Cauldron => 9
Status comment: Fixed upstream in 6.7.7 and patch available from upstream => (none)
Assignee: php => qa-bugs
Source RPM: php-tcpdf-6.7.5-1.mga10.src.rpm, php-tcpdf-6.5.0-1.1.mga9.src.rpm => php-tcpdf-6.5.0-1.1.mga9.src.rpm
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Keywords: (none) => advisory
LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm
To satisfy dependencies, the following packages are going to be installed:
  Package                         Version    Release   Arch
(medium "Core Release (distrib1)")
  fonts-ttf-dejavu-lgc            2.37       4.mga9    noarch
  gnu-free-fonts-common           20120503   11.mga9   noarch
  gnu-free-mono-fonts             20120503   11.mga9   noarch
  gnu-free-sans-fonts             20120503   11.mga9   noarch
  gnu-free-serif-fonts            20120503   11.mga9   noarch
  php-fedora-autoloader           1.0.1      2.mga9    noarch
(medium "Core Updates (distrib3)")
  php-bcmath                      8.2.25     1.mga9    x86_64
  php-ctype                       8.2.25     1.mga9    x86_64
  php-curl                        8.2.25     1.mga9    x86_64
  php-gd                          8.2.25     1.mga9    x86_64
  php-mbstring                    8.2.25     1.mga9    x86_64
  php-posix                       8.2.25     1.mga9    x86_64
(command line)
  php-tcpdf                       6.5.0      1.2.mga9  noarch
  php-tcpdf-dejavu                6.5.0      1.2.mga9  noarch
  php-tcpdf-dejavu-lgc            6.5.0      1.2.mga9  noarch
  php-tcpdf-gnu-free-mono-fonts   6.5.0      1.2.mga9  noarch
  php-tcpdf-gnu-free-sans-fonts   6.5.0      1.2.mga9  noarch
  php-tcpdf-gnu-free-serif-fonts  6.5.0      1.2.mga9  noarch
33MB of additional disk space will be used.
8.2MB of packages will be retrieved.
Proceed with the installation of the 18 packages? (Y/n) y
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/gnu-free-fonts-common-20120503-11.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/fonts-ttf-dejavu-lgc-2.37-4.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/gnu-free-sans-fonts-20120503-11.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/php-fedora-autoloader-1.0.1-2.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/gnu-free-mono-fonts-20120503-11.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/gnu-free-serif-fonts-20120503-11.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-gd-8.2.25-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-mbstring-8.2.25-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-curl-8.2.25-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-bcmath-8.2.25-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-ctype-8.2.25-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-posix-8.2.25-1.mga9.x86_64.rpm
installing
    /var/cache/urpmi/rpms/php-curl-8.2.25-1.mga9.x86_64.rpm
    /home/katnatek/qa-testing/x86_64/php-tcpdf-dejavu-6.5.0-1.2.mga9.noarch.rpm
    /home/katnatek/qa-testing/x86_64/php-tcpdf-dejavu-lgc-6.5.0-1.2.mga9.noarch.rpm
    /home/katnatek/qa-testing/x86_64/php-tcpdf-6.5.0-1.2.mga9.noarch.rpm
    /var/cache/urpmi/rpms/gnu-free-mono-fonts-20120503-11.mga9.noarch.rpm
    /var/cache/urpmi/rpms/php-posix-8.2.25-1.mga9.x86_64.rpm
    /var/cache/urpmi/rpms/fonts-ttf-dejavu-lgc-2.37-4.mga9.noarch.rpm
    /var/cache/urpmi/rpms/php-fedora-autoloader-1.0.1-2.mga9.noarch.rpm
    /var/cache/urpmi/rpms/gnu-free-fonts-common-20120503-11.mga9.noarch.rpm
    /var/cache/urpmi/rpms/php-ctype-8.2.25-1.mga9.x86_64.rpm
    /home/katnatek/qa-testing/x86_64/php-tcpdf-gnu-free-sans-fonts-6.5.0-1.2.mga9.noarch.rpm
    /home/katnatek/qa-testing/x86_64/php-tcpdf-gnu-free-mono-fonts-6.5.0-1.2.mga9.noarch.rpm
    /var/cache/urpmi/rpms/php-bcmath-8.2.25-1.mga9.x86_64.rpm
    /var/cache/urpmi/rpms/php-mbstring-8.2.25-1.mga9.x86_64.rpm
    /var/cache/urpmi/rpms/gnu-free-sans-fonts-20120503-11.mga9.noarch.rpm
    /home/katnatek/qa-testing/x86_64/php-tcpdf-gnu-free-serif-fonts-6.5.0-1.2.mga9.noarch.rpm
    /var/cache/urpmi/rpms/gnu-free-serif-fonts-20120503-11.mga9.noarch.rpm
    /var/cache/urpmi/rpms/php-gd-8.2.25-1.mga9.x86_64.rpm
Preparing...                     ##########
      1/18: gnu-free-fonts-common          ##########
      2/18: gnu-free-mono-fonts            ##########
      3/18: gnu-free-sans-fonts            ##########
      4/18: gnu-free-serif-fonts           ##########
      5/18: php-gd                         ##########
      6/18: php-mbstring                   ##########
      7/18: php-bcmath                     ##########
      8/18: php-ctype                      ##########
      9/18: php-fedora-autoloader          ##########
     10/18: fonts-ttf-dejavu-lgc           ##########
     11/18: php-posix                      ##########
     12/18: php-curl                       ##########
     13/18: php-tcpdf                      ##########
     14/18: php-tcpdf-dejavu               ##########
     15/18: php-tcpdf-dejavu-lgc           ##########
     16/18: php-tcpdf-gnu-free-sans-fonts  ##########
     17/18: php-tcpdf-gnu-free-mono-fonts  ##########
     18/18: php-tcpdf-gnu-free-serif-fonts ##########

Repeated the test from Bug#33173 comment#2 and got the same results. Feel free to test the POC; I pass.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
This package was pushed today but for some reason this bug wasn't automatically closed.
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
CC: (none) => dan
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0361.html