[pkg-php-pear] Bug#745619: dompdf: CVE-2014-2383: arbitrary file read
Henri Salo
henri at nerv.fi
Wed Apr 23 12:09:02 UTC 2014
Package: php-dompdf
Version: 0.6.0~beta3+dfsg0-1
Severity: normal
Tags: security, fixed-upstream
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/
https://github.com/dompdf/dompdf/releases
Users are at risk if they have enabled DOMPDF_ENABLE_REMOTE in
dompdf_config.inc.php, which is not recommended:
/**
 * Enable remote file access
 *
 * If this setting is set to true, DOMPDF will access remote sites for
 * images and CSS files as required.
 * This is required for part of test case www/test/image_variants.html through www/examples.php
 *
 * Attention!
 * This can be a security risk, in particular in combination with DOMPDF_ENABLE_PHP and
 * allowing remote access to dompdf.php or on allowing remote html code to be passed to
 * $dompdf = new DOMPDF(); $dompdf->load_html(...);
 * This allows anonymous users to download legally doubtful internet content which on
 * tracing back appears to being downloaded by your server, or allows malicious php code
 * in remote html pages to be executed by your server with your account privileges.
 *
 * @var bool
 */
def("DOMPDF_ENABLE_REMOTE", false);
Fixed in the 0.6.1 release. I reproduced this issue and the PDF output file
included only 90 characters (no line breaks). Low-priority issue.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.9-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages php-dompdf depends on:
ii fonts-dejavu 2.34-1
ii php-font-lib 0~20120210+dfsg-1
ii php5 5.5.11+dfsg-3
ii php5-cli 5.5.11+dfsg-3
ii sdop 0.80-1
php-dompdf recommends no packages.
Versions of packages php-dompdf suggests:
pn php-tcpdf <none>
ii php5-cli 5.5.11+dfsg-3
pn php5-gd <none>
-- no debconf information
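A resource-fetch policy in the spirit of the config comment quoted above, added here as an example and not code from dompdf or from this report: with remote access on it accepts only http/https URLs, and with remote access off only files under a base directory; stream wrappers and parent-directory escapes are refused in both modes. The function names and the temporary directory layout are assumptions made for the demo.

```php
<?php
// Added illustration, not dompdf's own code: a fetch policy that follows the
// two modes DOMPDF_ENABLE_REMOTE describes. resolve_resource(), expect() and
// the directory layout below are assumptions made for this example.

/**
 * Decide whether a resource reference (an <img src> or CSS url() value)
 * may be fetched. Returns the resolved target, or null when it must be
 * refused. $enable_remote mirrors the DOMPDF_ENABLE_REMOTE setting.
 */
function resolve_resource(string $ref, bool $enable_remote, string $base_dir): ?string
{
    $scheme = parse_url($ref, PHP_URL_SCHEME);
    if ($scheme !== null) {
        // Only plain http/https count as "remote". php://, file://, data:
        // and every other stream wrapper are refused whatever the setting.
        $ok = is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true);
        return ($enable_remote && $ok) ? $ref : null;
    }
    // Local reference: must resolve to an existing path inside $base_dir,
    // so ".." segments and symlinks cannot reach outside it.
    $base = realpath($base_dir);
    $target = realpath($base_dir . DIRECTORY_SEPARATOR . $ref);
    if ($base === false || $target === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

function expect(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("policy check failed: $what"); }
}

// Self-check on a constructed directory (names are made up for the demo).
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dompdf_demo_' . getmypid();
mkdir($base . '/img', 0700, true);
file_put_contents($base . '/img/logo.png', 'placeholder, not a real image');

expect(resolve_resource('img/logo.png', false, $base) === realpath($base . '/img/logo.png'), 'local file');
expect(resolve_resource('..', false, $base) === null, 'parent directory escape');
expect(resolve_resource('php://memory', true, $base) === null, 'stream wrapper');
expect(resolve_resource('https://example.com/a.png', false, $base) === null, 'remote disabled');
expect(resolve_resource('https://example.com/a.png', true, $base) === 'https://example.com/a.png', 'remote enabled');

unlink($base . '/img/logo.png'); rmdir($base . '/img'); rmdir($base);
```

The script exits silently when every check holds and throws on the first policy decision that differs from the expected one.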