Fedora has issued an advisory on January 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZX3ABLKKEVGN4M4BBUJFPBNWW5SHP7J3/

Fixes (included in version 6.8.0):
https://github.com/tecnickcom/TCPDF/commit/c9f41cbb84880bdb4fc3e0a9d287214d1ac4d7f4 (CVE-2024-56519)
https://github.com/tecnickcom/TCPDF/commit/d54b97cec33f4f1a5ad81119a82085cad93cec89 (CVE-2024-56522)
https://github.com/tecnickcom/TCPDF/commit/aab43ab0a824e956276141a28a24c7c0be20f554 (CVE-2024-56521)
https://github.com/tecnickcom/TCPDF/commit/11778aaa2d9e30a9ae1c1ee97ff349344f0ad6e1 (CVE-2024-56527)
Status comment: (none) => Fixed upstream in 6.8.0 and patches available from upstream
Source RPM: (none) => php-tcpdf-6.7.7-1.mga10.src.rpm, php-tcpdf-6.5.0-1.2.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-56519, CVE-2024-56521, CVE-2024-56522, CVE-2024-56527
Thank you for all the details. Assigning to PHP maintainers.
Assignee: bugsquad => php
Fixed for Cauldron.
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Source RPM: php-tcpdf-6.7.7-1.mga10.src.rpm, php-tcpdf-6.5.0-1.2.mga9.src.rpm => php-tcpdf-6.5.0-1.2.mga9.src.rpm
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute. (CVE-2024-56519)

An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely. (CVE-2024-56521)

An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (aka loose comparison) and does not use a constant-time function to compare TCPDF tag hashes. (CVE-2024-56522)

An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message. (CVE-2024-56527)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZX3ABLKKEVGN4M4BBUJFPBNWW5SHP7J3/
========================

Updated packages in core/updates_testing:
========================
php-tcpdf-6.5.0-1.3.mga9
php-tcpdf-dejavu-6.5.0-1.3.mga9
php-tcpdf-dejavu-lgc-6.5.0-1.3.mga9
php-tcpdf-gnu-free-mono-fonts-6.5.0-1.3.mga9
php-tcpdf-gnu-free-sans-fonts-6.5.0-1.3.mga9
php-tcpdf-gnu-free-serif-fonts-6.5.0-1.3.mga9

from SRPM:
php-tcpdf-6.5.0-1.3.mga9.src.rpm
Status: NEW => ASSIGNED
Assignee: php => qa-bugs
Status comment: Fixed upstream in 6.8.0 and patches available from upstream => (none)
Keywords: (none) => advisory
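The loose-comparison weakness named for CVE-2024-56522 in the advisory above, shown as an added PHP example. This is not TCPDF's code: the function names and the two digest strings are constructed for illustration.

```php
<?php
// Added example, not TCPDF's code: contrasts a loose "!=" hash check with the
// hardened hash_equals() form. Function names and sample values are constructed.

// Weak pattern: "!=" is PHP's loose comparison. Two numeric-looking strings are
// converted to numbers before being compared, so distinct hex digests can compare
// equal, and the comparison stops at the first differing byte (not constant-time).
function tagHashMatchesLoose(string $expected, string $provided): bool
{
    return !($expected != $provided);
}

// Hardened pattern: hash_equals() compares the raw bytes with no type juggling,
// in time that does not depend on where the two strings first differ.
function tagHashMatchesStrict(string $expected, string $provided): bool
{
    return hash_equals($expected, $provided);
}

// Constructed sample values: both look like 32-hex-digit MD5 digests, but each
// has the form "0e<digits>", which PHP reads as the float 0.0 during a loose
// comparison, so the loose check treats two different digests as the same hash.
$expected = '0e462097431906509019562988736854';
$provided = '0e830400451993494058024219903391';

printf("loose  (!=)          : %s\n",
    tagHashMatchesLoose($expected, $provided) ? 'accepted' : 'rejected');
printf("strict (hash_equals) : %s\n",
    tagHashMatchesStrict($expected, $provided) ? 'accepted' : 'rejected');

// Control case: hash_equals() still accepts a genuinely identical digest.
printf("strict, identical    : %s\n",
    tagHashMatchesStrict($expected, $expected) ? 'accepted' : 'rejected');
```

Run it with the php CLI: the loose check reports the two different digests as accepted while hash_equals() rejects them, which is the behaviour the upstream fix restores.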
LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm
To satisfy dependencies, the following packages are going to be installed:
  Package                         Version      Release      Arch
(medium "Core Release (distrib1)")
  fonts-ttf-dejavu-lgc            2.37         4.mga9       noarch
  gnu-free-fonts-common           20120503     11.mga9      noarch
  gnu-free-mono-fonts             20120503     11.mga9      noarch
  gnu-free-sans-fonts             20120503     11.mga9      noarch
  gnu-free-serif-fonts            20120503     11.mga9      noarch
  php-fedora-autoloader           1.0.1        2.mga9       noarch
(medium "Core Updates (distrib3)")
  php-bcmath                      8.2.27       1.mga9       x86_64
  php-ctype                       8.2.27       1.mga9       x86_64
  php-curl                        8.2.27       1.mga9       x86_64
  php-gd                          8.2.27       1.mga9       x86_64
  php-mbstring                    8.2.27       1.mga9       x86_64
  php-posix                       8.2.27       1.mga9       x86_64
(command line)
  php-tcpdf                       6.5.0        1.3.mga9     noarch
  php-tcpdf-dejavu                6.5.0        1.3.mga9     noarch
  php-tcpdf-dejavu-lgc            6.5.0        1.3.mga9     noarch
  php-tcpdf-gnu-free-mono-fonts   6.5.0        1.3.mga9     noarch
  php-tcpdf-gnu-free-sans-fonts   6.5.0        1.3.mga9     noarch
  php-tcpdf-gnu-free-serif-fonts  6.5.0        1.3.mga9     noarch
33MB of additional disk space will be used.
8.2MB of packages will be retrieved.
Proceed with the installation of the 18 packages? (Y/n) y
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/gnu-free-sans-fonts-20120503-11.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/fonts-ttf-dejavu-lgc-2.37-4.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/php-fedora-autoloader-1.0.1-2.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/gnu-free-fonts-common-20120503-11.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/gnu-free-serif-fonts-20120503-11.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/gnu-free-mono-fonts-20120503-11.mga9.noarch.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-posix-8.2.27-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-ctype-8.2.27-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-gd-8.2.27-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-curl-8.2.27-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-bcmath-8.2.27-1.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/updates/php-mbstring-8.2.27-1.mga9.x86_64.rpm
installing
    /home/katnatek/qa-testing/x86_64/php-tcpdf-gnu-free-serif-fonts-6.5.0-1.3.mga9.noarch.rpm
    /var/cache/urpmi/rpms/php-curl-8.2.27-1.mga9.x86_64.rpm
    /home/katnatek/qa-testing/x86_64/php-tcpdf-dejavu-6.5.0-1.3.mga9.noarch.rpm
    /var/cache/urpmi/rpms/php-mbstring-8.2.27-1.mga9.x86_64.rpm
    /var/cache/urpmi/rpms/gnu-free-fonts-common-20120503-11.mga9.noarch.rpm
    /home/katnatek/qa-testing/x86_64/php-tcpdf-6.5.0-1.3.mga9.noarch.rpm
    /var/cache/urpmi/rpms/fonts-ttf-dejavu-lgc-2.37-4.mga9.noarch.rpm
    /var/cache/urpmi/rpms/php-fedora-autoloader-1.0.1-2.mga9.noarch.rpm
    /var/cache/urpmi/rpms/php-posix-8.2.27-1.mga9.x86_64.rpm
    /var/cache/urpmi/rpms/gnu-free-serif-fonts-20120503-11.mga9.noarch.rpm
    /var/cache/urpmi/rpms/php-bcmath-8.2.27-1.mga9.x86_64.rpm
    /home/katnatek/qa-testing/x86_64/php-tcpdf-gnu-free-sans-fonts-6.5.0-1.3.mga9.noarch.rpm
    /var/cache/urpmi/rpms/gnu-free-mono-fonts-20120503-11.mga9.noarch.rpm
    /var/cache/urpmi/rpms/php-gd-8.2.27-1.mga9.x86_64.rpm
    /home/katnatek/qa-testing/x86_64/php-tcpdf-dejavu-lgc-6.5.0-1.3.mga9.noarch.rpm
    /var/cache/urpmi/rpms/php-ctype-8.2.27-1.mga9.x86_64.rpm
    /home/katnatek/qa-testing/x86_64/php-tcpdf-gnu-free-mono-fonts-6.5.0-1.3.mga9.noarch.rpm
    /var/cache/urpmi/rpms/gnu-free-sans-fonts-20120503-11.mga9.noarch.rpm
Preparing...                          ##################################################################################################
      1/18: gnu-free-fonts-common     ##################################################################################################
      2/18: gnu-free-serif-fonts      ##################################################################################################
      3/18: gnu-free-mono-fonts       ##################################################################################################
      4/18: gnu-free-sans-fonts       ##################################################################################################
      5/18: php-ctype                 ##################################################################################################
      6/18: php-fedora-autoloader     ##################################################################################################
      7/18: php-gd                    ##################################################################################################
      8/18: php-bcmath                ##################################################################################################
      9/18: php-posix                 ##################################################################################################
     10/18: fonts-ttf-dejavu-lgc      ##################################################################################################
     11/18: php-mbstring              ##################################################################################################
     12/18: php-curl                  ##################################################################################################
     13/18: php-tcpdf                 ##################################################################################################
     14/18: php-tcpdf-gnu-free-serif-fonts ##################################################################################################
     15/18: php-tcpdf-dejavu          ##################################################################################################
     16/18: php-tcpdf-gnu-free-sans-fonts ##################################################################################################
     17/18: php-tcpdf-dejavu-lgc      ##################################################################################################
     18/18: php-tcpdf-gnu-free-mono-fonts ##################################################################################################

Reference bug#33173 comment#2

php /usr/share/doc/php-tcpdf/examples/example_001.php > test.pdf
Generates the test.pdf file with the expected images and text

php /usr/share/doc/php-tcpdf/examples/example_002.php > test-002.pdf
Generates the test.pdf file with the expected text

No PoCs found to test.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0059.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED