Version in base suite: 6.6.2+dfsg1-1
Base version: tcpdf_6.6.2+dfsg1-1
Target version: tcpdf_6.6.2+dfsg1-1+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/tcpdf/tcpdf_6.6.2+dfsg1-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/t/tcpdf/tcpdf_6.6.2+dfsg1-1+deb12u1.dsc
changelog | 23 +
control | 2
gitlab-ci.yml | 1
patches/0001-Update-regexp-to-fix-CVE-2024-22641.patch | 25 +
patches/0001-fix-CSV-2024-22640-712.patch | 29 +
patches/CVE-2024-32489.patch | 255 +++++++++++++++++
patches/CVE-2024-51058.patch | 91 ++++++
patches/CVE-2024-56519.patch | 26 +
patches/CVE-2024-56520.patch | 129 ++++++++
patches/CVE-2024-56522.patch | 26 +
patches/CVE-2024-56527.patch | 24 +
patches/series | 8
rules | 1
13 files changed, 639 insertions(+), 1 deletion(-)
diff -Nru tcpdf-6.6.2+dfsg1/debian/changelog tcpdf-6.6.2+dfsg1/debian/changelog
--- tcpdf-6.6.2+dfsg1/debian/changelog 2022-12-23 20:14:51.000000000 +0000
+++ tcpdf-6.6.2+dfsg1/debian/changelog 2025-05-29 16:17:39.000000000 +0000
@@ -1,3 +1,26 @@
+tcpdf (6.6.2+dfsg1-1+deb12u1) bookworm-security; urgency=medium
+
+ * Exclude quilt managed directory .pc/ from phpab in debian/rules
+ * Explicitly specify RELEASE: bookworm in d/gitlab-ci.yml
+ * Fix CVE-2024-22640: ReDoS (Regular Expression Denial of Service) if
+ parsing an untrusted HTML page with a crafted color
+ * Fix CVE-2024-22641: ReDoS (Regular Expression Denial of Service) if
+ parsing an untrusted SVG file
+ * Fix CVE-2024-32489: tcpdf mishandles calls that use HTML syntax
+ * Fix CVE-2024-51058: Local File Inclusion (LFI) vulnerability through
+ src tag
+ * Fix CVE-2024-56519: setSVGStyles does not sanitize the SVG font-family
+ attribute
+ * Fix CVE-2024-56520: tcpdf, through its use of tc-lib-pdf-font, mishandles
+ fonts like FontBBox for Type 1 and incorrectly parses TrueType fonts
+ * Fix CVE-2024-56522: unserializeTCPDFtag doesn't make use of constant-time
+ function to compare TCPDF tag hashes
+ * Fix CVE-2024-56527: the Error function lacks an htmlspecialchars call for
+ the error message
+ * Update git branch in the VCS-Git d/control field
+
+ -- Santiago Ruano Rincón Thu, 29 May 2025 13:17:39 -0300
+
tcpdf (6.6.2+dfsg1-1) unstable; urgency=medium
* New upstream version 6.6.2+dfsg1
diff -Nru tcpdf-6.6.2+dfsg1/debian/control tcpdf-6.6.2+dfsg1/debian/control
--- tcpdf-6.6.2+dfsg1/debian/control 2022-12-23 20:14:51.000000000 +0000
+++ tcpdf-6.6.2+dfsg1/debian/control 2025-05-27 21:38:49.000000000 +0000
@@ -9,7 +9,7 @@
phpab
Standards-Version: 4.6.2
Vcs-Browser: https://salsa.debian.org/phpmyadmin-team/tcpdf
-Vcs-Git: https://salsa.debian.org/phpmyadmin-team/tcpdf.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/phpmyadmin-team/tcpdf.git -b debian/bookworm
Homepage: https://www.tcpdf.org/
Rules-Requires-Root: binary-targets
diff -Nru tcpdf-6.6.2+dfsg1/debian/gitlab-ci.yml tcpdf-6.6.2+dfsg1/debian/gitlab-ci.yml
--- tcpdf-6.6.2+dfsg1/debian/gitlab-ci.yml 2022-12-23 20:14:51.000000000 +0000
+++ tcpdf-6.6.2+dfsg1/debian/gitlab-ci.yml 2025-05-26 18:36:40.000000000 +0000
@@ -4,3 +4,4 @@
variables:
SALSA_CI_REPROTEST_ARGS: '--print-sudoers --vary=user_group.available+=root:root --vary=user_group.available+=www-data:www-data --vary=domain_host.use_sudo=1'
+ RELEASE: bookworm
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/0001-Update-regexp-to-fix-CVE-2024-22641.patch tcpdf-6.6.2+dfsg1/debian/patches/0001-Update-regexp-to-fix-CVE-2024-22641.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/0001-Update-regexp-to-fix-CVE-2024-22641.patch 1970-01-01 00:00:00.000000000 +0000
+++ tcpdf-6.6.2+dfsg1/debian/patches/0001-Update-regexp-to-fix-CVE-2024-22641.patch 2025-05-26 18:36:40.000000000 +0000
@@ -0,0 +1,25 @@
+From 17fe9597fb31d3d08c0f02a03338928ab8bcf0b5 Mon Sep 17 00:00:00 2001
+From: nicolaasuni
+Date: Sat, 26 Oct 2024 13:08:26 +0100
+Subject: [PATCH] Update regexp to fix CVE-2024-22641
+
+Bug-Debian: https://bugs.debian.org/1072528
+Origin: backport, https://github.com/tecnickcom/TCPDF/commit/17fe9597fb31d3d08c0f02a03338928ab8bcf0b5
+
+---
+ tcpdf.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+Index: tcpdf/tcpdf.php
+===================================================================
+--- tcpdf.orig/tcpdf.php
++++ tcpdf/tcpdf.php
+@@ -23284,7 +23284,7 @@ Putting 1 is equivalent to putting 0 and
+ $text_color = TCPDF_COLORS::convertHTMLColorToDec($svgstyle['text-color'], $this->spot_colors);
+ $this->setTextColorArray($text_color);
+ // clip
+- if (preg_match('/rect\(([a-z0-9\-\.]*)[\s]*([a-z0-9\-\.]*)[\s]*([a-z0-9\-\.]*)[\s]*([a-z0-9\-\.]*)\)/si', $svgstyle['clip'], $regs)) {
++ if (preg_match('/rect\(([a-z0-9\-\.]*+)[\s]*+([a-z0-9\-\.]*+)[\s]*+([a-z0-9\-\.]*+)[\s]*+([a-z0-9\-\.]*+)\)/si', $svgstyle['clip'], $regs)) {
+ $top = (isset($regs[1])?$this->getHTMLUnitToUnits($regs[1], 0, $this->svgunit, false):0);
+ $right = (isset($regs[2])?$this->getHTMLUnitToUnits($regs[2], 0, $this->svgunit, false):0);
+ $bottom = (isset($regs[3])?$this->getHTMLUnitToUnits($regs[3], 0, $this->svgunit, false):0);
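Review bot: The embedded diffstat (`tcpdf.php | 8 ++++----`, "4 insertions(+), 4 deletions(-)") no longer describes this backport, which carries a single one-line hunk at `@@ -23284,7 +23284,7 @@`. The same drift appears in CVE-2024-51058.patch (lists CHANGELOG.TXT, VERSION, composer.json and include/tcpdf_static.php), CVE-2024-56520.patch, CVE-2024-56522.patch and CVE-2024-56527.patch (each lists CHANGELOG.TXT), none of which are in the trimmed patches. Either drop the stale diffstat lines or state in the DEP-3 header that only the tcpdf.php (or include/tcpdf_fonts.php) part of the upstream commit is included, so a reader auditing the fix does not go looking for missing hunks. The `Origin: backport, …` header is already present, so the diffstat is the only stale piece of metadata here.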
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/0001-fix-CSV-2024-22640-712.patch tcpdf-6.6.2+dfsg1/debian/patches/0001-fix-CSV-2024-22640-712.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/0001-fix-CSV-2024-22640-712.patch 1970-01-01 00:00:00.000000000 +0000
+++ tcpdf-6.6.2+dfsg1/debian/patches/0001-fix-CSV-2024-22640-712.patch 2025-05-26 18:36:40.000000000 +0000
@@ -0,0 +1,29 @@
+From 05f3a28f4a7905019469e040cf77e53d6aa7f679 Mon Sep 17 00:00:00 2001
+From: Josh
+Date: Sun, 21 Apr 2024 05:03:05 +1200
+Subject: [PATCH] fix: CSV-2024-22640 (#712)
+
+Add possessive quantifiers to the regex to prevent catastrophic backtracking.
+
+Bug: https://github.com/zunak/CVE-2024-22640
+Origin: upstream, https://github.com/tecnickcom/TCPDF/commit/05f3a28f4a7905019469e040cf77e53d6aa7f679
+---
+ include/tcpdf_colors.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/tcpdf_colors.php b/include/tcpdf_colors.php
+index 7f337f3..5a51594 100644
+--- a/include/tcpdf_colors.php
++++ b/include/tcpdf_colors.php
+@@ -275,7 +275,7 @@ class TCPDF_COLORS {
+ $color = strtolower($color);
+ // check for javascript color array syntax
+ if (strpos($color, '[') !== false) {
+- if (preg_match('/[\[][\"\'](t|g|rgb|cmyk)[\"\'][\,]?([0-9\.]*)[\,]?([0-9\.]*)[\,]?([0-9\.]*)[\,]?([0-9\.]*)[\]]/', $color, $m) > 0) {
++ if (preg_match('/[\[][\"\'](t|g|rgb|cmyk)[\"\'][\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\,]?([0-9\.]*+)[\]]/', $color, $m) > 0) {
+ $returncolor = array();
+ switch ($m[1]) {
+ case 'cmyk': {
+--
+2.39.5
+
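Review bot: The patch subject `fix: CSV-2024-22640 (#712)` and the file name `0001-fix-CSV-2024-22640-712.patch` carry upstream's `CSV` typo for `CVE`, so a `grep CVE-2024-22640 debian/patches` or a security-tracker cross-check finds this fix only through the `Bug:` URL. Renaming the file to `CVE-2024-22640.patch` (and updating `debian/patches/series`) would match the naming of the other CVE patches in this upload; the quoted upstream subject line can stay as history. The regex change itself only turns greedy `*` into possessive `*+` on the numeric groups, and since `[0-9\.]` and `[\,]` are disjoint the set of accepted colour strings should be unchanged, which is what makes this a safe backport.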
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-32489.patch tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-32489.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-32489.patch 1970-01-01 00:00:00.000000000 +0000
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-32489.patch 2025-05-26 18:36:40.000000000 +0000
@@ -0,0 +1,255 @@
+Description: Fix for CVE-2024-32489: mishandled calls that use HTML
+ This patch is extracted from upstream commit 82fc97b "Squash multiple fixes",
+ by nicolaasuni , taking only changes relevant to
+ CVE-2024-32489.
+Origin: backport, https://github.com/tecnickcom/TCPDF/commit/82fc97bf1c74c8dbe62b1d3cc6d10fa4b87e0262
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-32489
+Author: Santiago Ruano Rincón
+
+Index: tcpdf/tcpdf.php
+===================================================================
+--- tcpdf.orig/tcpdf.php
++++ tcpdf/tcpdf.php
+@@ -836,6 +836,13 @@ class TCPDF {
+ */
+ protected $file_id;
+
++ /**
++ * Internal secret used to encrypt data.
++ * @protected
++ * @since 6.7.4 (2024-03-21)
++ */
++ protected $hash_key;
++
+ // --- bookmark ---
+
+ /**
+@@ -1878,6 +1885,7 @@ class TCPDF {
+ // set file ID for trailer
+ $serformat = (is_array($format) ? json_encode($format) : $format);
+ $this->file_id = md5(TCPDF_STATIC::getRandomSeed('TCPDF'.$orientation.$unit.$serformat.$encoding));
++ $this->hash_key = hash_hmac('sha256', TCPDF_STATIC::getRandomSeed($this->file_id), TCPDF_STATIC::getRandomSeed('TCPDF'), false);
+ $this->font_obj_ids = array();
+ $this->page_obj_id = array();
+ $this->form_obj_id = array();
+@@ -17194,42 +17202,60 @@ class TCPDF {
+ }
+
+ /**
+- * Return an hash code used to ensure that the serialized data has been generated by this TCPDF instance.
+- * @param string $data serialized data
+- * @return string
+- * @public static
++ * Calculates the hash value of the given data.
++ *
++ * @param string $data The data to be hashed.
++ * @return string The hashed value of the data.
+ */
+- protected function getHashForTCPDFtagParams($data) {
+- return md5(strlen($data).$this->file_id.$data);
++ protected function hashTCPDFtag($data) {
++ return hash_hmac('sha256', $data, $this->hash_key, false);
+ }
+
+ /**
+- * Serialize an array of parameters to be used with TCPDF tag in HTML code.
+- * @param array $data parameters array
+- * @return string containing serialized data
++ * Serialize data to be used with TCPDF tag in HTML code.
++ * @param string $method TCPDF method name
++ * @param array $params Method parameters
++ * @return string Serialized data
+ * @public static
+ */
+- public function serializeTCPDFtagParameters($data) {
++ public function serializeTCPDFtag($method, $params=array()) {
++ $data = array('m' => $method, 'p' => $params);
+ $encoded = urlencode(json_encode($data));
+- return $this->getHashForTCPDFtagParams($encoded).$encoded;
++ $hash = $this->hashTCPDFtag($encoded);
++ return strlen($hash).'+'.$hash.'+'.$encoded;
+ }
+
+ /**
+- * Unserialize parameters to be used with TCPDF tag in HTML code.
++ * Unserialize data to be used with TCPDF tag in HTML code.
+ * @param string $data serialized data
+ * @return array containing unserialized data
+ * @protected static
+ */
+- protected function unserializeTCPDFtagParameters($data) {
+- $hash = substr($data, 0, 32);
+- $encoded = substr($data, 32);
+- if ($hash != $this->getHashForTCPDFtagParams($encoded)) {
++ protected function unserializeTCPDFtag($data) {
++ $hpos = strpos($data, '+');
++ $hlen = intval(substr($data, 0, $hpos));
++ $hash = substr($data, $hpos + 1, $hlen);
++ $encoded = substr($data, $hpos + 2 + $hlen);
++ if ($hash != $this->hashTCPDFtag($encoded)) {
+ $this->Error('Invalid parameters');
+ }
+ return json_decode(urldecode($encoded), true);
+ }
+
+ /**
++ * Check if a TCPDF tag is allowed
++ * @param string $method TCPDF method name
++ * @return boolean
++ * @protected
++ */
++ protected function allowedTCPDFtag($method) {
++ if (defined('K_ALLOWED_TCPDF_TAGS')) {
++ return (strpos(K_ALLOWED_TCPDF_TAGS, '|'.$method.'|') !== false);
++ }
++ return false;
++ }
++
++ /**
+ * Prints a cell (rectangular area) with optional borders, background color and html text string.
+ * The upper-left corner of the cell corresponds to the current position. After the call, the current position moves to the right or to the next line.
+ * If automatic page breaking is enabled and the cell goes beyond the limit, a page break is done before outputting.
+@@ -19504,17 +19530,14 @@ Putting 1 is equivalent to putting 0 and
+ case 'tcpdf': {
+ if (defined('K_TCPDF_CALLS_IN_HTML') AND (K_TCPDF_CALLS_IN_HTML === true)) {
+ // Special tag used to call TCPDF methods
+- if (isset($tag['attribute']['method'])) {
+- $tcpdf_method = $tag['attribute']['method'];
+- if (method_exists($this, $tcpdf_method)) {
+- if (isset($tag['attribute']['params']) AND (!empty($tag['attribute']['params']))) {
+- $params = $this->unserializeTCPDFtagParameters($tag['attribute']['params']);
+- call_user_func_array(array($this, $tcpdf_method), $params);
+- } else {
+- $this->$tcpdf_method();
+- }
+- $this->newline = true;
++ // This tag is disabled by default by the K_TCPDF_CALLS_IN_HTML constant on TCPDF configuration file.
++ // Please use this feature only if you are in control of the HTML content and you are sure that it does not contain any harmful code.
++ if (!empty($tag['attribute']['data'])) {
++ $tcpdf_tag_data = $this->unserializeTCPDFtag($tag['attribute']['data']);
++ if ($this->allowedTCPDFtag($tcpdf_tag_data['m'])) {
++ call_user_func_array(array($this, $tcpdf_tag_data['m']), $tcpdf_tag_data['p']);
+ }
++ $this->newline = true;
+ }
+ }
+ break;
+Index: tcpdf/config/tcpdf_config.php
+===================================================================
+--- tcpdf.orig/config/tcpdf_config.php
++++ tcpdf/config/tcpdf_config.php
+@@ -213,6 +213,14 @@ define('K_THAI_TOPCHARS', true);
+ define('K_TCPDF_CALLS_IN_HTML', false);
+
+ /**
++ * List of TCPDF methods that are allowed to be called using HTML syntax.
++ * Note: each method name must end with surrounded with | (pipe) character.
++ * The constant K_TCPDF_CALLS_IN_HTML must be set to true.
++ * IMPORTANT: For security reason, disable this feature if you are allowing user HTML content.
++ */
++define('K_ALLOWED_TCPDF_TAGS', '');
++
++/**
+ * If true and PHP version is greater than 5, then the Error() method throw new exception instead of terminating the execution.
+ */
+ define('K_TCPDF_THROW_EXCEPTION_ERROR', false);
+Index: tcpdf/examples/example_049.php
+===================================================================
+--- tcpdf.orig/examples/example_049.php
++++ tcpdf/examples/example_049.php
+@@ -2,7 +2,7 @@
+ //============================================================+
+ // File name : example_049.php
+ // Begin : 2009-04-03
+-// Last Update : 2014-12-10
++// Last Update : 2024-03-18
+ //
+ // Description : Example 049 for TCPDF class
+ // WriteHTML with TCPDF callback functions
+@@ -78,11 +78,11 @@ $pdf->AddPage();
+ /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
+
+ IMPORTANT:
+-If you are printing user-generated content, tcpdf tag can be unsafe.
+-You can disable this tag by setting to false the K_TCPDF_CALLS_IN_HTML
+-constant on TCPDF configuration file.
++If you are printing user-generated content, the tcpdf tag should be considered unsafe.
++This tag is disabled by default by the K_TCPDF_CALLS_IN_HTML constant on TCPDF configuration file.
++Please use this feature only if you are in control of the HTML content and you are sure that it does not contain any harmful code.
+
+-For security reasons, the parameters for the 'params' attribute of TCPDF
++For security reasons, the parameters for the 'params' attribute of TCPDF
+ tag must be prepared as an array and encoded with the
+ serializeTCPDFtagParameters() method (see the example below).
+
+@@ -91,23 +91,25 @@ serializeTCPDFtagParameters() method (se
+
+ $html = 'Test TCPDF Methods in HTML
+ IMPORTANT:
+-If you are using user-generated content, the tcpdf tag can be unsafe.
+-You can disable this tag by setting to false the K_TCPDF_CALLS_IN_HTML constant on TCPDF configuration file.
++If you are using user-generated content, the tcpdf tag should be considered unsafe.
++Please use this feature only if you are in control of the HTML content and you are sure that it does not contain any harmful code.
++This feature is disabled by default by the K_TCPDF_CALLS_IN_HTML constant on TCPDF configuration file.
+ write1DBarcode method in HTML
';
+
+-$params = $pdf->serializeTCPDFtagParameters(array('CODE 39', 'C39', '', '', 80, 30, 0.4, array('position'=>'S', 'border'=>true, 'padding'=>4, 'fgcolor'=>array(0,0,0), 'bgcolor'=>array(255,255,255), 'text'=>true, 'font'=>'helvetica', 'fontsize'=>8, 'stretchtext'=>4), 'N'));
+-$html .= '';
++$data = $pdf->serializeTCPDFtag('write1DBarcode', array('CODE 39', 'C39', '', '', 80, 30, 0.4, array('position'=>'S', 'border'=>true, 'padding'=>4, 'fgcolor'=>array(0,0,0), 'bgcolor'=>array(255,255,255), 'text'=>true, 'font'=>'helvetica', 'fontsize'=>8, 'stretchtext'=>4), 'N'));
++$html .= '';
+
+-$params = $pdf->serializeTCPDFtagParameters(array('CODE 128', 'C128', '', '', 80, 30, 0.4, array('position'=>'S', 'border'=>true, 'padding'=>4, 'fgcolor'=>array(0,0,0), 'bgcolor'=>array(255,255,255), 'text'=>true, 'font'=>'helvetica', 'fontsize'=>8, 'stretchtext'=>4), 'N'));
+-$html .= '';
++$data = $pdf->serializeTCPDFtag('write1DBarcode', array('CODE 128', 'C128', '', '', 80, 30, 0.4, array('position'=>'S', 'border'=>true, 'padding'=>4, 'fgcolor'=>array(0,0,0), 'bgcolor'=>array(255,255,255), 'text'=>true, 'font'=>'helvetica', 'fontsize'=>8, 'stretchtext'=>4), 'N'));
++$html .= '';
+
+-$html .= 'Graphic Functions
';
++$data = $pdf->serializeTCPDFtag('AddPage');
++$html .= 'Graphic Functions
';
+
+-$params = $pdf->serializeTCPDFtagParameters(array(0));
+-$html .= '';
++$data = $pdf->serializeTCPDFtag('SetDrawColor', array(0));
++$html .= '';
+
+-$params = $pdf->serializeTCPDFtagParameters(array(50, 50, 40, 10, 'DF', array(), array(0,128,255)));
+-$html .= '';
++$data = $pdf->serializeTCPDFtag('Rect', array(50, 50, 40, 10, 'DF', array(), array(0,128,255)));
++$html .= '';
+
+
+ // output the HTML content
+Index: tcpdf/tcpdf_autoconfig.php
+===================================================================
+--- tcpdf.orig/tcpdf_autoconfig.php
++++ tcpdf/tcpdf_autoconfig.php
+@@ -228,6 +228,10 @@ if (!defined('K_TCPDF_CALLS_IN_HTML')) {
+ define('K_TCPDF_CALLS_IN_HTML', false);
+ }
+
++if (!defined('K_ALLOWED_TCPDF_TAGS')) {
++ define('K_ALLOWED_TCPDF_TAGS', '');
++}
++
+ if (!defined('K_TCPDF_THROW_EXCEPTION_ERROR')) {
+ define('K_TCPDF_THROW_EXCEPTION_ERROR', false);
+ }
+Index: tcpdf/examples/config/tcpdf_config_alt.php
+===================================================================
+--- tcpdf.orig/examples/config/tcpdf_config_alt.php
++++ tcpdf/examples/config/tcpdf_config_alt.php
+@@ -213,6 +213,14 @@ define('K_THAI_TOPCHARS', true);
+ define('K_TCPDF_CALLS_IN_HTML', true);
+
+ /**
++ * List of TCPDF methods that are allowed to be called using HTML syntax.
++ * Note: each method name must end with surrounded with | (pipe) character.
++ * The constant K_TCPDF_CALLS_IN_HTML must be set to true.
++ * IMPORTANT: For security reason, disable this feature if you are allowing user HTML content.
++ */
++define('K_ALLOWED_TCPDF_TAGS', '|AddPage|Rect|SetDrawColor|write1DBarcode|');
++
++/**
+ * If true and PHP version is greater than 5, then the Error() method throw new exception instead of terminating the execution.
+ */
+ define('K_TCPDF_THROW_EXCEPTION_ERROR', false);
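Review bot: The explanatory comment in example_049.php, `For security reasons, the parameters for the 'params' attribute of TCPDF tag must be prepared as an array and encoded with the serializeTCPDFtagParameters() method`, is now wrong: the new API is `serializeTCPDFtag($method, $params)` and the attribute read by the `case 'tcpdf'` handler is `data`, not `params`; the example code below it was updated but this paragraph was not. The docblock for `K_ALLOWED_TCPDF_TAGS` (in both config/tcpdf_config.php and examples/config/tcpdf_config_alt.php) reads `each method name must end with surrounded with | (pipe) character`, which should be `each method name must be surrounded by | (pipe) characters, e.g. '|AddPage|Rect|'`. In `unserializeTCPDFtag`, `strpos($data, '+')` can return `false` for malformed input and the code then relies on `false` coercing to `0` in the `substr()` calls before the HMAC mismatch rejects it; an explicit `if ($hpos === false) { $this->Error('Invalid parameters'); }` right after the `strpos` makes the rejection deliberate rather than incidental. The loose `!=` on the hash comparison is fixed by CVE-2024-56522.patch in this same upload, so it is not raised here. The `@public static` / `@protected static` annotations on `serializeTCPDFtag` and `unserializeTCPDFtag` are also stale, since both methods read `$this->hash_key` and are instance methods.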
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-51058.patch tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-51058.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-51058.patch 1970-01-01 00:00:00.000000000 +0000
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-51058.patch 2025-05-26 18:36:40.000000000 +0000
@@ -0,0 +1,91 @@
+From bfa7d2b6d455ebf72ebe3d48fbd487ee5a1f6f3b Mon Sep 17 00:00:00 2001
+From: nicolaasuni
+Date: Sun, 6 Oct 2024 11:38:38 +0100
+Subject: [PATCH] Forbid access to parent folder in HTML images
+
+Bug-Debian: https://bugs.debian.org/1088332
+Origin: backport, https://github.com/tecnickcom/TCPDF/commit/bfa7d2b6d455ebf72ebe3d48fbd487ee5a1f6f3b
+---
+ CHANGELOG.TXT | 3 +++
+ VERSION | 2 +-
+ composer.json | 2 +-
+ include/tcpdf_static.php | 2 +-
+ tcpdf.php | 53 +++++++++++++++++++++-------------------
+ 5 files changed, 34 insertions(+), 28 deletions(-)
+
+Index: tcpdf/tcpdf.php
+===================================================================
+--- tcpdf.orig/tcpdf.php
++++ tcpdf/tcpdf.php
+@@ -18969,29 +18969,29 @@ class TCPDF {
+ $this->setLineWidth($hrHeight);
+
+ $lineStyle = array();
+- if (isset($tag['fgcolor'])) {
+- $lineStyle['color'] = $tag['fgcolor'];
+- }
+-
+- if (isset($tag['fgcolor'])) {
+- $lineStyle['color'] = $tag['fgcolor'];
+- }
+-
+- if (isset($tag['style']['cap'])) {
+- $lineStyle['cap'] = $tag['style']['cap'];
+- }
+-
+- if (isset($tag['style']['join'])) {
+- $lineStyle['join'] = $tag['style']['join'];
+- }
+-
+- if (isset($tag['style']['dash'])) {
+- $lineStyle['dash'] = $tag['style']['dash'];
+- }
+-
+- if (isset($tag['style']['phase'])) {
+- $lineStyle['phase'] = $tag['style']['phase'];
+- }
++ if (isset($tag['fgcolor'])) {
++ $lineStyle['color'] = $tag['fgcolor'];
++ }
++
++ if (isset($tag['fgcolor'])) {
++ $lineStyle['color'] = $tag['fgcolor'];
++ }
++
++ if (isset($tag['style']['cap'])) {
++ $lineStyle['cap'] = $tag['style']['cap'];
++ }
++
++ if (isset($tag['style']['join'])) {
++ $lineStyle['join'] = $tag['style']['join'];
++ }
++
++ if (isset($tag['style']['dash'])) {
++ $lineStyle['dash'] = $tag['style']['dash'];
++ }
++
++ if (isset($tag['style']['phase'])) {
++ $lineStyle['phase'] = $tag['style']['phase'];
++ }
+
+ $lineStyle = array_filter($lineStyle);
+
+@@ -19018,11 +19018,14 @@ class TCPDF {
+ } else if (preg_match('@^data:image/([^;]*);base64,(.*)@', $imgsrc, $reg)) {
+ $imgsrc = '@'.base64_decode($reg[2]);
+ $type = $reg[1];
++ } elseif (str_contains($imgsrc, '../')) {
++ // accessing parent folders is not allowed
++ break;
+ } elseif ( $this->allowLocalFiles && substr($imgsrc, 0, 7) === 'file://') {
+- // get image type from a local file path
+- $imgsrc = substr($imgsrc, 7);
+- $type = TCPDF_IMAGES::getImageFileType($imgsrc);
+- } else {
++ // get image type from a local file path
++ $imgsrc = substr($imgsrc, 7);
++ $type = TCPDF_IMAGES::getImageFileType($imgsrc);
++ } else {
+ if (($imgsrc[0] === '/') AND !empty($_SERVER['DOCUMENT_ROOT']) AND ($_SERVER['DOCUMENT_ROOT'] != '/')) {
+ // fix image path
+ $findroot = strpos($imgsrc, $_SERVER['DOCUMENT_ROOT']);
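Review bot: The new `elseif (str_contains($imgsrc, '../'))` guard is a literal-substring denylist applied to the raw `src` value rather than a check on the resolved path, so it protects the `file://` branch and the DOCUMENT_ROOT-relative branch below it only against that one spelling of a parent reference. The robust form for local files is to canonicalise with `realpath()` after stripping the `file://` prefix and accept the result only if it lies under a directory the application designates as its image root, rejecting it otherwise; that removes the dependency on how the path was written. Separately, `str_contains()` is PHP 8.0+, fine for bookworm's PHP 8.2 but worth a line in the DEP-3 header if this patch is reused for an older suite. The first nested hunk (the `$lineStyle` block at `@@ -18969,29 +18969,29 @@`) appears to be a pure re-indentation, as the removed and added lines read identically here, and could be dropped from a security backport to keep the change minimal. The enclosing image handling starts before and continues after this hunk, so where the added `break` lands is not visible.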
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56519.patch tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56519.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56519.patch 1970-01-01 00:00:00.000000000 +0000
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56519.patch 2025-05-26 18:36:40.000000000 +0000
@@ -0,0 +1,26 @@
+From c9f41cbb84880bdb4fc3e0a9d287214d1ac4d7f4 Mon Sep 17 00:00:00 2001
+From: nicolaasuni
+Date: Mon, 23 Dec 2024 12:55:00 +0000
+Subject: [PATCH] Sanitize font-family attribute.
+
+Bug-Debian: https://bugs.debian.org/1091685
+---
+ tcpdf.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tcpdf.php b/tcpdf.php
+index 7afe65b..e364c3b 100644
+--- a/tcpdf.php
++++ b/tcpdf.php
+@@ -23486,7 +23486,7 @@ class TCPDF {
+ if (preg_match('/font-family[\s]*:[\s]*([^\;\"]*)/si', $svgstyle['font'], $regs)) {
+ $font_family = $this->getFontFamilyName($regs[1]);
+ } else {
+- $font_family = $svgstyle['font-family'];
++ $font_family = $this->getFontFamilyName($svgstyle['font-family']);
+ }
+ if (preg_match('/font-size[\s]*:[\s]*([^\s\;\"]*)/si', $svgstyle['font'], $regs)) {
+ $font_size = trim($regs[1]);
+--
+2.39.5
+
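Review bot: This patch has a `Bug-Debian:` header but, unlike the other CVE patches in this upload, no `Origin:` line, even though the upstream commit is named in the `From c9f41cbb84880bdb4fc3e0a9d287214d1ac4d7f4` line. Adding `Origin: backport, https://github.com/tecnickcom/TCPDF/commit/c9f41cbb84880bdb4fc3e0a9d287214d1ac4d7f4` keeps the DEP-3 metadata uniform and lets tooling verify provenance. The one-line change routes the bare `font-family` attribute through the same `getFontFamilyName()` normalisation the `font` shorthand branch already uses, so the two paths now agree.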
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56520.patch tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56520.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56520.patch 1970-01-01 00:00:00.000000000 +0000
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56520.patch 2025-05-26 18:36:40.000000000 +0000
@@ -0,0 +1,129 @@
+From a0a02efe487cc39bd5223359e916dbeafb5cd6fe Mon Sep 17 00:00:00 2001
+From: nicolaasuni
+Date: Mon, 23 Dec 2024 12:43:22 +0000
+Subject: [PATCH] Add some addTTFfont fixes from tc-lib-pdf-font
+
+Bug-Debian: https://bugs.debian.org/1091686
+Origin: backport, https://github.com/tecnickcom/TCPDF/commit/a0a02efe487cc39bd5223359e916dbeafb5cd6fe
+---
+ CHANGELOG.TXT | 1 +
+ include/tcpdf_fonts.php | 43 +++++++++++++++++++++--------------------
+ 2 files changed, 23 insertions(+), 21 deletions(-)
+
+Index: tcpdf/include/tcpdf_fonts.php
+===================================================================
+--- tcpdf.orig/include/tcpdf_fonts.php
++++ tcpdf/include/tcpdf_fonts.php
+@@ -1,13 +1,13 @@
+ 0) {
++ if (preg_match_all('#dup[\s]([0-9]+)[\s]*+/([^\s]*+)[\s]put#sU', $font, $fmap, PREG_SET_ORDER) > 0) {
+ foreach ($fmap as $v) {
+ $imap[$v[2]] = $v[1];
+ }
+@@ -229,22 +230,22 @@ class TCPDF_FONTS {
+ $eplain .= chr($chr ^ ($r >> 8));
+ $r = ((($chr + $r) * $c1 + $c2) % 65536);
+ }
+- if (preg_match('#/ForceBold[\s]*([^\s]*)#', $eplain, $matches) > 0) {
++ if (preg_match('#/ForceBold[\s]*+([^\s]*+)#', $eplain, $matches) > 0) {
+ if ($matches[1] == 'true') {
+ $fmetric['Flags'] |= 0x40000;
+ }
+ }
+- if (preg_match('#/StdVW[\s]*\[([^\]]*)#', $eplain, $matches) > 0) {
++ if (preg_match('#/StdVW[\s]*+\[([^\]]*+)#', $eplain, $matches) > 0) {
+ $fmetric['StemV'] = intval($matches[1]);
+ } else {
+ $fmetric['StemV'] = 70;
+ }
+- if (preg_match('#/StdHW[\s]*\[([^\]]*)#', $eplain, $matches) > 0) {
++ if (preg_match('#/StdHW[\s]*+\[([^\]]*+)#', $eplain, $matches) > 0) {
+ $fmetric['StemH'] = intval($matches[1]);
+ } else {
+ $fmetric['StemH'] = 30;
+ }
+- if (preg_match('#/BlueValues[\s]*\[([^\]]*)#', $eplain, $matches) > 0) {
++ if (preg_match('#/BlueValues[\s]*+\[([^\]]*+)#', $eplain, $matches) > 0) {
+ $bv = explode(' ', $matches[1]);
+ if (count($bv) >= 6) {
+ $v1 = intval($bv[2]);
+@@ -265,7 +266,7 @@ class TCPDF_FONTS {
+ $fmetric['CapHeight'] = 700;
+ }
+ // get the number of random bytes at the beginning of charstrings
+- if (preg_match('#/lenIV[\s]*([0-9]*)#', $eplain, $matches) > 0) {
++ if (preg_match('#/lenIV[\s]*+([\d]*+)#', $eplain, $matches) > 0) {
+ $lenIV = intval($matches[1]);
+ } else {
+ $lenIV = 4;
+@@ -273,7 +274,7 @@ class TCPDF_FONTS {
+ $fmetric['Leading'] = 0;
+ // get charstring data
+ $eplain = substr($eplain, (strpos($eplain, '/CharStrings') + 1));
+- preg_match_all('#/([A-Za-z0-9\.]*)[\s][0-9]+[\s]RD[\s](.*)[\s]ND#sU', $eplain, $matches, PREG_SET_ORDER);
++ preg_match_all('#/([A-Za-z0-9\.]*+)[\s][0-9]+[\s]RD[\s](.*)[\s]ND#sU', $eplain, $matches, PREG_SET_ORDER);
+ if (!empty($enc) AND isset(TCPDF_FONT_DATA::$encmap[$enc])) {
+ $enc_map = TCPDF_FONT_DATA::$encmap[$enc];
+ } else {
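Review bot: The `preg_match_all()` call on the charstring pattern (`'#/([A-Za-z0-9\.]*+)[\s][0-9]+[\s]RD[\s](.*)[\s]ND#sU'`) still discards its return value, so if PCRE aborts with a backtrack or JIT limit error on a large or malformed font, `$matches` is left empty and parsing continues silently with no glyphs instead of failing. A guard such as `if (preg_match_all(...) === false) { return false; }`, using whatever failure value the enclosing method returns, or a `preg_last_error() !== PREG_NO_ERROR` check after the call would make the failure explicit; the same applies to the `preg_match()` calls above it, whose `> 0` tests treat `false` and `0` alike. Note that `(.*)` under the `U` modifier is lazy rather than possessive, so this pattern was deliberately not converted like the others; a possessive quantifier there would swallow the `[\s]ND` terminator, but it does mean this is the one regex in the hunk that can still backtrack. The first nested hunk (`@@ -1,13 +1,13 @@`) appears truncated in this rendering, so its content was not reviewed. The enclosing method begins before this hunk.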
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56522.patch tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56522.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56522.patch 1970-01-01 00:00:00.000000000 +0000
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56522.patch 2025-05-26 18:36:40.000000000 +0000
@@ -0,0 +1,26 @@
+From d54b97cec33f4f1a5ad81119a82085cad93cec89 Mon Sep 17 00:00:00 2001
+From: nicolaasuni
+Date: Mon, 23 Dec 2024 12:15:14 +0000
+Subject: [PATCH] Use strict time-constant function to compare TCPDF-tag
+ hashes.
+
+Bug-Debian: https://bugs.debian.org/1091688
+Origin: backport, https://github.com/tecnickcom/TCPDF/commit/d54b97cec33f4f1a5ad81119a82085cad93cec89
+---
+ CHANGELOG.TXT | 1 +
+ tcpdf.php | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+Index: tcpdf/tcpdf.php
+===================================================================
+--- tcpdf.orig/tcpdf.php
++++ tcpdf/tcpdf.php
+@@ -17236,7 +17236,7 @@ class TCPDF {
+ $hlen = intval(substr($data, 0, $hpos));
+ $hash = substr($data, $hpos + 1, $hlen);
+ $encoded = substr($data, $hpos + 2 + $hlen);
+- if ($hash != $this->hashTCPDFtag($encoded)) {
++ if (!hash_equals( $this->hashTCPDFtag($encoded), $hash)) {
+ $this->Error('Invalid parameters');
+ }
+ return json_decode(urldecode($encoded), true);
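Review bot: `hash_equals( $this->hashTCPDFtag($encoded), $hash)` puts the known value first and the untrusted value second, which is the correct argument order, but the stray space after the opening parenthesis does not match the surrounding code; `if (!hash_equals($this->hashTCPDFtag($encoded), $hash)) {` is the tidy form. On bookworm's PHP 8.2 `substr()` always returns a string, so `$hash` can never be the `false` that would make `hash_equals()` throw a `TypeError` on PHP 7; the patch is safe for this suite but should not be reused unchanged on an older one. The rest of `unserializeTCPDFtag`, including the `strpos` that computes `$hpos`, is unchanged and starts above this hunk.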
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56527.patch tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56527.patch
--- tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56527.patch 1970-01-01 00:00:00.000000000 +0000
+++ tcpdf-6.6.2+dfsg1/debian/patches/CVE-2024-56527.patch 2025-05-26 18:36:40.000000000 +0000
@@ -0,0 +1,24 @@
+From 11778aaa2d9e30a9ae1c1ee97ff349344f0ad6e1 Mon Sep 17 00:00:00 2001
+From: nicolaasuni
+Date: Mon, 23 Dec 2024 12:12:07 +0000
+Subject: [PATCH] Escape error message
+
+Bug-Debian: https://bugs.debian.org/1091689
+Origin: backport, https://github.com/tecnickcom/TCPDF/commit/11778aaa2d9e30a9ae1c1ee97ff349344f0ad6e1
+---
+ CHANGELOG.TXT | 2 +-
+ tcpdf.php | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+Index: tcpdf/tcpdf.php
+===================================================================
+--- tcpdf.orig/tcpdf.php
++++ tcpdf/tcpdf.php
+@@ -3006,6 +3006,7 @@ class TCPDF {
+ public function Error($msg) {
+ // unset all class variables
+ $this->_destroy(true);
++ $msg = htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
+ if (defined('K_TCPDF_THROW_EXCEPTION_ERROR') AND !K_TCPDF_THROW_EXCEPTION_ERROR) {
+ die('TCPDF ERROR: '.$msg);
+ } else {
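Review bot: `htmlspecialchars($msg, ENT_QUOTES, 'UTF-8')` without `ENT_SUBSTITUTE` returns an empty string when `$msg` contains an invalid UTF-8 sequence, so an error raised from a malformed file name or font string would be reported as `TCPDF ERROR: ` with no message; `$msg = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` keeps the text readable while still neutralising markup. Because the escaping happens before the branch, the exception path in the `else` block (outside this hunk) now throws an already-HTML-encoded message, which a caller that escapes on output will double-encode and a CLI or log consumer will see with entities; escaping only on the `die()` path, or documenting in the `Error()` docblock that the message is HTML-escaped, would avoid the surprise. The `Error()` body continues past the hunk.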
diff -Nru tcpdf-6.6.2+dfsg1/debian/patches/series tcpdf-6.6.2+dfsg1/debian/patches/series
--- tcpdf-6.6.2+dfsg1/debian/patches/series 2022-12-23 20:08:41.000000000 +0000
+++ tcpdf-6.6.2+dfsg1/debian/patches/series 2025-05-26 18:36:40.000000000 +0000
@@ -1 +1,9 @@
0001-Update-the-composer-example-to-use-the-Debian-includ.patch
+0001-fix-CSV-2024-22640-712.patch
+0001-Update-regexp-to-fix-CVE-2024-22641.patch
+CVE-2024-32489.patch
+CVE-2024-51058.patch
+CVE-2024-56519.patch
+CVE-2024-56520.patch
+CVE-2024-56522.patch
+CVE-2024-56527.patch
diff -Nru tcpdf-6.6.2+dfsg1/debian/rules tcpdf-6.6.2+dfsg1/debian/rules
--- tcpdf-6.6.2+dfsg1/debian/rules 2022-12-16 21:19:19.000000000 +0000
+++ tcpdf-6.6.2+dfsg1/debian/rules 2025-05-27 21:38:39.000000000 +0000
@@ -18,4 +18,5 @@
--blacklist mc_tcpdf \
--blacklist mypdf \
--blacklist toc_tcpdf \
+ --exclude */.pc/* \
--output autoload.php .
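Review bot: `--exclude */.pc/*` is an unquoted shell glob inside a recipe; it reaches phpab literally only because nothing in the build tree matches `*/.pc/*` when the recipe runs (quilt's `.pc` presumably sits at the top level, and a pattern with a leading directory component does not match it there). If a matching path ever exists the shell expands it into file names and only the first one follows `--exclude`, so quote it as `--exclude '*/.pc/*' \` to hand the pattern to phpab unchanged. The recipe continues above this hunk, so the command being invoked and the other `--blacklist` arguments are only partly visible here.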