tcpdf: CVE-2017-6100: LFI posting internal files externally abusing default parameter

Related Vulnerabilities: CVE-2017-6100  

Debian Bug report logs - #814030
tcpdf: CVE-2017-6100: LFI posting internal files externally abusing default parameter


Reported by: David Prévot <taffit@debian.org>

Date: Sun, 7 Feb 2016 18:33:01 UTC

Severity: serious

Tags: security, upstream

Found in version tcpdf/6.0.093+dfsg-1

Fixed in versions 6.2.12+dfsg-1, tcpdf/6.0.093+dfsg-1+deb8u1

Done: Laurent Destailleur (eldy) <eldy@users.sourceforge.net>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/tcpdf/bugs/1005/




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laurent Destailleur (eldy) <eldy@users.sourceforge.net>:
Bug#814030; Package php-tcpdf. (Sun, 07 Feb 2016 18:33:06 GMT) (full text, mbox, link).


Acknowledgement sent to David Prévot <taffit@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laurent Destailleur (eldy) <eldy@users.sourceforge.net>. (Sun, 07 Feb 2016 18:33:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: David Prévot <taffit@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Security flaw fixed in version 6.2.0
Date: Sun, 7 Feb 2016 14:28:04 -0400
Package: php-tcpdf
Version: 6.0.093+dfsg-1
Severity: serious
Tags: security upstream

According to their changelog [1], upstream fixed a security issue over a
year ago:

6.2.0 (2014-12-10)
	- Bug #1005 "Security Report, LFI posting internal files externally abusing default parameter" was fixed.

	1: https://sourceforge.net/p/tcpdf/code/ci/master/tree/CHANGELOG.TXT

The upstream bug report [2] is not public, so I don’t have much
information about the issue, the fix, nor its actual severity.

	2: https://sourceforge.net/p/tcpdf/bugs/1005/

Regards

David

Information forwarded to debian-bugs-dist@lists.debian.org, Laurent Destailleur (eldy) <eldy@users.sourceforge.net>:
Bug#814030; Package php-tcpdf. (Tue, 23 Feb 2016 03:39:08 GMT) (full text, mbox, link).


Acknowledgement sent to David Prévot <taffit@debian.org>:
Extra info received and forwarded to list. Copy sent to Laurent Destailleur (eldy) <eldy@users.sourceforge.net>. (Tue, 23 Feb 2016 03:39:08 GMT) (full text, mbox, link).


Message #10 received at 814030@bugs.debian.org (full text, mbox, reply):

From: David Prévot <taffit@debian.org>
To: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>, 814030@bugs.debian.org
Subject: Intent to bring php-tcpdf in the Debian PHP PEAR (and Composer) Maintainers team (Was: Bug#814030: Security flaw fixed in version 6.2.0)
Date: Mon, 22 Feb 2016 23:33:58 -0400
Hi,

On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
> Package: php-tcpdf
> Version: 6.0.093+dfsg-1
> Severity: serious
> Tags: security upstream
> 
> According to their changelog [1], upstream fixed a security issue over a
> year ago: […]

In order to bring php-tcpdf back in line with upstream, and to follow
more closely the PHP class packaging, I’d like to take the
opportunity of team maintaining it under the Debian PHP PEAR (and
Composer) Maintainers umbrella.

Unless someone objects, I intend to move forward as soon as I have some
time to spare on it.

Regards

David

Information forwarded to debian-bugs-dist@lists.debian.org, Laurent Destailleur (eldy) <eldy@users.sourceforge.net>:
Bug#814030; Package php-tcpdf. (Tue, 23 Feb 2016 10:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to "Laurent Destailleur (aka Eldy)" <eldy@destailleur.fr>:
Extra info received and forwarded to list. Copy sent to Laurent Destailleur (eldy) <eldy@users.sourceforge.net>. (Tue, 23 Feb 2016 10:57:04 GMT) (full text, mbox, link).


Message #15 received at 814030@bugs.debian.org (full text, mbox, reply):

From: "Laurent Destailleur (aka Eldy)" <eldy@destailleur.fr>
To: David Prévot <taffit@debian.org>, 814030@bugs.debian.org
Subject: Re: Bug#814030: Intent to bring php-tcpdf in the Debian PHP PEAR (and Composer) Maintainers team (Was: Bug#814030: Security flaw fixed in version 6.2.0)
Date: Tue, 23 Feb 2016 11:54:24 +0100
Hi David.

I have sent my mentor (Raphael Hertzog) a commit with the new upstream
6.2.12 update of TCPDF.

If you plan/want to move package maintenance into Debian PHP PEAR umbrella,
why not. What will be the benefit and impact ?

2016-02-23 4:33 GMT+01:00 David Prévot <taffit@debian.org>:

> Hi,
>
> On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
> > Package: php-tcpdf
> > Version: 6.0.093+dfsg-1
> > Severity: serious
> > Tags: security upstream
> >
> > According to their changelog [1], upstream fixed a security issue over a
> > year ago: […]
>
> In order to bring php-tcpdf back in line with upstream, and to follow
> more closely the PHP class packaging, I’d like to take the
> opportunity of team maintaining it under the Debian PHP PEAR (and
> Composer) Maintainers umbrella.
>
> Unless someone objects, I intend to move forward as soon as I have some
> time to spare on it.
>
> Regards
>
> David
>



-- 
EMail: eldy@destailleur.fr
Web: http://www.destailleur.fr
------------------------------------------------------------------------------------
Google+: https://plus.google.com/+LaurentDestailleur/
Facebook: https://www.facebook.com/Destailleur.Laurent
Twitter: http://www.twitter.com/eldy10
------------------------------------------------------------------------------------
* Dolibarr (Project leader): http://www.dolibarr.org (make a donation for
Dolibarr project via Paypal: contact@destailleur.fr)
* AWStats (Author) : http://awstats.sourceforge.net (make a donation for
AWStats project via Paypal: contact@destailleur.fr)
* AWBot (Author) : http://awbot.sourceforge.net
* CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net

Reply sent to Raphael Hertzog <hertzog@debian.org>:
You have taken responsibility. (Sun, 28 Feb 2016 19:45:16 GMT) (full text, mbox, link).


Notification sent to David Prévot <taffit@debian.org>:
Bug acknowledged by developer. (Sun, 28 Feb 2016 19:45:16 GMT) (full text, mbox, link).


Message #20 received at 814030-done@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: 814030-done@bugs.debian.org, 785212-done@bugs.debian.org, 780051-done@bugs.debian.org
Subject: Closing bugs fixed in php-tcpdf
Date: Sun, 28 Feb 2016 20:41:49 +0100
Version: 6.2.12+dfsg-1

I just uploaded a new upstream version that should have closed those bugs but
did not close them because we had to repack (and I forgot to pass the
-v6.0.093+dfsg-1 flag when building):


tcpdf (6.2.12+dfsg2-1) unstable; urgency=medium

  * New upstream version 6.2.12 modified with free version of sRGB.icc.
    This solves a lintian error.

 -- Laurent Destailleur (eldy) <eldy@users.sourceforge.net>  Sat, 27 Feb 2016 19:35:45 +0100

tcpdf (6.2.12+dfsg-1) unstable; urgency=medium

  * New upstream version 6.2.12 (Closes: #814030, #785212)
  * Update license files for qrcodes.php file (Closes: #780051)

 -- Laurent Destailleur (eldy) <eldy@users.sourceforge.net>  Tue, 23 Feb 2016 10:35:45 +0100


-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Laurent Destailleur (eldy) <eldy@users.sourceforge.net>:
Bug#814030; Package php-tcpdf. (Sun, 27 Mar 2016 11:36:08 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Laurent Destailleur (eldy) <eldy@users.sourceforge.net>. (Sun, 27 Mar 2016 11:36:08 GMT) (full text, mbox, link).


Message #25 received at 814030@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: David Prévot <taffit@debian.org>
Cc: 814030@bugs.debian.org
Subject: Re: Security flaw fixed in version 6.2.0
Date: Sun, 27 Mar 2016 13:33:01 +0200
On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
> Package: php-tcpdf
> Version: 6.0.093+dfsg-1
> Severity: serious
> Tags: security upstream
> 
> According to their changelog [1], upstream fixed a security issue over a
> year ago:
> 
> 6.2.0 (2014-12-10)
> 	- Bug #1005 "Security Report, LFI posting internal files externally abusing default parameter" was fixed.
> 
> 	1: https://sourceforge.net/p/tcpdf/code/ci/master/tree/CHANGELOG.TXT
> 
> The upstream bug report [2] is not public, so I don’t have much
> information about the issue, the fix, nor its actual severity.
> 
> 	2: https://sourceforge.net/p/tcpdf/bugs/1005/

Can you contact upstream for information on this security bug? I have
no idea what that could possibly mean.

Cheers,
        Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 08:41:34 GMT) (full text, mbox, link).


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:46:01 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Laurent Destailleur (eldy) <eldy@users.sourceforge.net>:
Bug#814030; Package php-tcpdf. (Thu, 05 Jan 2017 07:45:07 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laurent Destailleur (eldy) <eldy@users.sourceforge.net>. (Thu, 05 Jan 2017 07:45:07 GMT) (full text, mbox, link).


Message #34 received at 814030@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 814030@bugs.debian.org
Cc: David Prévot <taffit@debian.org>
Subject: Re: Bug#814030: Security flaw fixed in version 6.2.0
Date: Thu, 5 Jan 2017 08:42:14 +0100
Hi David,

On Sun, Mar 27, 2016 at 01:33:01PM +0200, Moritz Mühlenhoff wrote:
> On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
> > Package: php-tcpdf
> > Version: 6.0.093+dfsg-1
> > Severity: serious
> > Tags: security upstream
> > 
> > According to their changelog [1], upstream fixed a security issue over a
> > year ago:
> > 
> > 6.2.0 (2014-12-10)
> > 	- Bug #1005 "Security Report, LFI posting internal files externally abusing default parameter" was fixed.
> > 
> > 	1: https://sourceforge.net/p/tcpdf/code/ci/master/tree/CHANGELOG.TXT
> > 
> > The upstream bug report [2] is not public, so I don’t have much
> > information about the issue, the fix, nor its actual severity.
> > 
> > 	2: https://sourceforge.net/p/tcpdf/bugs/1005/
> 
> Can you contact upstream for information on this security bug? I have
> no idea what that could possibly mean.

Did you get any information on that from upstream? The bug is still
closed, so it does not really help.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Laurent Destailleur (eldy) <eldy@users.sourceforge.net>:
Bug#814030; Package php-tcpdf. (Thu, 05 Jan 2017 08:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to David Prévot <taffit@debian.org>:
Extra info received and forwarded to list. Copy sent to Laurent Destailleur (eldy) <eldy@users.sourceforge.net>. (Thu, 05 Jan 2017 08:30:03 GMT) (full text, mbox, link).


Message #39 received at 814030@bugs.debian.org (full text, mbox, reply):

From: David Prévot <taffit@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>, 814030@bugs.debian.org, "Laurent Destailleur (eldy)" <eldy@users.sourceforge.net>, Raphael Hertzog <hertzog@debian.org>
Subject: Re: Bug#814030: Security flaw fixed in version 6.2.0
Date: Wed, 4 Jan 2017 22:26:21 -1000
Hi,

I just added the maintainer and uploader to the loop. Hopefully, they should
know something about the package/code/issue.

Le 04/01/2017 à 21:42, Salvatore Bonaccorso a écrit :

> On Sun, Mar 27, 2016 at 01:33:01PM +0200, Moritz Mühlenhoff wrote:
>> On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
>>> Package: php-tcpdf
>>> Version: 6.0.093+dfsg-1
>>> Severity: serious
>>> Tags: security upstream
>>>
>>> According to their changelog [1], upstream fixed a security issue over a
>>> year ago:
>>>
>>> 6.2.0 (2014-12-10)
>>> 	- Bug #1005 "Security Report, LFI posting internal files externally abusing default parameter" was fixed.
>>>
>>> 	1: https://sourceforge.net/p/tcpdf/code/ci/master/tree/CHANGELOG.TXT
>>>
>>> The upstream bug report [2] is not public, so I don’t have much
>>> information about the issue, the fix, nor its actual severity.
>>>
>>> 	2: https://sourceforge.net/p/tcpdf/bugs/1005/
>>
>> Can you contact upstream for information on this security bug? I have
>> no idea what that could possibly mean.
> 
> Did you get any information on that from upstream? The bug is still
> closed, so it does not really help.
> 
> Regards,
> Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Laurent Destailleur (eldy) <eldy@users.sourceforge.net>:
Bug#814030; Package php-tcpdf. (Thu, 05 Jan 2017 10:09:26 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Laurent Destailleur (eldy) <eldy@users.sourceforge.net>. (Thu, 05 Jan 2017 10:09:26 GMT) (full text, mbox, link).


Message #44 received at 814030@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: David Prévot <taffit@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>, 814030@bugs.debian.org, "Laurent Destailleur (eldy)" <eldy@users.sourceforge.net>, info@tecnick.com
Subject: Re: Bug#814030: Security flaw fixed in version 6.2.0
Date: Thu, 5 Jan 2017 11:07:08 +0100
Hi,

CCing upstream author for confirmation. Nicola we are trying to understand
what security fix went into tcpdf 6.2.0. The bug is private on
sourceforge, could you make it public now?

For more details see: https://bugs.debian.org/814030

On Wed, 04 Jan 2017, David Prévot wrote:
> >> Can you contact upstream for information on this security bug? I have
> >> no idea what that could possibly mean.
> > 
> > Did you get any information on that from upstream? The bug is still
> > closed, so it does not really help.

I did not contact upstream but looking at the changes in that version:
https://sourceforge.net/p/tcpdf/code/ci/40662daa766bd3a6b5eafa44dfde680ee6661716/tree/tcpdf.php?diff=3d5921442e7adde1ce225104118bc246a1933c65
https://sourceforge.net/p/tcpdf/code/ci/40662daa766bd3a6b5eafa44dfde680ee6661716/tree/include/tcpdf_fonts.php?diff=3d5921442e7adde1ce225104118bc246a1933c65
https://sourceforge.net/p/tcpdf/code/ci/40662daa766bd3a6b5eafa44dfde680ee6661716/tree/include/tcpdf_static.php?diff=3d5921442e7adde1ce225104118bc246a1933c65

I see calls to fopen() being replaced by TCPDF_STATIC::fopenLocal(), which
ensures that we pass only a "file://" URL, or adds this prefix
if there's no "://" in the string.

So I guess that this issue is related to this. All the fopen() calls are
for files to which we write so I guess that we can possibly inject
"ftp://" URL in some parameters and get some local files sent to a remote
location.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
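A guard of the kind Raphael describes, written as an added example for this thread. It is not TCPDF's own code: the real TCPDF_STATIC::fopenLocal() lives in the commits linked above and is not reproduced here, so its exact behaviour may differ. The names fopen_local_only() and save_document(), the relative-path handling, and the sample target names are assumptions made for the example. Run it with the php CLI on a POSIX system; it writes two throwaway files under the system temp directory and removes them again.

```php
<?php
// Added example, not TCPDF's code. It models the fix described in the
// message above: fopen() replaced by a helper that only opens local files.
// fopen_local_only() and save_document() are illustrative names (assumption).

/**
 * Open $filename in $mode only if it names a local file: a plain path or a
 * file:// URL. Every other stream wrapper (ftp://, http://, php://, ...) is
 * refused before fopen() is reached, so a caller-supplied output name cannot
 * turn a local write into an upload. Returns a stream resource, or false.
 */
function fopen_local_only(string $filename, string $mode)
{
    if (strpos($filename, '://') === false) {
        // Plain path. PHP's file:// wrapper wants an absolute path, so resolve
        // relative names against the working directory before pinning the scheme.
        if ($filename === '' || $filename[0] !== '/') {
            $filename = getcwd() . '/' . $filename;
        }
        $filename = 'file://' . $filename;
    } elseif (stripos($filename, 'file://') !== 0) {
        // A scheme was given and it is not file://: refuse it. PHP matches
        // scheme names case-insensitively, hence stripos(). This is stricter
        // than stream_is_local(), which also reports php:// as local.
        return false;
    }
    return fopen($filename, $mode);
}

/**
 * Write $bytes to $dest the way a PDF library's "save to file" path would,
 * but through the local-only guard. Returns true on success, false otherwise.
 */
function save_document(string $dest, string $bytes): bool
{
    $fh = fopen_local_only($dest, 'wb');
    if ($fh === false) {
        return false;
    }
    $ok = (fwrite($fh, $bytes) === strlen($bytes));
    fclose($fh);
    return $ok;
}

// Constructed inputs: two harmless local targets and two attacker-shaped names.
$dir = sys_get_temp_dir() . '/tcpdf-guard-' . getmypid();
mkdir($dir);
$cases = [
    $dir . '/report.pdf'                     => true,  // plain absolute path
    'file://' . $dir . '/report2.pdf'        => true,  // explicit file:// URL
    'ftp://attacker.example/loot/report.pdf' => false, // a bare fopen() would upload here
    'php://output'                           => false, // not a file either
];
foreach ($cases as $dest => $expected) {
    $got = save_document($dest, "%PDF-1.4\n%%EOF\n");
    printf("%-45s %s\n", $dest, $got === $expected ? 'ok' : 'UNEXPECTED');
}

// Remove the files actually written.
array_map('unlink', glob($dir . '/*.pdf'));
rmdir($dir);
```

The guard keys on the literal "://" and the scheme text rather than on what the wrapper reports about itself, because PHP's ftp:// wrapper accepts write mode: a bare fopen($name, 'w') on a caller-supplied name is the path by which a write meant for disk becomes a network upload, which is the outcome Raphael guesses at above. The php:// case is included because stream_is_local() treats that wrapper as local, so a check built on it alone would let php://output or php://filter targets through.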



Information forwarded to debian-bugs-dist@lists.debian.org, Laurent Destailleur (eldy) <eldy@users.sourceforge.net>:
Bug#814030; Package php-tcpdf. (Mon, 09 Jan 2017 20:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Laurent Destailleur (eldy) <eldy@users.sourceforge.net>. (Mon, 09 Jan 2017 20:42:04 GMT) (full text, mbox, link).


Message #49 received at 814030@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: David Prévot <taffit@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>, 814030@bugs.debian.org, "Laurent Destailleur (eldy)" <eldy@users.sourceforge.net>
Subject: Re: Bug#814030: Security flaw fixed in version 6.2.0
Date: Mon, 9 Jan 2017 21:39:30 +0100
Hi everybody,

On Thu, 05 Jan 2017, Raphael Hertzog wrote:
> CCing upstream author for confirmation. Nicola we are trying to understand
> what security fix went into tcpdf 6.2.0. The bug is private on
> sourceforge, could you make it public now?

The upstream bug is now public:
https://sourceforge.net/p/tcpdf/bugs/1005/

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Set Bug forwarded-to-address to 'https://sourceforge.net/p/tcpdf/bugs/1005/'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 09 Jan 2017 20:45:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Laurent Destailleur (eldy) <eldy@users.sourceforge.net>:
Bug#814030; Package php-tcpdf. (Sat, 14 Jan 2017 21:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Laurent Destailleur (eldy) <eldy@users.sourceforge.net>. (Sat, 14 Jan 2017 21:48:03 GMT) (full text, mbox, link).


Message #56 received at 814030@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Raphael Hertzog <hertzog@debian.org>
Cc: David Prévot <taffit@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>, 814030@bugs.debian.org, "Laurent Destailleur (eldy)" <eldy@users.sourceforge.net>
Subject: Re: Bug#814030: Security flaw fixed in version 6.2.0
Date: Sat, 14 Jan 2017 22:44:53 +0100
On Mon, Jan 09, 2017 at 09:39:30PM +0100, Raphael Hertzog wrote:
> Hi everybody,
> 
> On Thu, 05 Jan 2017, Raphael Hertzog wrote:
> > CCing upstream author for confirmation. Nicola we are trying to understand
> > what security fix went into tcpdf 6.2.0. The bug is private on
> > sourceforge, could you make it public now?
> 
> The upstream bug is now public:
> https://sourceforge.net/p/tcpdf/bugs/1005/

Since K_TCPDF_CALLS_IN_HTML defaults to true in jessie, we should fix this in jessie.

Could someone of the maintainers prepare an update?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Laurent Destailleur (eldy) <eldy@users.sourceforge.net>:
Bug#814030; Package php-tcpdf. (Sun, 19 Feb 2017 16:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laurent Destailleur (eldy) <eldy@users.sourceforge.net>. (Sun, 19 Feb 2017 16:45:03 GMT) (full text, mbox, link).


Message #61 received at 814030@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Raphael Hertzog <hertzog@debian.org>, 814030@bugs.debian.org
Cc: David Prévot <taffit@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>, "Laurent Destailleur (eldy)" <eldy@users.sourceforge.net>, info@tecnick.com
Subject: Re: Bug#814030: Security flaw fixed in version 6.2.0
Date: Sun, 19 Feb 2017 17:40:28 +0100
Control: retitle -1 tcpdf: CVE-2017-6100: LFI posting internal files externally abusing default parameter

Hi,

On Mon, Jan 09, 2017 at 09:39:30PM +0100, Raphael Hertzog wrote:
> On Thu, 05 Jan 2017, Raphael Hertzog wrote:
> > CCing upstream author for confirmation. Nicola we are trying to understand
> > what security fix went into tcpdf 6.2.0. The bug is private on
> > sourceforge, could you make it public now?
> 
> The upstream bug is now public:
> https://sourceforge.net/p/tcpdf/bugs/1005/

FTR, this has been assigned CVE-2017-6100 (yes the 2017 CVE id is a
bit strange given the bug is older).

Moritz asked later on if one of the maintainers can prepare an update
for jessie, what is the status? Is any work in progress yet?

Regards,
Salvatore



Changed Bug title to 'tcpdf: CVE-2017-6100: LFI posting internal files externally abusing default parameter' from 'Security flaw fixed in version 6.2.0'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 814030-submit@bugs.debian.org. (Sun, 19 Feb 2017 16:45:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Laurent Destailleur (eldy) <eldy@users.sourceforge.net>:
Bug#814030; Package php-tcpdf. (Tue, 18 Apr 2017 15:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Laurent Destailleur (eldy) <eldy@users.sourceforge.net>. (Tue, 18 Apr 2017 15:06:03 GMT) (full text, mbox, link).


Message #68 received at 814030@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 814030@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Cc: David Prévot <taffit@debian.org>, "Laurent Destailleur (eldy)" <eldy@users.sourceforge.net>
Subject: Re: Bug#814030: CVE-2017-6100: Security flaw fixed in version 6.2.0
Date: Tue, 18 Apr 2017 17:04:15 +0200
Hello everybody,

On Sat, 14 Jan 2017, Moritz Mühlenhoff wrote:
> > The upstream bug is now public:
> > https://sourceforge.net/p/tcpdf/bugs/1005/
> 
> Since K_TCPDF_CALLS_IN_HTML defaults to true in jessie, we should fix
> this in jessie.
> 
> Could someone of the maintainers prepare an update?

Laurent prepared an update in git a while ago:
https://anonscm.debian.org/cgit/collab-maint/tcpdf.git/log/?h=jessie

Patch here:
https://anonscm.debian.org/cgit/collab-maint/tcpdf.git/commit/?h=jessie&id=7242bd1072bae9e4126c0003d257b8cd097dc6aa

Moritz/Salvatore, do you want this in jessie-proposed-updates or in
jessie-security?

Laurent, did you test the updated package against any reverse
dependency like phpmyadmin or dolibarr?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Laurent Destailleur (eldy) <eldy@users.sourceforge.net>:
Bug#814030; Package php-tcpdf. (Tue, 18 Apr 2017 16:57:02 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Laurent Destailleur (eldy) <eldy@users.sourceforge.net>. (Tue, 18 Apr 2017 16:57:02 GMT) (full text, mbox, link).


Message #73 received at 814030@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Raphael Hertzog <hertzog@debian.org>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 814030@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, David Prévot <taffit@debian.org>, "Laurent Destailleur (eldy)" <eldy@users.sourceforge.net>
Subject: Re: Bug#814030: CVE-2017-6100: Security flaw fixed in version 6.2.0
Date: Tue, 18 Apr 2017 18:54:59 +0200
On Tue, Apr 18, 2017 at 05:04:15PM +0200, Raphael Hertzog wrote:
> Hello everybody,
> 
> On Sat, 14 Jan 2017, Moritz Mühlenhoff wrote:
> > > The upstream bug is now public:
> > > https://sourceforge.net/p/tcpdf/bugs/1005/
> > 
> > Since K_TCPDF_CALLS_IN_HTML defaults to true in jessie, we should fix
> > this in jessie.
> > 
> > Could someone of the maintainers prepare an update?
> 
> Laurent prepared an update in git a while ago:
> https://anonscm.debian.org/cgit/collab-maint/tcpdf.git/log/?h=jessie
> 
> Patch here:
> https://anonscm.debian.org/cgit/collab-maint/tcpdf.git/commit/?h=jessie&id=7242bd1072bae9e4126c0003d257b8cd097dc6aa
> 
> Moritz/Salvatore, do you want this in jessie-proposed-updates or in
> jessie-security?

Please fix these via the upcoming jessie point update.

Thanks,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Laurent Destailleur (eldy) <eldy@users.sourceforge.net>:
Bug#814030; Package php-tcpdf. (Wed, 19 Apr 2017 16:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Laurent Destailleur (eldy) <eldy@users.sourceforge.net>. (Wed, 19 Apr 2017 16:45:03 GMT) (full text, mbox, link).


Message #78 received at 814030@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 814030@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, David Prévot <taffit@debian.org>, "Laurent Destailleur (eldy)" <eldy@users.sourceforge.net>
Subject: Re: Bug#814030: CVE-2017-6100: Security flaw fixed in version 6.2.0
Date: Wed, 19 Apr 2017 18:42:51 +0200
On Tue, 18 Apr 2017, Moritz Mühlenhoff wrote:
> > Moritz/Salvatore, do you want this in jessie-proposed-updates or in
> > jessie-security?
> 
> Please fix these via the upcoming jessie point update.

Ok.

Laurent, can you file a bug against "release.debian.org" to ask for
permission to upload a stable update? (usertag "jessie-pu")

You will have to attach a debdiff between the current version in stable
and the one that you propose to upload. Please do that quickly as the
delay before the next point release is rather short (cf
https://lists.debian.org/debian-live/2017/04/msg00003.html).

And let me know when you got the ack so that I can do the actual upload.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Reply sent to Laurent Destailleur (eldy) <eldy@users.sourceforge.net>:
You have taken responsibility. (Fri, 30 Jun 2017 02:51:12 GMT) (full text, mbox, link).


Notification sent to David Prévot <taffit@debian.org>:
Bug acknowledged by developer. (Fri, 30 Jun 2017 02:51:12 GMT) (full text, mbox, link).


Message #83 received at 814030-close@bugs.debian.org (full text, mbox, reply):

From: Laurent Destailleur (eldy) <eldy@users.sourceforge.net>
To: 814030-close@bugs.debian.org
Subject: Bug#814030: fixed in tcpdf 6.0.093+dfsg-1+deb8u1
Date: Fri, 30 Jun 2017 02:47:37 +0000
Source: tcpdf
Source-Version: 6.0.093+dfsg-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
tcpdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 814030@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laurent Destailleur (eldy) <eldy@users.sourceforge.net> (supplier of updated tcpdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 22 Feb 2017 11:43:27 +0100
Source: tcpdf
Binary: php-tcpdf
Architecture: source all
Version: 6.0.093+dfsg-1+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Laurent Destailleur (eldy) <eldy@users.sourceforge.net>
Changed-By: Laurent Destailleur (eldy) <eldy@users.sourceforge.net>
Description:
 php-tcpdf  - PHP class for generating PDF files on-the-fly
Closes: 814030
Changes:
 tcpdf (6.0.093+dfsg-1+deb8u1) jessie; urgency=medium
 .
   * Fix CVE-2017-6100 by disallowing tcpdf calls in HTML (Closes: #814030)
Checksums-Sha1:
 a6930c409dd9a78065fcbc0ac5a71550b3ba9650 1643 tcpdf_6.0.093+dfsg-1+deb8u1.dsc
 e5176c78068b35c3c8865f2e0abab7cdcb9836b8 5812 tcpdf_6.0.093+dfsg-1+deb8u1.debian.tar.xz
 7d095e222a6cd9654eb3fea805c1e153c479dcdd 7883660 php-tcpdf_6.0.093+dfsg-1+deb8u1_all.deb
Checksums-Sha256:
 f6a2dbca8291a1beedbefc54b95be7d3e28e9ab263a7e88611d7c9657ef5ecbd 1643 tcpdf_6.0.093+dfsg-1+deb8u1.dsc
 007ed4d6858a39e392c67059ecc6d955a3f0fc15789ab64eddb2063750ebc1e2 5812 tcpdf_6.0.093+dfsg-1+deb8u1.debian.tar.xz
 d755700abc9b7e22a3aa6fc8becd2f9339cd0eb2dc7120b8563f5142f7ff36e1 7883660 php-tcpdf_6.0.093+dfsg-1+deb8u1_all.deb
Files:
 4cdbf4767ebe9361eb6275a4037c4d19 1643 php optional tcpdf_6.0.093+dfsg-1+deb8u1.dsc
 7e0a9d770e20c0d58e4bba2f7f45d357 5812 php optional tcpdf_6.0.093+dfsg-1+deb8u1.debian.tar.xz
 f980202c033e796aa448cd533e8b1f87 7883660 php optional php-tcpdf_6.0.093+dfsg-1+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
Comment: Signed by Raphael Hertzog

iQEzBAEBCgAdFiEE1823g1EQnhJ1LsbSA4gdq+vCmrkFAllU8l0ACgkQA4gdq+vC
mrkkMAf/b1QNfqOY65VGfwARc45yOsKOW0PWOiX19jkipzfQcyrG56sqKXFTKJx9
TR412lCpXIPVyXwz17tiWOgM0gcH06YFbumWaEKgFWE5frHMX5QF+AGIuhhHQIq6
O6wkSjmW3/1JvC4xCr7DMqO22pjdhkFyHF+Y5mmwx1atQmywQDkt6NEMu1NF87Jg
ZP04Hz/jZ3gRCsIdLCjNIHxHdrWR/TCG+lA1PzUpHgpmQNFQseTjOGnrDovWgtPs
wWi6ggjJBc0AR6lzBuD5+AR6YgjDd8vokJi93pMEOjPgEU25GJ9WJToa/1Kf8cfr
xyTduVFrU9v5XzgkGcmC0RPI4e5J3g==
=qYWq
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 28 Jul 2017 07:26:59 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:39:33 2019; Machine Name: beach
