[pkg-php-pear] Bug#1015874: php-dompdf: CVE-2022-2400
Moritz Mühlenhoff
jmm at inutil.org
Fri Jul 22 21:55:28 BST 2022
Source: php-dompdf
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for php-dompdf.
CVE-2022-2400[0]:
| External Control of File Name or Path in GitHub repository
| dompdf/dompdf prior to 2.0.0.
https://huntr.dev/bounties/a6da5e5e-86be-499a-a3c3-2950f749202a
The isolated patch is
https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a
but if php-dompdf is to be included in Bookworm, it should really
be updated to 2.0.0, otherwise the current version will be over
seven years old when Bookworm gets released.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-2400
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2400
Please adjust the affected versions in the BTS as needed.