[SECURITY] [DLA 4199-1] tcpdf security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4199-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Santiago Ruano Rincón
May 31, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : tcpdf
Version : 6.3.5+dfsg1-1+deb11u1
CVE ID : CVE-2024-22640 CVE-2024-22641 CVE-2024-32489 CVE-2024-51058
CVE-2024-56519 CVE-2024-56520 CVE-2024-56522 CVE-2024-56527
Multiple security issues were discovered in TCPDF, a PHP class for
generating PDF files on-the-fly, which may result in denial of service,
cross-site scripting or information disclosure.
CVE-2024-22640
ReDoS (Regular Expression Denial of Service) if parsing an untrusted HTML
page with a crafted color.
CVE-2024-22641
ReDoS (Regular Expression Denial of Service) when parsing a specially
crafted SVG file.
CVE-2024-32489
TCPDF mishandles calls that use HTML syntax.
CVE-2024-51058
Local File Inclusion (LFI) vulnerability through the src tag.
CVE-2024-56519
setSVGStyles does not sanitize the SVG font-family attribute.
CVE-2024-56520
TCPDF, through its use of tc-lib-pdf-font, mishandles fonts like FontBBox
for Type 1 and misparses TrueType fonts.
CVE-2024-56522
The unserializeTCPDFtag() function does not use a constant-time
function to compare TCPDF tag hashes.
CVE-2024-56527
The Error() function lacks an htmlspecialchars call for the error message.
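The two defect classes behind CVE-2024-56522 and CVE-2024-56527 (a timing-variable hash comparison before deserialising a tag, and an error message echoed into HTML unescaped) shown beside their hardened forms. This is an added PHP illustration, not TCPDF's or Debian's code: the "<hex hmac>+<serialized payload>" tag layout, the function names and the demo key are assumptions made here, not TCPDF's real format.

```php
<?php
// Hypothetical tag layout (assumption, not TCPDF's): "<64 hex chars hmac>+<serialized payload>".
function tag_hash(string $payload, string $key): string {
    return hash_hmac('sha256', $payload, $key);
}

// Weak pattern (the class of bug in CVE-2024-56522): a plain string comparison
// may return as soon as bytes differ, so response time leaks how much of the
// expected hash the caller got right.
function unserialize_tag_weak(string $tag, string $key) {
    $hash = substr($tag, 0, 64);
    $payload = substr($tag, 65);
    if ($hash === tag_hash($payload, $key)) {           // timing-variable
        return unserialize($payload, ['allowed_classes' => false]);
    }
    return null;
}

// Hardened pattern: validate the layout, compare with hash_equals() in constant
// time, and only then hand the payload to unserialize().
function unserialize_tag_safe(string $tag, string $key) {
    if (strpos($tag, '+') !== 64) {                      // malformed tag
        return null;
    }
    $hash = substr($tag, 0, 64);
    $payload = substr($tag, 65);
    if (!hash_equals(tag_hash($payload, $key), $hash)) { // constant-time
        return null;
    }
    return unserialize($payload, ['allowed_classes' => false]);
}

// The class of bug in CVE-2024-56527: caller-influenced text placed in HTML
// without escaping, beside the escaped version.
function render_error_weak(string $msg): string {
    return '<strong>TCPDF ERROR: </strong>' . $msg;      // unescaped
}
function render_error_safe(string $msg): string {
    return '<strong>TCPDF ERROR: </strong>'
         . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
}

// Constructed demo values.
$key = 'constructed-demo-key';
$payload = serialize(['x' => 10, 'y' => 20]);
$tag = tag_hash($payload, $key) . '+' . $payload;
var_dump(unserialize_tag_safe($tag, $key));                    // array with x, y
var_dump(unserialize_tag_safe('00' . substr($tag, 2), $key));  // NULL: hash mismatch
echo render_error_safe('<b>font "x" not found</b>'), "\n";     // tags shown as text
```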
For Debian 11 bullseye, these problems have been fixed in version
6.3.5+dfsg1-1+deb11u1.
We recommend that you upgrade your tcpdf packages.
For the detailed security status of tcpdf please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tcpdf
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS