dompdf: CVE-2014-2383: arbitrary file read


Debian Bug report logs - #745619


Reported by: Henri Salo <henri@nerv.fi>

Date: Wed, 23 Apr 2014 12:12:02 UTC

Severity: normal

Tags: fixed-upstream, security

Found in version php-dompdf/0.6.0~beta3+dfsg0-1

Fixed in version 0.6.1+dfsg-1

Done: David Prévot <taffit@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#745619; Package php-dompdf. (Wed, 23 Apr 2014 12:12:06 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Wed, 23 Apr 2014 12:12:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: dompdf: CVE-2014-2383: arbitrary file read
Date: Wed, 23 Apr 2014 15:09:02 +0300
Package: php-dompdf
Version: 0.6.0~beta3+dfsg0-1
Severity: normal
Tags: security, fixed-upstream

https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/
https://github.com/dompdf/dompdf/releases

A user is at risk if he/she has enabled DOMPDF_ENABLE_REMOTE in
dompdf_config.inc.php, which is not recommended:

/**
 * Enable remote file access
 *
 * If this setting is set to true, DOMPDF will access remote sites for
 * images and CSS files as required.
 * This is required for part of test case www/test/image_variants.html through www/examples.php
 *
 * Attention!
 * This can be a security risk, in particular in combination with DOMPDF_ENABLE_PHP and
 * allowing remote access to dompdf.php or on allowing remote html code to be passed to
 * $dompdf = new DOMPDF(); $dompdf->load_html(...);
 * This allows anonymous users to download legally doubtful internet content which on
 * tracing back appears to being downloaded by your server, or allows malicious php code
 * in remote html pages to be executed by your server with your account privileges.
 *
 * @var bool
 */
def("DOMPDF_ENABLE_REMOTE", false);

Fixed in 0.6.1 release. I reproduced this issue and the PDF output file did
include only 90 characters (no line breaks). Low priority issue.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.9-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php-dompdf depends on:
ii  fonts-dejavu  2.34-1
ii  php-font-lib  0~20120210+dfsg-1
ii  php5          5.5.11+dfsg-3
ii  php5-cli      5.5.11+dfsg-3
ii  sdop          0.80-1

php-dompdf recommends no packages.

Versions of packages php-dompdf suggests:
pn  php-tcpdf  <none>
ii  php5-cli   5.5.11+dfsg-3
pn  php5-gd    <none>

-- no debconf information
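The report above ties the exposure to the DOMPDF_ENABLE_REMOTE setting in dompdf_config.inc.php, and the upstream comment it quotes singles out the combination with DOMPDF_ENABLE_PHP as the worst case. The following audit script is an added example, not part of this bug report and not dompdf's own code: it parses the `def("NAME", value);` lines of a 0.6.x-style config file, reports the risky settings in severity order, and emits a hardened copy with remote access and inline PHP switched off. The config excerpt it runs on is constructed for the example; DOMPDF_CHROOT is a setting from the same 0.6.x config file that the report itself does not quote, and is treated here as an assumption.

```python
import re

# Constructed sample of a dompdf 0.6.x dompdf_config.inc.php excerpt
# (not taken from any real deployment). Both risky switches are on.
SAMPLE_CONFIG = '''<?php
def("DOMPDF_ENABLE_PHP", true);
def("DOMPDF_ENABLE_REMOTE", true);
def("DOMPDF_CHROOT", realpath(DOMPDF_DIR));
def("DOMPDF_DEFAULT_FONT", "serif");
'''

# Matches one def("NAME", value); statement per line; the value is kept raw
# (PHP literal or expression) so that non-boolean settings survive a rewrite.
DEF_RE = re.compile(
    r'^(?P<indent>[ \t]*)def\(\s*"(?P<name>[A-Z_]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;',
    re.M,
)


def parse_defs(config_text):
    """Return {NAME: raw value string} for every def() line in the config."""
    return {m.group("name"): m.group("value") for m in DEF_RE.finditer(config_text)}


def is_true(raw):
    """PHP boolean literal check on the raw value text."""
    return raw.strip().lower() == "true"


def audit(config_text):
    """Return findings as 'LEVEL: message' strings, most severe first."""
    defs = parse_defs(config_text)
    remote = is_true(defs.get("DOMPDF_ENABLE_REMOTE", "false"))
    php = is_true(defs.get("DOMPDF_ENABLE_PHP", "false"))
    findings = []
    if remote and php:
        # The combination the upstream comment warns about explicitly.
        findings.append("HIGH: DOMPDF_ENABLE_REMOTE and DOMPDF_ENABLE_PHP both enabled")
    if remote:
        findings.append("MEDIUM: DOMPDF_ENABLE_REMOTE enabled "
                        "(CVE-2014-2383 file read on dompdf < 0.6.1)")
    if php:
        findings.append("MEDIUM: DOMPDF_ENABLE_PHP enabled (inline PHP in documents)")
    if "DOMPDF_CHROOT" not in defs:
        # Assumed setting (not quoted in the report): confines local file access.
        findings.append("LOW: DOMPDF_CHROOT not set")
    return findings


def harden(config_text):
    """Return a copy of the config with remote access and inline PHP disabled.

    Other def() lines are preserved byte-for-byte, indentation included.
    """
    risky = {"DOMPDF_ENABLE_REMOTE", "DOMPDF_ENABLE_PHP"}

    def repl(m):
        if m.group("name") in risky:
            return '%sdef("%s", false);' % (m.group("indent"), m.group("name"))
        return m.group(0)

    return DEF_RE.sub(repl, config_text)


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
    print("--- hardened config ---")
    print(harden(SAMPLE_CONFIG))
```

Run against a real dompdf_config.inc.php, `audit()` gives the checklist a reviewer would want before exposing dompdf.php or feeding it externally supplied HTML; `harden()` is a starting point, not a substitute for upgrading to 0.6.1 or later, which is where the report says the file-read issue was fixed.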

Reply sent to David Prévot <taffit@debian.org>:
You have taken responsibility. (Wed, 23 Apr 2014 21:54:10 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Wed, 23 Apr 2014 21:54:10 GMT)


Message #10 received at 745619-done@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: Henri Salo <henri@nerv.fi>, 745619-done@bugs.debian.org
Subject: Re: Bug#745619: dompdf: CVE-2014-2383: arbitrary file read
Date: Wed, 23 Apr 2014 17:50:03 -0400
Version: 0.6.1+dfsg-1

On Wed, Apr 23, 2014 at 03:09:02PM +0300, Henri Salo wrote:
> Package: php-dompdf
[…]
> Fixed in 0.6.1 release. I reproduced this issue and the PDF output file did
> include only 90 characters (no line breaks). Low priority issue.

Thanks, since 0.6.1+dfsg-1 was already in experimental, I just uploaded
0.6.1+dfsg-2 to Sid.

Regards

David

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 27 May 2014 07:28:25 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:25:21 2019; Machine Name: buxtehude
