Version in base suite: 0.5.0-3 Base version: php-dompdf-svg-lib_0.5.0-3 Target version: php-dompdf-svg-lib_0.5.0-3+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/php-dompdf-svg-lib/php-dompdf-svg-lib_0.5.0-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/php-dompdf-svg-lib/php-dompdf-svg-lib_0.5.0-3+deb12u1.dsc changelog | 10 ++ patches/Fix-CVE-2023-50251-CVE-2023-50252.patch | 64 +++++++++++++ patches/Fix-CVE-2023-50251.patch | 69 ++++++++++++++ patches/Fix-CVE-2024-25117.patch | 118 ++++++++++++++++++++++++ patches/series | 3 5 files changed, 264 insertions(+)
diff -Nru php-dompdf-svg-lib-0.5.0/debian/changelog php-dompdf-svg-lib-0.5.0/debian/changelog
--- php-dompdf-svg-lib-0.5.0/debian/changelog 2023-02-05 10:47:36.000000000 +0000
+++ php-dompdf-svg-lib-0.5.0/debian/changelog 2024-03-06 23:10:13.000000000 +0000
@@ -1,3 +1,13 @@
+php-dompdf-svg-lib (0.5.0-3+deb12u1) bookworm-security; urgency=medium
+
+ * Add patches for phar:// url validations
+ - CVE-2023-50251 and CVE-2023-50252 (#1058641)
+ - CVE-2024-25117 (#1064781)
+ * Add a patch for infinite recursion vulnerability
+ - CVE-2023-50251 (#1058641)
+
+ -- William Desportes Thu, 07 Mar 2024 00:10:13 +0100
+
 php-dompdf-svg-lib (0.5.0-3) unstable; urgency=medium

 * Adjust license to LGPL-3.0+ (Closes: #1030539)
diff -Nru php-dompdf-svg-lib-0.5.0/debian/patches/Fix-CVE-2023-50251-CVE-2023-50252.patch php-dompdf-svg-lib-0.5.0/debian/patches/Fix-CVE-2023-50251-CVE-2023-50252.patch
--- php-dompdf-svg-lib-0.5.0/debian/patches/Fix-CVE-2023-50251-CVE-2023-50252.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-dompdf-svg-lib-0.5.0/debian/patches/Fix-CVE-2023-50251-CVE-2023-50252.patch 2024-03-06 23:10:13.000000000 +0000
@@ -0,0 +1,64 @@
+From: Brian Sweeney
+Date: Fri, 1 Dec 2023 13:09:24 -0500
+Subject: Add basic protection against PHAR deserialization
+
+This also includes an option to disable external file references. This applies to images and fonts. External file references are allowed by default, but future version will disallow by default.
+
+Origin: upstream
+Fixes: CVE-2023-50251, CVE-2023-50252
+Bug-Debian: https://bugs.debian.org/1058641
+---
+ src/Svg/Document.php | 2 ++
+ src/Svg/Style.php | 10 ++++++++++
+ src/Svg/Tag/Image.php | 4 ++++
+ 3 files changed, 16 insertions(+)
+
+diff --git a/src/Svg/Document.php b/src/Svg/Document.php
+index 4de226e..309875b 100644
+--- a/src/Svg/Document.php
++++ b/src/Svg/Document.php
+@@ -53,6 +53,8 @@ class Document extends AbstractTag
+ /** @var \Sabberworm\CSS\CSSList\Document[] */
+ protected $styleSheets = array();
+
++ public $allowExternalReferences = true;
++
+ public function loadFile($filename)
+ {
+ $this->filename = $filename;
+diff --git a/src/Svg/Style.php b/src/Svg/Style.php
+index 14b11e9..514f546 100644
+--- a/src/Svg/Style.php
++++ b/src/Svg/Style.php
+@@ -139,6 +139,16 @@ class Style
+ break;
+ }
+ }
++
++ if (
++ \array_key_exists("font-family", $styles)
++ && (
++ \strtolower(\substr($this->href, 0, 7)) === "phar://"
++ || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5)) !== "data:")
++ )
++ ) {
++ unset($style["font-family"]);
++ }
+ }
+ }
+
+diff --git a/src/Svg/Tag/Image.php b/src/Svg/Tag/Image.php
+index bda17ea..8cbfccd 100644
+--- a/src/Svg/Tag/Image.php
++++ b/src/Svg/Tag/Image.php
+@@ -58,6 +58,10 @@ class Image extends AbstractTag
+
+ $this->document->getSurface()->transform(1, 0, 0, -1, 0, $height);
+
++ if (\strtolower(\substr($this->href, 0, 7)) === "phar://" || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5) !== "data:"))) {
++ return;
++ }
++
+ $this->document->getSurface()->drawImage($this->href, $this->x,
$this->y, $this->width, $this->height);
+ }
+
diff -Nru php-dompdf-svg-lib-0.5.0/debian/patches/Fix-CVE-2023-50251.patch php-dompdf-svg-lib-0.5.0/debian/patches/Fix-CVE-2023-50251.patch
--- php-dompdf-svg-lib-0.5.0/debian/patches/Fix-CVE-2023-50251.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-dompdf-svg-lib-0.5.0/debian/patches/Fix-CVE-2023-50251.patch 2024-03-06 23:10:13.000000000 +0000
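Review bot: The guard added in the src/Svg/Style.php hunk looks ineffective as written, because the condition tests `$styles` while the body unsets `$style["font-family"]`, and it reads `$this->href` and `$this->document`, which this patch does not add to Style (whether Style already has them is not visible here). In the src/Svg/Tag/Image.php hunk, `\strtolower(\substr($this->href, 0, 5) !== "data:")` lowercases the comparison result instead of the prefix, so the `data:` test is case-sensitive. Both spots are rewritten by Fix-CVE-2024-25117.patch later in this upload, so anyone cherry-picking should carry the two patches together; a header line such as `Note: incomplete without Fix-CVE-2024-25117.patch (the font-family check here has no effect)` would record that. The enclosing methods start and end outside these hunks.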
@@ -0,0 +1,69 @@
+From: Brian Sweeney
+Date: Mon, 20 Nov 2023 16:06:30 -0500
+Subject: Prevent circular reference in use elements
+
+Origin: upstream
+Fixes: CVE-2023-50251
+Bug-Debian: https://bugs.debian.org/1058641
+---
+ src/Svg/Tag/UseTag.php | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/src/Svg/Tag/UseTag.php b/src/Svg/Tag/UseTag.php
+index c5f00ea..4fae752 100644
+--- a/src/Svg/Tag/UseTag.php
++++ b/src/Svg/Tag/UseTag.php
+@@ -14,12 +14,19 @@ class UseTag extends AbstractTag
+ protected $y = 0;
+ protected $width;
+ protected $height;
++ protected $instances = 0;
+
+ /** @var AbstractTag */
+ protected $reference;
+
+ protected function before($attributes)
+ {
++ $this->instances++;
++ if ($this->instances > 1) {
++ //TODO: log circular reference error state
++ return;
++ }
++
+ if (isset($attributes['x'])) {
+ $this->x = $attributes['x'];
+ }
+@@ -52,6 +59,9 @@ class UseTag extends AbstractTag
+ }
+
+ protected function after() {
++ if ($this->instances > 0) {
++ return;
++ }
+ parent::after();
+
+ if ($this->reference) {
+@@ -63,6 +73,11 @@ class UseTag extends AbstractTag
+
+ public function handle($attributes)
+ {
++ if ($this->instances > 1) {
++ //TODO: log circular reference error state
++ return;
++ }
++
+ parent::handle($attributes);
+
+ if (!$this->reference) {
+@@ -87,6 +102,11 @@ class UseTag extends AbstractTag
+
+ public function handleEnd()
+ {
++ $this->instances--;
++ if ($this->instances > 0) {
++ return;
++ }
++
+ parent::handleEnd();
+
+ if (!$this->reference) {
diff -Nru php-dompdf-svg-lib-0.5.0/debian/patches/Fix-CVE-2024-25117.patch php-dompdf-svg-lib-0.5.0/debian/patches/Fix-CVE-2024-25117.patch
--- php-dompdf-svg-lib-0.5.0/debian/patches/Fix-CVE-2024-25117.patch 1970-01-01 00:00:00.000000000 +0000
+++ php-dompdf-svg-lib-0.5.0/debian/patches/Fix-CVE-2024-25117.patch 2024-03-06 23:10:13.000000000 +0000
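Review bot: The re-entry counter in UseTag is not visibly balanced: `handle()` returns early on `$this->instances > 1` without incrementing, the only increment in these hunks is in `before()`, and `handleEnd()` always runs `$this->instances--`. Whether a skipped `handle()` is still paired with a `handleEnd()` depends on parser code outside the hunks, but if it is, the counter can drift below zero and later `> 0` / `> 1` comparisons on the same tag object become unreliable. Clamping the decrement, e.g. `if ($this->instances > 0) { $this->instances--; }`, or a comment beside `protected $instances = 0;` stating the required call pairing, would make the invariant explicit. The two `//TODO: log circular reference error state` branches also drop the element silently, so a rejected circular reference leaves no trace for whoever operates the renderer.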
@@ -0,0 +1,118 @@
+From: Brian Sweeney
+Date: Wed, 31 Jan 2024 09:55:55 -0500
+Subject: Update resource validation logic
+
+The previous logic did not validate the font-family when set by attribute. To accommodate style validation across all sources the Style class now accepts the Document during construction so that it has access to the allowExternalReferences property regardless of style source.
+
+Origin: upstream
+Fixes: CVE-2024-25117
+Bug-Debian: https://bugs.debian.org/1064781
+---
+ src/Svg/Document.php | 2 +-
+ src/Svg/Style.php | 27 +++++++++++++++++----------
+ src/Svg/Tag/AbstractTag.php | 2 +-
+ src/Svg/Tag/Image.php | 6 +++++-
+ 4 files changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/src/Svg/Document.php b/src/Svg/Document.php
+index 309875b..990cfde 100644
+--- a/src/Svg/Document.php
++++ b/src/Svg/Document.php
+@@ -202,7 +202,7 @@ class Document extends AbstractTag
+ {
+ $surface = $this->getSurface();
+
+- $style = new DefaultStyle();
++ $style = new DefaultStyle($this);
+ $style->inherit($this);
+ $style->fromAttributes($attributes);
+
+diff --git a/src/Svg/Style.php b/src/Svg/Style.php
+index 514f546..9fac469 100644
+--- a/src/Svg/Style.php
++++ b/src/Svg/Style.php
+@@ -18,6 +18,7 @@ class Style
+ const TYPE_ANGLE = 4;
+ const TYPE_NUMBER = 5;
+
++ private $_document;
+ private $_parentStyle;
+
+ public $color;
+@@ -43,6 +44,12 @@ class Style
+ public $fontStyle = 'normal';
+ public $textAnchor = 'start';
+
++ public function __construct($document = null) {
++ if ($document !== null) {
++ $this->_document = $document;
++ }
++ }
++
+ protected function getStyleMap()
+ {
+ return array(
+@@ -139,16 +146,6 @@ class Style
+ break;
+ }
+ }
+-
+- if (
+- \array_key_exists("font-family", $styles)
+- && (
+- \strtolower(\substr($this->href, 0, 7)) === "phar://"
+- || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5)) !== "data:")
+- )
+- ) {
+- unset($style["font-family"]);
+- }
+ }
+ }
+
+@@ -185,6
+182,16 @@ class Style
+ $value = $styles[$from];
+ }
+
++ if ($from === "font-family") {
++ $scheme = \strtolower(parse_url($value, PHP_URL_SCHEME) ?: "");
++ if (
++ $scheme === "phar" || \strtolower(\substr($value, 0, 7)) === "phar://"
++ || ($this->_document !== null && $this->_document->allowExternalReferences === false && $scheme !== "data")
++ ) {
++ continue;
++ }
++ }
++
+ if ($value !== null) {
+ $this->$to = $value;
+ }
+diff --git a/src/Svg/Tag/AbstractTag.php b/src/Svg/Tag/AbstractTag.php
+index 9fa6793..e368aab 100644
+--- a/src/Svg/Tag/AbstractTag.php
++++ b/src/Svg/Tag/AbstractTag.php
+@@ -119,7 +119,7 @@ abstract class AbstractTag
+ * @return Style
+ */
+ protected function makeStyle($attributes) {
+- $style = new Style();
++ $style = new Style($this->document);
+ $style->inherit($this);
+ $style->fromStyleSheets($this, $attributes);
+ $style->fromAttributes($attributes);
+diff --git a/src/Svg/Tag/Image.php b/src/Svg/Tag/Image.php
+index 8cbfccd..de397c4 100644
+--- a/src/Svg/Tag/Image.php
++++ b/src/Svg/Tag/Image.php
+@@ -58,7 +58,11 @@ class Image extends AbstractTag
+
+ $this->document->getSurface()->transform(1, 0, 0, -1, 0, $height);
+
+- if (\strtolower(\substr($this->href, 0, 7)) === "phar://" || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5) !== "data:"))) {
++ $scheme = \strtolower(parse_url($this->href, PHP_URL_SCHEME) ?: "");
++ if (
++ $scheme === "phar" || \strtolower(\substr($this->href, 0, 7)) === "phar://"
++ || ($this->document->allowExternalReferences === false && $scheme !== "data")
++ ) {
+ return;
+ }
+
diff -Nru php-dompdf-svg-lib-0.5.0/debian/patches/series php-dompdf-svg-lib-0.5.0/debian/patches/series
--- php-dompdf-svg-lib-0.5.0/debian/patches/series 2023-02-02 10:48:26.000000000 +0000
+++ php-dompdf-svg-lib-0.5.0/debian/patches/series 2024-03-06 23:10:13.000000000 +0000
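Review bot: In the src/Svg/Style.php hunk at `-185,6 +182,16`, `parse_url($value, PHP_URL_SCHEME)` and `\substr($value, 0, 7)` run before the existing `if ($value !== null)` check a few lines below, so an unset font-family appears to reach them as null, which PHP 8.1 and later report as a deprecated null-to-string argument. Guarding the block with `if ($from === "font-family" && $value !== null) {` keeps the behaviour and avoids that. The external-reference restriction is also skipped whenever `$this->_document` is null, which the new constructor permits through `$document = null`; a comment on `__construct` saying that a Style built without a Document enforces only the `phar` rejection would make that fail-open case visible to callers. The start of the loop lies outside the hunk, so how `$value` is initialised should be confirmed there.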
@@ -1 +1,4 @@
 Replace-sabberworm-php-css-parser-by-php-horde-css-parser.patch
+Fix-CVE-2023-50251-CVE-2023-50252.patch
+Fix-CVE-2024-25117.patch
+Fix-CVE-2023-50251.patch