[pkg-php-pear] Bug#1064781: php-dompdf-svg-lib: CVE-2024-25117

Salvatore Bonaccorso carnil at debian.org
Sun Feb 25 20:21:38 GMT 2024


Source: php-dompdf-svg-lib
Version: 0.5.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for php-dompdf-svg-lib.

CVE-2024-25117[0]:
| php-svg-lib is a scalable vector graphics (SVG) file
| parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails
| to validate that font-family doesn't contain a PHAR url, which might
| lead to RCE on PHP < 8.0, and doesn't validate if external
| references are allowed. This might lead to bypass of restrictions
| or RCE on projects that are using it, if they do not strictly
| revalidate the fontName that is passed by php-svg-lib. The
| `Style::fromAttributes()`, or the `Style::parseCssStyle()` should
| check the content of the `font-family` and prevent it from using a PHAR
| url, to avoid passing an invalid and dangerous `fontName` value to
| other libraries. The same check as done in the
| `Style::fromStyleSheets` might be reused. Libraries using this
| library as a dependency might be vulnerable to some bypass of
| restrictions, or even remote code execution, if they do not double
| check the value of the `fontName` that is passed by php-svg-lib.
| Version 0.5.2 contains a fix for this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25117
    https://www.cve.org/CVERecord?id=CVE-2024-25117
[1] https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-f3qr-qr4x-j273
[2] https://github.com/dompdf/php-svg-lib/commit/732faa9fb4309221e2bd9b2fda5de44f947133aa
[3] https://github.com/dompdf/php-svg-lib/commit/8ffcc41bbde39f09f94b9760768086f12bbdce42

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
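The advisory quoted above asks that the parsed `font-family` value be checked before it is handed on as a `fontName`, and that downstream projects revalidate that value themselves. The following is an added example of such a check written for this page; it is not php-svg-lib's own code, not the upstream fix, and the function names `isSafeFontFamily` and `sanitizeFontFamilyList` are my own. It goes slightly beyond the advisory by rejecting any URL scheme (not only `phar://`) and any path separator, since a font family name never legitimately needs either.

```php
<?php
// Added example for CVE-2024-25117 (not php-svg-lib code): reject font-family
// values that are stream-wrapper URLs or paths before they reach a font loader.
declare(strict_types=1);

/**
 * Return true only when $fontFamily looks like a plain CSS family name.
 * Rejected: any "scheme:" prefix (phar://, file://, http://, data:, also
 * a Windows drive letter such as C:), path separators and NUL bytes.
 */
function isSafeFontFamily(string $fontFamily): bool
{
    // Strip surrounding whitespace and optional CSS quoting.
    $name = trim($fontFamily, " \t\n\r\0\x0B\"'");
    if ($name === '') {
        return false;
    }
    // RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
    // Case-insensitive, so PHAR:// is caught as well as phar://.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $name) === 1) {
        return false;
    }
    // Slash, backslash or NUL inside a family name indicates a path, not a font.
    if (preg_match('~[\\\\/\x00]~', $name) === 1) {
        return false;
    }
    return true;
}

/**
 * Split a comma-separated font-family list, keep only the safe entries,
 * and return them unquoted. A caller can fall back to a default family
 * when the returned array is empty.
 */
function sanitizeFontFamilyList(string $fontFamilyList): array
{
    $kept = [];
    foreach (explode(',', $fontFamilyList) as $family) {
        if (isSafeFontFamily($family)) {
            $kept[] = trim($family, " \t\n\r\0\x0B\"'");
        }
    }
    return $kept;
}

// Constructed sample attribute values (placeholders, not taken from the advisory).
$samples = [
    'Helvetica',
    '"DejaVu Sans"',
    'phar://placeholder.phar/font',
    'PHAR://PLACEHOLDER/font',
    'http://example.invalid/font.ttf',
    '../fonts/placeholder',
];
foreach ($samples as $value) {
    printf("%-35s => %s\n", $value, isSafeFontFamily($value) ? 'accepted' : 'rejected');
}

// A mixed list keeps only the plain names.
print_r(sanitizeFontFamilyList('"DejaVu Sans", phar://placeholder.phar/font, serif'));
```

Only the first two samples are accepted; the mixed list yields `DejaVu Sans` and `serif`. The check is deliberately stricter than a `phar://` blacklist: because the advisory also notes that external references were not validated, refusing every scheme keeps a renderer from fetching remote or local resources through the font name at all, and a project that embeds php-svg-lib can apply the same function to the `fontName` it receives as the double check the advisory recommends.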
