Hello,

Thank you for reaching out to me. Do you have access to the salsa repository? I would like to have the collaboration pushed there.

Sure, it is best to extract the commit. For another CVE, maybe the one you are searching for: <https://github.com/tecnickcom/TCPDF/commit/17fe9597fb31d3d08c0f02a03338928ab8bcf0b5> is the ReDoS commit.

Also, do not backport the curl changes done to fix one of the CVEs; it would require the dependency on php-curl. I can do more research when I am back at my workstation. But you emailed the right person: I have been monitoring each commit pushed into tcpdf for some years. And yes, no PoC to be found. Quite a shame, fixes come out of nowhere and are released as they are.

-- 
William Desportes

On 16 May 2025 20:13:21 GMT+02:00, "Santiago Ruano Rincón" <santiag...@riseup.net> wrote:
>Hello William, hello all,
>
>This is just a quick heads-up about my on-going work to prepare a
>security update for tcpdf, and to avoid any double work.
>
>Among the currently open CVEs [tcpdf], the most complex backport seems
>to be CVE-2024-32489, since among the two referenced commits, the only
>one that is actually part of the released code is a "squash [of]
>multiple fixes" [82fc97b]. My plan is to isolate the changes relevant to
>the fix.
>
>[tcpdf] https://security-tracker.debian.org/tracker/source-package/tcpdf
>[CVE-2024-32489] https://security-tracker.debian.org/tracker/CVE-2024-32489
>[82fc97b] https://github.com/tecnickcom/TCPDF/commit/82fc97bf1c74c8dbe62b1d3cc6d10fa4b87e0262
>
>Please, if you have any thoughts, questions, comments, ... don't
>hesitate to speak up.
>
>Other than that, there is no PoC publicly available for most of the
>CVEs, and I still need to see how difficult it is to test those.
>
>Cheers,
>
> -- Santiago