TCPDF security update for Debian 11 LTS

A security update for TCPDF has been released for Debian GNU/Linux 11 (Bullseye) LTS, as outlined in the Debian LTS Advisory DLA-4199-1. The update addresses multiple vulnerabilities in TCPDF, a PHP class used for generating PDF files dynamically. The specific vulnerabilities identified include:

1. CVE-2024-22640: Regular Expression Denial of Service (ReDoS) vulnerability when parsing untrusted HTML with crafted colors.
2. CVE-2024-22641: ReDoS vulnerability when processing specially crafted SVG files.
3. CVE-2024-32489: Improper handling of HTML syntax calls.
4. CVE-2024-51058: Local File Inclusion (LFI) vulnerability via the 'src' tag.
5. CVE-2024-56519: Lack of sanitization for the SVG font-family attribute in the setSVGStyles function.
6. CVE-2024-56520: Inadequate handling of font-related issues, including misparsing TrueType fonts.
7. CVE-2024-56522: Failure to use constant-time functions for comparing TCPDF tag hashes in the unserializeTCPDFtag() function.
8. CVE-2024-56527: The Error() function does not apply htmlspecialchars to error messages, potentially leading to security issues.

These vulnerabilities could lead to various security risks, including denial of service, cross-site scripting, or information disclosure. The update resolves these issues in version 6.3.5+dfsg1-1+deb11u1.

Users of Debian 11 Bullseye are encouraged to upgrade their TCPDF packages to maintain system security. For detailed information on the security status of TCPDF, users can refer to its security tracker page. Additional guidance on applying these updates and frequently asked questions about Debian LTS security advisories are available on the Debian wiki.

In conclusion, it is critical for users to remain vigilant and ensure that their systems are up to date with the latest security patches to mitigate potential vulnerabilities and protect sensitive data. Regular updates and monitoring of security advisories are essential practices for maintaining a secure computing environment.

A TCPDF security update has been released for Debian GNU/Linux 11 (Bullseye) LTS:

[DLA 4199-1] tcpdf security update

TCPDF security update for Debian 11 LTS @ Linux Compatible