[pkg-php-pear] Bug#1124537: bookworm-pu: package php-dompdf/2.0.3+dfsg-1+deb12u1
Abhijith PA
abhijith at debian.org
Fri Jan 2 16:41:46 GMT 2026
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: php-dompdf at packages.debian.org
Control: affects -1 + src:php-dompdf
[ Reason ]
This version fixes CVE-2023-50262, an SVG file reference recursion validation
issue. All other suites already have this issue fixed.
[ Impact ]
They are susceptible to CVE-2023-50262
[ Tests ]
I ran autopkgtest available in this package and was successful.
[ Risks ]
Not much. The patch is backported from version 2.0.4 and fitted without
any fuzz. Plus the autopkgtest went fine.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x ] the issue is verified as fixed in unstable
--abhijith
diff -Nru php-dompdf-2.0.3+dfsg/debian/changelog php-dompdf-2.0.3+dfsg/debian/changelog
--- php-dompdf-2.0.3+dfsg/debian/changelog 2023-02-08 18:11:16.000000000 +0530
+++ php-dompdf-2.0.3+dfsg/debian/changelog 2026-01-02 15:26:29.000000000 +0530
@@ -1,3 +1,10 @@
+php-dompdf (2.0.3+dfsg-1+deb12u1) bookworm; urgency=medium
+
+ * Fix CVE-2023-50262: Improve SVG file reference recursion
+ validation
+
+ -- Abhijith PA <abhijith at debian.org> Fri, 02 Jan 2026 15:26:29 +0530
+
php-dompdf (2.0.3+dfsg-1) unstable; urgency=medium
* New upstream version 2.0.3 (CVE-2023-24813)
diff -Nru php-dompdf-2.0.3+dfsg/debian/patches/CVE-2023-50262.patch php-dompdf-2.0.3+dfsg/debian/patches/CVE-2023-50262.patch
--- php-dompdf-2.0.3+dfsg/debian/patches/CVE-2023-50262.patch 1970-01-01 05:30:00.000000000 +0530
+++ php-dompdf-2.0.3+dfsg/debian/patches/CVE-2023-50262.patch 2026-01-02 15:24:34.000000000 +0530
@@ -0,0 +1,94 @@
+From 41cbac16f3cf56affa49f06e8dae66d0eac2b593 Mon Sep 17 00:00:00 2001
+From: Brian Sweeney <bsweeney at aaas.org>
+Date: Mon, 4 Dec 2023 09:19:28 -0500
+Subject: [PATCH] Improve SVG file reference recursion validation
+
+---
+ src/Image/Cache.php | 48 ++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 39 insertions(+), 9 deletions(-)
+
+diff --git a/src/Image/Cache.php b/src/Image/Cache.php
+index 8e36aa2b7..b3e1d0e9e 100644
+--- a/src/Image/Cache.php
++++ b/src/Image/Cache.php
+@@ -31,6 +31,14 @@ class Cache
+ */
+ protected static $tempImages = [];
+
++ /**
++ * Array of image references from an SVG document.
++ * Used to detect circular references across SVG documents.
++ *
++ * @var array
++ */
++ protected static $svgRefs = [];
++
+ /**
+ * The url to the "broken image" used when images can't be loaded
+ *
+@@ -134,20 +142,28 @@ static function resolve_url($url, $protocol, $host, $base_path, Options $options
+ $parser,
+ function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
+ if (strtolower($name) === "image") {
++ if (!\array_key_exists($full_url, self::$svgRefs)) {
++ self::$svgRefs[$full_url] = [];
++ }
+ $attributes = array_change_key_case($attributes, CASE_LOWER);
+ $urls = [];
+ $urls[] = $attributes["xlink:href"] ?? "";
+ $urls[] = $attributes["href"] ?? "";
+ foreach ($urls as $url) {
+- if (!empty($url)) {
+- $inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $url);
+- if ($inner_full_url === $full_url) {
+- throw new ImageException("SVG self-reference is not allowed", E_WARNING);
+- }
+- [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $options);
+- if (!empty($message)) {
+- throw new ImageException("This SVG document references a restricted resource. $message", E_WARNING);
+- }
++ if (empty($url)) {
++ continue;
++ }
++
++ $inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $url);
++ if (empty($inner_full_url)) {
++ continue;
++ }
++
++ self::detectCircularRef($full_url, $inner_full_url);
++ self::$svgRefs[$full_url][] = $inner_full_url;
++ [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $options);
++ if (!empty($message)) {
++ throw new ImageException("This SVG document references a restricted resource. $message", E_WARNING);
+ }
+ }
+ }
+@@ -178,6 +194,19 @@ function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
+ return [$resolved_url, $type, $message];
+ }
+
++ static function detectCircularRef(string $src, string $target)
++ {
++ if (!\array_key_exists($target, self::$svgRefs)) {
++ return;
++ }
++ foreach (self::$svgRefs[$target] as $ref) {
++ if ($ref === $src) {
++ throw new ImageException("Circular external SVG image reference detected.", E_WARNING);
++ }
++ self::detectCircularRef($src, $ref);
++ }
++ }
++
+ /**
+ * Register a temp file for the given original image file.
+ *
+@@ -239,6 +268,7 @@ static function clear(bool $debugPng = false)
+
+ self::$_cache = [];
+ self::$tempImages = [];
++ self::$svgRefs = [];
+ }
+
+ static function detect_type($file, $context = null)
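Review bot: The `image` callback in the `@@ -134,20 +142,28 @@` inner hunk records a self-loop before it can be detected: for an SVG whose image points at its own URL, `detectCircularRef($full_url, $full_url)` sees an empty `self::$svgRefs[$full_url]` and returns, and the next line appends `$full_url` to its own reference list; the explicit `$inner_full_url === $full_url` check the previous code had is removed rather than kept. Because `detectCircularRef` in the `@@ -178,6 +194,19 @@` hunk has no visited set or depth bound, any later call with a different `$src` and that URL as `$target` recurses on the self-loop without terminating, and since the static array is only reset in `clear()` this can presumably surface in a later document within the same process — whether the first throw is caught and rendering continues is not visible here. I would restore the self-reference check ahead of the `detectCircularRef` call, and have the walk skip URLs it has already expanded, as below; `detectCircularRef` should also get a docblock and a `void` return type, like the `$svgRefs` property it relies on. The callback starts outside the second inner hunk, inside `resolve_url`.
```php
                    // … unchanged: build $inner_full_url, skip empty …
                    if ($inner_full_url === $full_url) {
                        throw new ImageException("SVG self-reference is not allowed", E_WARNING);
                    }
                    self::detectCircularRef($full_url, $inner_full_url);
                    self::$svgRefs[$full_url][] = $inner_full_url;
                    // … unchanged: resolve_url call and restricted-resource check …

    /**
     * Throw if $target already references $src, directly or transitively,
     * so that recording the edge $src -> $target would close a cycle.
     * $visited collects URLs already expanded in this walk so that shared
     * or repeated references are not walked again.
     *
     * @param array<string, true> $visited
     * @throws ImageException
     */
    static function detectCircularRef(string $src, string $target, array &$visited = []): void
    {
        if (isset($visited[$target]) || !\array_key_exists($target, self::$svgRefs)) {
            return;
        }
        $visited[$target] = true;
        foreach (self::$svgRefs[$target] as $ref) {
            if ($ref === $src) {
                throw new ImageException("Circular external SVG image reference detected.", E_WARNING);
            }
            self::detectCircularRef($src, $ref, $visited);
        }
    }
```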
diff -Nru php-dompdf-2.0.3+dfsg/debian/patches/series php-dompdf-2.0.3+dfsg/debian/patches/series
--- php-dompdf-2.0.3+dfsg/debian/patches/series 2023-02-04 18:18:32.000000000 +0530
+++ php-dompdf-2.0.3+dfsg/debian/patches/series 2026-01-02 15:24:34.000000000 +0530
@@ -1,3 +1,4 @@
0001-Exclude-adobe-font-check.patch
0002-Change-dir-variables-to-debian-dirs.patch
0003-Change-font-dir-for-local-build-tests.patch
+CVE-2023-50262.patch