tcpdf: CVE-2018-17057

Debian Bug report logs - #908866

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 15 Sep 2018 09:45:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version tcpdf/6.2.13+dfsg-1

Fixed in version tcpdf/6.2.26+dfsg-1

Done: Emanuele Rocca <ema@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#908866; Package src:tcpdf. (Sat, 15 Sep 2018 09:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian QA Group <packages@qa.debian.org>. (Sat, 15 Sep 2018 09:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tcpdf: CVE-2018-17057
Date: Sat, 15 Sep 2018 11:41:49 +0200
Source: tcpdf
Version: 6.2.13+dfsg-1
Severity: grave
Tags: patch security upstream

Hi,

The following vulnerability was published for tcpdf.

CVE-2018-17057[0]:
| An issue was discovered in TCPDF before 6.2.22. Attackers can trigger
| deserialization of arbitrary data via the phar:// wrapper.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17057
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17057
[1] https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
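
As an added example (not part of this bug report, not TCPDF's own code, and not a reproduction of the upstream fix linked as [1]), the PHP below shows the defensive check a file loader should make before handing a caller-supplied path to filesystem functions such as file_exists() or fopen(): reject any stream-wrapper URL, phar:// included, and then confine the resolved path to one allowed directory. The function names, the temporary base directory and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example: defensive path screening for a PHP file loader.
// Not TCPDF code and not the upstream patch for CVE-2018-17057; the
// function names and layout are assumptions made for this demo.
declare(strict_types=1);

/**
 * Return true only if $path carries no stream-wrapper scheme.
 * PHP looks wrapper names up case-insensitively, so PHAR://, Phar:// and
 * phar:// all select the phar wrapper; the match is case-insensitive too.
 * Rejecting every "scheme://" prefix also covers data://, php://, http://
 * and any user-registered wrapper, not just phar://.
 */
function isPlainLocalPath(string $path): bool
{
    // A NUL byte would truncate the path inside C-level file functions.
    if (strpos($path, "\0") !== false) {
        return false;
    }
    return preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) !== 1;
}

/**
 * Treat $path as relative to $baseDir, canonicalise it, and confirm the
 * result still lies inside $baseDir. Returns the canonical path, or null
 * when the input is a wrapper URL, does not exist, or escapes the base
 * directory (via "..", or a symlink pointing elsewhere). The wrapper check
 * runs first, so no filesystem call ever sees a wrapper URL.
 */
function resolveInsideBase(string $baseDir, string $path): ?string
{
    if (!isPlainLocalPath($path)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $path);
    if ($real === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demonstration: a throwaway base directory holding one file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'loader-demo-' . bin2hex(random_bytes(4));
mkdir($base, 0700);
file_put_contents($base . DIRECTORY_SEPARATOR . 'logo.png', "\x89PNG\r\n\x1a\n");

$inputs = [
    'logo.png',                          // inside the base directory: accepted
    './logo.png',                        // same file, normalised: accepted
    'missing.png',                       // does not exist: rejected
    '../../etc/passwd',                  // escapes the base directory: rejected
    'phar://archive.phar/image.png',     // wrapper URL: rejected before any fs call
    'PHAR://archive.phar/image.png',     // same wrapper, different case: rejected
    'data://text/plain;base64,QUFBQQ==', // any other wrapper: rejected
];
foreach ($inputs as $in) {
    $out = resolveInsideBase($base, $in);
    printf("%-38s => %s\n", $in, $out === null ? 'rejected' : 'ok: ' . $out);
}

unlink($base . DIRECTORY_SEPARATOR . 'logo.png');
rmdir($base);
```

The order of the two checks is the point: the wrapper test is a pure string operation, so phar:// input is discarded before file_exists(), filesize(), getimagesize() or fopen() can open the archive and unserialize its metadata. Confining the canonical path to a base directory is an independent control against traversal and is worth keeping even where the loader legitimately needs absolute paths (adapt the relative-to-base rule accordingly). PHP 8.0 stopped unserializing phar metadata automatically on such calls, but a path that is supposed to name a local file still has no business carrying a wrapper scheme, so the check remains the right default on any PHP version.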



No longer marked as found in versions tcpdf/6.2.13+dfsg-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sat, 20 Oct 2018 16:30:05 GMT)


Added tag(s) fixed-upstream. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sat, 20 Oct 2018 16:30:06 GMT)


Removed tag(s) patch. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sat, 20 Oct 2018 16:30:07 GMT)


Marked as found in versions tcpdf/6.2.13+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 20 Oct 2018 18:51:05 GMT)


Added indication that bug 908866 blocks 915470. Request was from Adrian Bunk <bunk@debian.org> to submit@bugs.debian.org. (Mon, 03 Dec 2018 22:42:05 GMT)


Added indication that bug 908866 blocks 915473. Request was from Adrian Bunk <bunk@debian.org> to submit@bugs.debian.org. (Mon, 03 Dec 2018 22:51:06 GMT)


Reply sent to Emanuele Rocca <ema@debian.org>:
You have taken responsibility. (Mon, 25 Feb 2019 22:09:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 25 Feb 2019 22:09:03 GMT)


Message #22 received at 908866-close@bugs.debian.org:

From: Emanuele Rocca <ema@debian.org>
To: 908866-close@bugs.debian.org
Subject: Bug#908866: fixed in tcpdf 6.2.26+dfsg-1
Date: Mon, 25 Feb 2019 22:08:13 +0000
Source: tcpdf
Source-Version: 6.2.26+dfsg-1

We believe that the bug you reported is fixed in the latest version of
tcpdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 908866@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emanuele Rocca <ema@debian.org> (supplier of updated tcpdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 25 Feb 2019 22:23:26 +0100
Source: tcpdf
Binary: php-tcpdf
Architecture: source all
Version: 6.2.26+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Emanuele Rocca <ema@debian.org>
Description:
 php-tcpdf  - PHP class for generating PDF files on-the-fly
Closes: 908866
Changes:
 tcpdf (6.2.26+dfsg-1) unstable; urgency=medium
 .
   [ Emanuele Rocca ]
   * QA upload
   * New upstream release (Closes: #908866, CVE-2018-17057)
 .
   [ Jelmer Vernooij ]
   * Use secure copyright file specification URI.
   * Trim trailing whitespace.
 .
   [ Ondřej Nový ]
   * d/rules: Remove trailing whitespaces
   * d/watch: Use https protocol
Checksums-Sha1:
 85ac1d1bb4bd7d8ef676a102f438e4823f95ac3d 1852 tcpdf_6.2.26+dfsg-1.dsc
 95f1963a36c0c321f28873ea4af39a7ea291ef7a 10777849 tcpdf_6.2.26+dfsg.orig.tar.gz
 b86c6c73dc28e70cd67ca05daa4ca9eb2da9ed55 5812 tcpdf_6.2.26+dfsg-1.debian.tar.xz
 24f01c66658da865a7da3c9ed83071559ba3818f 7830892 php-tcpdf_6.2.26+dfsg-1_all.deb
 7907e6f369cb88554bfca4d57b633d6adade6ce1 5323 tcpdf_6.2.26+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 37a42ab41190f1092821941491a01ba8b9115af767b367366b9b992789cd3d82 1852 tcpdf_6.2.26+dfsg-1.dsc
 14da284ddf8db4730ff0e4769c506f42cba3e25e7501e0e72ac8b63439815f09 10777849 tcpdf_6.2.26+dfsg.orig.tar.gz
 8f20516ae7a613957d394315709bb23ba0ada5a8cdfc313cc7061118220f71ec 5812 tcpdf_6.2.26+dfsg-1.debian.tar.xz
 4ca5302277c5927f234906e81d7a5c187354e82d4dd0155e764309a189f0dd01 7830892 php-tcpdf_6.2.26+dfsg-1_all.deb
 b7d354fe60873b4da63a9c0a3fb8b0a7f6ff14bf89b4c4961fb40f5204782d49 5323 tcpdf_6.2.26+dfsg-1_amd64.buildinfo
Files:
 e3d0c6ae853c1407c44fee065e54003d 1852 php optional tcpdf_6.2.26+dfsg-1.dsc
 239ed6e7e4bc086e8baec9b4f25c33dc 10777849 php optional tcpdf_6.2.26+dfsg.orig.tar.gz
 4eef11dd355783c6a07888f2d977e733 5812 php optional tcpdf_6.2.26+dfsg-1.debian.tar.xz
 cc1d13c71efb1fb3211ffba830949bba 7830892 php optional php-tcpdf_6.2.26+dfsg-1_all.deb
 a96f6d590eff3755e4528ba2583902d9 5323 php optional tcpdf_6.2.26+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJDBAEBCgAtFiEElUWWlhkoHBf/rFiR1QhaB1D9t6MFAlx0YCcPHGVtYUBkZWJp
YW4ub3JnAAoJENUIWgdQ/bejCUMQAIo2x3zbL7JeNee/DUMe4MWNgj/PBKCgsQUe
8BwZ7F+eLHEsltV7zaPvui2zLjkFW0AADYT5ZGBhAeIaMiEX8ruvJIcfG/mT9zMT
YGrPcJjpZh52EihOwp/W517OV3fIU6HMsNkfUj+LNAFUFyjAnbcIpBsA8scHzZA4
RW+eNZI2LHYJ8IGJt5jzq/kkgtojb1wx11mr4GRFBfaMrxfPi82U4imo4K++ljKT
FABb9vfIudy2qKwdS3y5I7pGzIDZyITkYRKdP1sNVv+3RJLga/kx8hWA4oBXcbsh
+HR5gOqBmEWrJuM49MhoNw5euzVt89eyJR+CRTxM3MxHNa9U7KTp75RJvv+XO7Wg
/gCq1LfKXVgQmdgkbK/ljnf44E4OgmGtSZgDlNAsn3nx3q76fDnHY9mL1apsShxJ
BNmSXMfBW6nJf3JQDkQb7mnom5NB8GGe4+o6h8fmehqUdOEYY/Xb0lU2WG+qd4lW
CHV7i4N8eDej/1sVk6UmAucrAtXAqn+pChlPp5hpnwGsNeCTMWyXBFSIpjPu1hr0
aX+EXRxkuWFI2mAjlIB6pvWiVKwZ1Rl4WLFP2YomBltyTb80rlmL7KBrjwvVUmBI
8U7FDDHObH8gRENx/2gHP0byLMDcSjBi4Q3zF8O7uIZKfAfzMg+7qFc+Gt3H28AA
fsfHTOfU
=AEs6
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Mar 2019 07:29:32 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:13:25 2019; Machine Name: buxtehude
