On Friday 20 December 2024, 08:03:49 UTC, Adrian Bunk wrote:
> Hi,
>
> could someone with more knowledge about PHP look at the following:
>
> https://security-tracker.debian.org/tracker/CVE-2024-22640
> https://github.com/zunak/CVE-2024-22640
> https://security-tracker.debian.org/tracker/CVE-2024-22641
> https://github.com/zunak/CVE-2024-22641
>
> Changing the PoCs to
> require_once('/usr/share/php/tcpdf/tcpdf.php');
> I cannot reproduce the issue in bookworm or jessie,
> it just seems to work fine already without the fix.

ReDoS is a timing issue. Did you test preg_last_error() after the last line?

> Am I doing something stupid here, or is there some reason why we might
> not be affected by these CVEs?

It depends on the PCRE library of the day and its options:
https://www.php.net/manual/fr/pcre.configuration.php

ReDoS are usually patched easily, so go ahead.

Bastien

> Thanks
> Adrian
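The check Bastien is asking for, as an added example that is not part of the thread and not TCPDF's code: PHP's PCRE wrapper aborts a runaway match at pcre.backtrack_limit (interpreter) or at the JIT stack limit (pcre.jit=1), so preg_match() returns false almost immediately and the only visible symptom is a non-zero preg_last_error(). A PoC that just watches the wall clock, or that treats false as "no match", will therefore report "not affected" on a build where the pattern still backtracks catastrophically. The pattern below is a constructed textbook evil regex, not the TCPDF pattern from the CVEs; the function names are mine.

```php
<?php
// Added example (not from the thread or from TCPDF). Demonstrates why a ReDoS
// PoC can "seem to work fine": PCRE gives up at pcre.backtrack_limit or the
// JIT stack limit, preg_match() returns false in milliseconds, and only
// preg_last_error() reveals that the engine aborted rather than finished.

// Constructed pattern with nested quantifiers (classic catastrophic
// backtracking). This is NOT the TCPDF regex behind CVE-2024-22640/22641.
$pattern = '/^(a+)+$/';

// Almost-matching input: the trailing '!' forces the engine to try every way
// of splitting the run of a's before failing, i.e. exponential backtracking.
$input = str_repeat('a', 40) . '!';

// Map an error code from preg_last_error() to its constant name. The list is
// guarded with defined() so the script also runs on old PHP (jessie's 5.6).
function describePregError($code)
{
    $names = array('PREG_NO_ERROR', 'PREG_INTERNAL_ERROR',
                   'PREG_BACKTRACK_LIMIT_ERROR', 'PREG_RECURSION_LIMIT_ERROR',
                   'PREG_BAD_UTF8_ERROR', 'PREG_BAD_UTF8_OFFSET_ERROR',
                   'PREG_JIT_STACKLIMIT_ERROR');
    foreach ($names as $name) {
        if (defined($name) && constant($name) === $code) {
            return $name;
        }
    }
    return 'unknown(' . $code . ')';
}

// Run the match once and capture result, error code and elapsed time together.
// preg_last_error() must be read immediately after the preg_* call, before any
// other preg_* function runs and overwrites it.
function probeRedos($pattern, $input)
{
    $t0 = microtime(true);
    $result = preg_match($pattern, $input);
    $elapsed = (microtime(true) - $t0) * 1000;
    $err = preg_last_error();
    return array(
        'result' => $result,   // 1 = match, 0 = no match, false = engine error
        'error'  => $err,
        'name'   => describePregError($err),
        'ms'     => round($elapsed, 2),
    );
}

// ini_get() returns false for a directive the build does not register
// (pcre.jit is absent when PHP was built without JIT support).
function iniOrNa($name)
{
    $v = ini_get($name);
    return $v === false ? 'n/a' : $v;
}

printf("pcre.jit=%s pcre.backtrack_limit=%s pcre.recursion_limit=%s\n",
    iniOrNa('pcre.jit'), iniOrNa('pcre.backtrack_limit'), iniOrNa('pcre.recursion_limit'));

$r = probeRedos($pattern, $input);
printf("preg_match() returned %s in %.2f ms, preg_last_error()=%d (%s)\n",
    var_export($r['result'], true), $r['ms'], $r['error'], $r['name']);

// The naive PoC question is "did it hang?". The question that actually decides
// whether a backport is needed is "did the engine finish, or did it give up?".
if ($r['result'] === false && $r['error'] !== PREG_NO_ERROR) {
    echo "Engine aborted the match: the pattern still backtracks catastrophically.\n";
} elseif ($r['ms'] > 1000) {
    echo "Match took over a second: ReDoS reproduced by timing.\n";
} else {
    echo "Match completed normally.\n";
}
```

Run it twice, once with `php -d pcre.jit=1` and once with `php -d pcre.jit=0`; with the default backtrack limit both runs typically return false within milliseconds, with PREG_JIT_STACKLIMIT_ERROR or PREG_BACKTRACK_LIMIT_ERROR respectively, which is the "works fine without the fix" illusion. To turn the abort back into the stall the CVE describes, disable JIT and raise the limit (for example `-d pcre.jit=0 -d pcre.backtrack_limit=2000000000`) and watch the elapsed time grow; raising the limit alone does nothing while JIT is on, because the JIT stack limit still cuts the match short. Because compiled patterns are cached per request, set these directives on the command line or before the first preg_* call rather than toggling them between calls.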