Debian Bug report logs - #745619
dompdf: CVE-2014-2383: arbitrary file read
Reported by: Henri Salo <henri@nerv.fi>
Date: Wed, 23 Apr 2014 12:12:02 UTC
Severity: normal
Tags: fixed-upstream, security
Found in version php-dompdf/0.6.0~beta3+dfsg0-1
Fixed in version 0.6.1+dfsg-1
Done: David Prévot <taffit@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>: Bug#745619; Package php-dompdf. (Wed, 23 Apr 2014 12:12:06 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: New Bug report received and forwarded. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Wed, 23 Apr 2014 12:12:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: php-dompdf
Version: 0.6.0~beta3+dfsg0-1
Severity: normal
Tags: security, fixed-upstream
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/
https://github.com/dompdf/dompdf/releases
A user is at risk if they have enabled DOMPDF_ENABLE_REMOTE in
dompdf_config.inc.php, which is not recommended:
/**
 * Enable remote file access
 *
 * If this setting is set to true, DOMPDF will access remote sites for
 * images and CSS files as required.
 * This is required for part of test case www/test/image_variants.html through www/examples.php
 *
 * Attention!
 * This can be a security risk, in particular in combination with DOMPDF_ENABLE_PHP and
 * allowing remote access to dompdf.php or on allowing remote html code to be passed to
 * $dompdf = new DOMPDF(); $dompdf->load_html(...);
 * This allows anonymous users to download legally doubtful internet content which on
 * tracing back appears to being downloaded by your server, or allows malicious php code
 * in remote html pages to be executed by your server with your account privileges.
 *
 * @var bool
 */
def("DOMPDF_ENABLE_REMOTE", false);
Fixed in the 0.6.1 release. I reproduced this issue and the PDF output file
included only 90 characters (no line breaks). Low priority issue.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.9-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages php-dompdf depends on:
ii fonts-dejavu 2.34-1
ii php-font-lib 0~20120210+dfsg-1
ii php5 5.5.11+dfsg-3
ii php5-cli 5.5.11+dfsg-3
ii sdop 0.80-1
php-dompdf recommends no packages.
Versions of packages php-dompdf suggests:
pn php-tcpdf <none>
ii php5-cli 5.5.11+dfsg-3
pn php5-gd <none>
-- no debconf information
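The report above ties the exposure to two settings in dompdf_config.inc.php: DOMPDF_ENABLE_REMOTE (the CVE-2014-2383 precondition) and, per the quoted upstream comment, its combination with DOMPDF_ENABLE_PHP. The following audit helper is an added example, not code from the bug report or from dompdf; it parses the def("DOMPDF_...", true|false) lines of a config file and reports the risky states. The sample config text is constructed, and the parser assumes the constants are set only through def() lines in that file.

```python
import re

# Constructed sample of the relevant lines of a dompdf_config.inc.php
# (not the project's real file). The def() form matches the snippet
# quoted in the report.
SAMPLE_CONFIG = '''
def("DOMPDF_ENABLE_PHP", false);
def("DOMPDF_ENABLE_REMOTE", true);
def("DOMPDF_ENABLE_CSS_FLOAT", false);
'''

# Matches uncommented lines of the form: def("DOMPDF_NAME", true|false);
# Lines inside the /* ... */ doc comment start with " *" and do not match.
DEF_RE = re.compile(
    r'^\s*def\(\s*"(DOMPDF_[A-Z_]+)"\s*,\s*(true|false)\s*\)\s*;',
    re.MULTILINE,
)


def parse_defs(text):
    """Return {setting_name: bool} for every boolean def() line in text.

    Assumption: constants are only set via def() in this file; a constant
    defined earlier by the embedding application is not visible here.
    """
    return {name: (value == "true") for name, value in DEF_RE.findall(text)}


def assess(text):
    """Return a list of findings about the remote-access settings.

    Missing settings fall back to the upstream default of false, as in the
    def("DOMPDF_ENABLE_REMOTE", false) line quoted in the report.
    """
    settings = parse_defs(text)
    remote = settings.get("DOMPDF_ENABLE_REMOTE", False)
    php = settings.get("DOMPDF_ENABLE_PHP", False)
    findings = []
    if remote:
        findings.append(
            "DOMPDF_ENABLE_REMOTE is true: affected by CVE-2014-2383 "
            "unless php-dompdf is at 0.6.1+dfsg-1 or later"
        )
    if remote and php:
        findings.append(
            "DOMPDF_ENABLE_REMOTE and DOMPDF_ENABLE_PHP are both true: "
            "remote HTML can carry PHP that runs with the server's privileges"
        )
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_CONFIG) or ["no remote-access findings"]:
        print(finding)
```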
Reply sent to David Prévot <taffit@debian.org>: You have taken responsibility. (Wed, 23 Apr 2014 21:54:10 GMT)
Notification sent to Henri Salo <henri@nerv.fi>: Bug acknowledged by developer. (Wed, 23 Apr 2014 21:54:10 GMT)
Message #10 received at 745619-done@bugs.debian.org:
Version: 0.6.1+dfsg-1
On Wed, Apr 23, 2014 at 03:09:02PM +0300, Henri Salo wrote:
> Package: php-dompdf
[…]
> Fixed in the 0.6.1 release. I reproduced this issue and the PDF output file
> included only 90 characters (no line breaks). Low priority issue.
Thanks, since 0.6.1+dfsg-1 was already in experimental, I just uploaded
0.6.1+dfsg-2 to Sid.
Regards
David
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 27 May 2014 07:28:25 GMT)
Last modified: Wed Jun 19 18:25:21 2019