[pkg-php-pear] Bug#1058793: php-dompdf: CVE-2023-50262: Resource exhaustion caused by infinite recursion when validating SVG images

Salvatore Bonaccorso carnil at debian.org
Sat Dec 16 13:45:36 GMT 2023 

Source: php-dompdf
Version: 2.0.3+dfsg-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 2.0.3+dfsg-1

Hi,

The following vulnerability was published for php-dompdf.

CVE-2023-50262[0]:
| Dompdf is an HTML to PDF converter for PHP. When parsing SVG images
| Dompdf performs an initial validation to ensure that paths within
| the SVG are allowed. One of the validations is that the SVG document
| does not reference itself. However, prior to version 2.0.4, a
| recursive chained using two or more SVG documents is not correctly
| validated. Depending on the system configuration and attack pattern
| this could exhaust the memory available to the executing process
| and/or to the server itself.  php-svg-lib, when run in isolation,
| does not support SVG references for `image` elements. However, when
| used in combination with Dompdf, php-svg-lib will process SVG images
| referenced by an `image` element. Dompdf currently includes
| validation to prevent self-referential `image` references, but a
| chained reference is not checked. A malicious actor may thus trigger
| infinite recursion by chaining references between two or more SVG
| images.  When Dompdf parses a malicious payload, it will crash due
| after exceeding the allowed execution time or memory usage. An
| attacker sending multiple request to a system can potentially cause
| resource exhaustion to the point that the system is unable to handle
| incoming request.  Version 2.0.4 contains a fix for this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50262
    https://www.cve.org/CVERecord?id=CVE-2023-50262
[1] https://github.com/dompdf/dompdf/security/advisories/GHSA-3qx2-6f78-w2j2
[2] https://github.com/dompdf/dompdf/commit/41cbac16f3cf56affa49f06e8dae66d0eac2b593

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

More information about the pkg-php-pear mailing list