php-dompdf: CVE-2023-50262: Resource exhaustion caused by infinite recursion when validating SVG images

Related Vulnerabilities: CVE-2023-50262  

Debian Bug report logs - #1058793


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 16 Dec 2023 13:48:01 UTC

Severity: important

Tags: security, upstream

Found in versions php-dompdf/2.0.3+dfsg-4, php-dompdf/2.0.3+dfsg-1

Fixed in version php-dompdf/2.0.4+dfsg-1

Done: William Desportes <williamdes@wdes.fr>





Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#1058793; Package src:php-dompdf. (Sat, 16 Dec 2023 13:48:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Sat, 16 Dec 2023 13:48:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php-dompdf: CVE-2023-50262: Resource exhaustion caused by infinite recursion when validating SVG images
Date: Sat, 16 Dec 2023 14:45:36 +0100
Source: php-dompdf
Version: 2.0.3+dfsg-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.0.3+dfsg-1

Hi,

The following vulnerability was published for php-dompdf.

CVE-2023-50262[0]:
| Dompdf is an HTML to PDF converter for PHP. When parsing SVG images
| Dompdf performs an initial validation to ensure that paths within
| the SVG are allowed. One of the validations is that the SVG document
| does not reference itself. However, prior to version 2.0.4, a
| recursive chain using two or more SVG documents is not correctly
| validated. Depending on the system configuration and attack pattern
| this could exhaust the memory available to the executing process
| and/or to the server itself.  php-svg-lib, when run in isolation,
| does not support SVG references for `image` elements. However, when
| used in combination with Dompdf, php-svg-lib will process SVG images
| referenced by an `image` element. Dompdf currently includes
| validation to prevent self-referential `image` references, but a
| chained reference is not checked. A malicious actor may thus trigger
| infinite recursion by chaining references between two or more SVG
| images.  When Dompdf parses a malicious payload, it will crash
| after exceeding the allowed execution time or memory usage. An
| attacker sending multiple requests to a system can potentially cause
| resource exhaustion to the point that the system is unable to handle
| incoming requests.  Version 2.0.4 contains a fix for this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50262
    https://www.cve.org/CVERecord?id=CVE-2023-50262
[1] https://github.com/dompdf/dompdf/security/advisories/GHSA-3qx2-6f78-w2j2
[2] https://github.com/dompdf/dompdf/commit/41cbac16f3cf56affa49f06e8dae66d0eac2b593

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
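The advisory above describes the gap precisely: a self-referential `image` element was rejected, but a cycle running through two or more SVG documents (A references B, B references A) was not, so the loader recursed until the process hit its time or memory limit. The check below is an added illustration of how such a validator can be written as a graph walk rather than a single self-reference test; it is not dompdf's or php-svg-lib's code, and the document names, the `resolve` callback and the in-memory `DOCS` table are constructed for the example. It treats a direct self-reference, a multi-document cycle and an over-long acyclic chain as the three failure modes a loader has to refuse before it starts rendering.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample documents standing in for files on disk (hypothetical names).
# a.svg <-> b.svg is the chained case the advisory describes; e.svg is the direct
# self-reference that was already rejected; c.svg -> d.svg is a harmless chain.
_SVG_OPEN = f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}">'
DOCS = {
    "a.svg": _SVG_OPEN + '<image xlink:href="b.svg"/></svg>',
    "b.svg": _SVG_OPEN + '<image href="a.svg"/></svg>',
    "c.svg": _SVG_OPEN + '<image href="d.svg"/></svg>',
    "d.svg": _SVG_OPEN + '<rect width="1" height="1"/></svg>',
    "e.svg": _SVG_OPEN + '<image href="e.svg"/></svg>',
}


def image_refs(svg_text):
    """Return the targets of every <image> element, accepting both the SVG 2
    `href` attribute and the older `xlink:href` spelling."""
    root = ET.fromstring(svg_text)
    refs = []
    for el in root.iter(f"{{{SVG_NS}}}image"):
        href = el.get("href") or el.get(f"{{{XLINK_NS}}}href")
        if href:
            refs.append(href)
    return refs


def reference_chain_problem(start, resolve, max_depth=16):
    """Depth-first walk over <image> references starting at `start`.

    `resolve(name)` returns the SVG text for a reference, or None when the
    target is not an SVG this loader would follow (raster image, missing file).

    Returns None when every chain terminates, otherwise a tuple:
      ("cycle", path)    the document names forming the cycle, e.g.
                         ["a.svg", "b.svg", "a.svg"]
      ("too_deep", path) an acyclic chain that would load more than
                         `max_depth` documents
    The path-based check catches self-references and multi-document cycles
    alike; the depth cap bounds the work even when every name is distinct.
    (Simplification: references are used as given, not resolved relative to
    the referencing document's location.)
    """

    def walk(name, path):
        if name in path:
            return ("cycle", path[path.index(name):] + [name])
        if len(path) >= max_depth:
            return ("too_deep", path + [name])
        text = resolve(name)
        if text is None:
            return None
        for ref in image_refs(text):
            found = walk(ref, path + [name])
            if found:
                return found
        return None

    return walk(start, [])


if __name__ == "__main__":
    for name in sorted(DOCS):
        print(name, reference_chain_problem(name, DOCS.get))
```

Running the block prints a cycle for `a.svg`, `b.svg` and `e.svg` and `None` for `c.svg` and `d.svg`. The walk keeps the current path rather than a global visited set on purpose: a document that is legitimately referenced twice along different branches is not a cycle, while any name that reappears on the path it is currently descending is. The `max_depth` cap is the second half of the mitigation; a cycle detector alone still lets a long chain of distinct documents consume memory, so the loader should refuse chains beyond a small fixed depth as well.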



Marked as found in versions php-dompdf/2.0.3+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 16 Dec 2023 13:48:03 GMT)


Reply sent to William Desportes <williamdes@wdes.fr>:
You have taken responsibility. (Sat, 16 Dec 2023 23:24:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 16 Dec 2023 23:24:03 GMT)


Message #12 received at 1058793-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1058793-close@bugs.debian.org
Subject: Bug#1058793: fixed in php-dompdf 2.0.4+dfsg-1
Date: Sat, 16 Dec 2023 23:20:26 +0000
Source: php-dompdf
Source-Version: 2.0.4+dfsg-1
Done: William Desportes <williamdes@wdes.fr>

We believe that the bug you reported is fixed in the latest version of
php-dompdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1058793@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
William Desportes <williamdes@wdes.fr> (supplier of updated php-dompdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 16 Dec 2023 23:41:34 +0100
Source: php-dompdf
Architecture: source
Version: 2.0.4+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: William Desportes <williamdes@wdes.fr>
Closes: 1058793
Changes:
 php-dompdf (2.0.4+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 2.0.4 (CVE-2023-50262) (Closes: #1058793)
   * Update gbp.conf
Checksums-Sha1:
 37ba8ccccd8ce2f2f62bebf681b2d79196a03963 2363 php-dompdf_2.0.4+dfsg-1.dsc
 479302e596376f12c078639ab0870cc3bde5fc8d 1564856 php-dompdf_2.0.4+dfsg.orig.tar.xz
 6e1ccb3347ceebb0eb4c1e07d8c9d3b2aa73719f 14020 php-dompdf_2.0.4+dfsg-1.debian.tar.xz
 dfd61e6e4ab18d10109e2830e8c80710035c0050 11473 php-dompdf_2.0.4+dfsg-1_source.buildinfo
Checksums-Sha256:
 76bc6827e7cccac022fb5f8dcb98bcf07999949140ace84f50b14d1daff6e176 2363 php-dompdf_2.0.4+dfsg-1.dsc
 1b67559ba086126364f979afc399467dcff90849e3ce617f881ee4a75aec445c 1564856 php-dompdf_2.0.4+dfsg.orig.tar.xz
 a2c69d03692b2d11a106625da0bcaa877012d605f741c91dc330e34993d8add5 14020 php-dompdf_2.0.4+dfsg-1.debian.tar.xz
 b2fa0974e7751158e2cee368971b7e64200ab15c79707fdb6e7cad804cae4921 11473 php-dompdf_2.0.4+dfsg-1_source.buildinfo
Files:
 cd69c321f818534b381b344594561301 2363 php optional php-dompdf_2.0.4+dfsg-1.dsc
 c5364f4a4f1abd863b741bd278d58f0a 1564856 php optional php-dompdf_2.0.4+dfsg.orig.tar.xz
 f9accc7486f698391a29fc574f1c8c2c 14020 php optional php-dompdf_2.0.4+dfsg-1.debian.tar.xz
 7a02f9f0f7d2e24ae39722a9607dacb4 11473 php optional php-dompdf_2.0.4+dfsg-1_source.buildinfo







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Dec 17 08:18:33 2023; Machine Name: buxtehude
