Security
Headlines
HeadlinesLatestCVEs

Headline

Debian Security Advisory 5642-1

Debian Linux Security Advisory 5642-1 - Three security issues were discovered in php-svg-lib, a PHP library to read, parse and export to PDF SVG files, which could result in denial of service, restriction bypass or the execution of arbitrary code.

Packet Storm
#xss#linux#debian#dos#js#php#pdf
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5642-1                   [email protected]://www.debian.org/security/                       Moritz MuehlenhoffMarch 20, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php-dompdf-svg-libCVE ID         : CVE-2023-50251 CVE-2023-50252 CVE-2024-25117Three security issues were discovered in php-svg-lib, a PHP library toread, parse and export to PDF SVG files, which could result in denialof service, restriction bypass or the execution of arbitrary code.For the stable distribution (bookworm), these problems have been fixed inversion 0.5.0-3+deb12u1.We recommend that you upgrade your php-dompdf-svg-lib packages.For the detailed security status of php-dompdf-svg-lib please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php-dompdf-svg-libFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: [email protected] PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmX7NGEACgkQEMKTtsN8TjYo5w/+Pg6R1qOP4p3GoBWg9kiHwZBLx/tkHW2FCGaKd4sDPboHvT73kzX3LEPn5R+hBOGW07jB9VKn5icPte+UH/pTyl+5CKHG/4r8U8wNru83/mHqOmjsyneVBSMy1wX8RLVYQ0vtm2AEF6a97bYydQC206YMnmoiaw90CWNib8k88Uvj3+OL+j8TcL7X1F88/QU/dzHejJ3Qrto9ImOBYryemKIIt/BgRNJ9Dl1yaEgSs8CiYEMDmJ0Wg10mpbH9MUIqmbGlrnJsfILMe0x9x9aut1QXxzFpyY9cEWgnM3khyZsdg2NAuak+VXoL2OIFZKtgqZh8/1SvTMTzr3ayDB3zAACtZGa+ZCXA0FXeEekY9IOmEoIICRX70QOil9/F4RCPv45yaWSRBuG5nJcGogEfdpVEYURWDqs483PzVaQSE/rXCg4+xfaKG3f291h2rp9+tIj4Vrlbu6YDu7hYQARaa1b/SD3aM6iqfxO6c5c0gHgKJmZOjRg6N1ClxsSI+RhDJrw9N9YTZyzyunAV04gpdZVpOdqKH/YWI1NqB/VlpCvsOF0Hd7hh2T7Ri0yUR65f1zZIs3UfdJ3MiNMgnJdi05ZnOIvNWxN9ZzgAOSlyjIl6qRtRDikcUewubpBPzDuaLYPepVr60QIPHap7XNCohdRP0no5ows2pXgMzl3YCQU==OY4q-----END PGP SIGNATURE-----

Related news

GHSA-f3qr-qr4x-j273: php-svg-lib lacks path validation on font through SVG inline styles

### Summary php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. ### Details The Style::fromAttributes(), or the Style::parseCssStyle() should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the Style::fromStyleSheets might be reused : ``` if ( \array_key_exists("font-family", $styles) && ( \strtolower(\substr($this->href, 0, 7)) === "phar://" || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5)) !== "data:") ) ...

GHSA-ff5x-7qg5-vwf2: Denial of service caused by infinite recursion when parsing SVG document

### Summary When parsing the attributes passed to a `use` tag inside an svg document, we can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself. ### Details Inside `Svg\Tag\UseTag::before`, php-svg-lib parses the attributes passed to an `use` tag inside an svg document. When it finds a `href` or `xlink:href`, it will try to retrieve the object representing this tag: ``` $link = $attributes["href"] ?? $attributes["xlink:href"]; $this->reference = $document->getDef($link); if ($this->reference) { $this->reference->before($attributes); } ``` `$document->getDef` is implemented as follow: ``` public function getDef($id) { $id = ltrim($id, "#"); return isset($this->defs[$id]) ? $this->defs[$id] : null; } ``` _Note:_ the `$id` in the above method is actually the _link_ being used in `use` tag. This part is important, because thi...

CVE-2023-50251: Possible DoS caused by infinite recursion when parsing SVG document

php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the attributes passed to a `use` tag inside an svg document, an attacker can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself. An attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request. Version 0.5.1 contains a patch for this issue.

CVE-2023-50252: Unsafe attributes merge when parsing `use` tag

php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when handling `<use>` tag that references an `<image>` tag, it merges the attributes from the `<use>` tag to the `<image>` tag. The problem pops up especially when the `href` attribute from the `<use>` tag has not been sanitized. This can lead to an unsafe file read that can cause PHAR Deserialization vulnerability in PHP prior to version 8. Version 0.5.1 contains a patch for this issue.

Packet Storm: Latest News

Siemens Energy Omnivise T3000 8.2 SP3 Privilege Escalation / File Download