[pkg-php-pear] Bug#1010090: closed by Adrian Bunk <bunk at debian.org> (Re: Bug#1010090: php-dompdf: CVE-2022-28368)

Salvatore Bonaccorso carnil at debian.org
Sun May 22 16:03:10 BST 2022


Hi Adrian,

On Sun, May 22, 2022 at 01:09:03PM +0000, Debian Bug Tracking System wrote:
> > Hi,
> > 
> > The following vulnerability was published for php-dompdf.
> > 
> > I raise this as grave to ask the following question as well from
> > future inclusion in bookworm: Is php-dompdf still maintained? I notice
> > that it's at version 0.6.2 since stretch with one single NMU from the
> > reproducible builds team. Or should it be removed from Debian?
> 
> It is orphaned, and the maintainer of the reverse dependency has some
> interest in keeping it (see #978994).

Oh, in this case it is best if the reverse dependency maintainer picks
it actually up. I agree there is no one to be forced, but I'm worried
that it's the same version back some releases, while there would be
several new upstream versions released in the meantime which seem they
should be updated and enter bookworm accordingly.

> > CVE-2022-28368[0]:
> > | Dompdf 1.2.1 allows remote code execution via a .php file in the
> > | src:url field of an @font-face Cascading Style Sheets (CSS) statement
> > | (within an HTML input file).
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >...
> 
> The vulnerability was introduced in 0.8.0, which is more recent than any 
> version currently in Debian:
> https://github.com/dompdf/dompdf/commit/0e0261b7bce372b3a05b712a023f6f742a22d57e

Thanks for triaging further the issue and updating the
security-tracker data!

Regards,
Salvatore
