Headline
Debian Security Advisory 5642-1
Debian Linux Security Advisory 5642-1 - Three security issues were discovered in php-svg-lib, a PHP library to read, parse and export to PDF SVG files, which could result in denial of service, restriction bypass or the execution of arbitrary code.
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5642-1 [email protected]://www.debian.org/security/ Moritz MuehlenhoffMarch 20, 2024 https://www.debian.org/security/faq- -------------------------------------------------------------------------Package : php-dompdf-svg-libCVE ID : CVE-2023-50251 CVE-2023-50252 CVE-2024-25117Three security issues were discovered in php-svg-lib, a PHP library toread, parse and export to PDF SVG files, which could result in denialof service, restriction bypass or the execution of arbitrary code.For the stable distribution (bookworm), these problems have been fixed inversion 0.5.0-3+deb12u1.We recommend that you upgrade your php-dompdf-svg-lib packages.For the detailed security status of php-dompdf-svg-lib please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php-dompdf-svg-libFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: [email protected] PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmX7NGEACgkQEMKTtsN8TjYo5w/+Pg6R1qOP4p3GoBWg9kiHwZBLx/tkHW2FCGaKd4sDPboHvT73kzX3LEPn5R+hBOGW07jB9VKn5icPte+UH/pTyl+5CKHG/4r8U8wNru83/mHqOmjsyneVBSMy1wX8RLVYQ0vtm2AEF6a97bYydQC206YMnmoiaw90CWNib8k88Uvj3+OL+j8TcL7X1F88/QU/dzHejJ3Qrto9ImOBYryemKIIt/BgRNJ9Dl1yaEgSs8CiYEMDmJ0Wg10mpbH9MUIqmbGlrnJsfILMe0x9x9aut1QXxzFpyY9cEWgnM3khyZsdg2NAuak+VXoL2OIFZKtgqZh8/1SvTMTzr3ayDB3zAACtZGa+ZCXA0FXeEekY9IOmEoIICRX70QOil9/F4RCPv45yaWSRBuG5nJcGogEfdpVEYURWDqs483PzVaQSE/rXCg4+xfaKG3f291h2rp9+tIj4Vrlbu6YDu7hYQARaa1b/SD3aM6iqfxO6c5c0gHgKJmZOjRg6N1ClxsSI+RhDJrw9N9YTZyzyunAV04gpdZVpOdqKH/YWI1NqB/VlpCvsOF0Hd7hh2T7Ri0yUR65f1zZIs3UfdJ3MiNMgnJdi05ZnOIvNWxN9ZzgAOSlyjIl6qRtRDikcUewubpBPzDuaLYPepVr60QIPHap7XNCohdRP0no5ows2pXgMzl3YCQU==OY4q-----END PGP SIGNATURE-----
Related news
### Summary php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. ### Details The Style::fromAttributes(), or the Style::parseCssStyle() should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the Style::fromStyleSheets might be reused : ``` if ( \array_key_exists("font-family", $styles) && ( \strtolower(\substr($this->href, 0, 7)) === "phar://" || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5)) !== "data:") ) ...
### Summary When parsing the attributes passed to a `use` tag inside an svg document, we can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself. ### Details Inside `Svg\Tag\UseTag::before`, php-svg-lib parses the attributes passed to an `use` tag inside an svg document. When it finds a `href` or `xlink:href`, it will try to retrieve the object representing this tag: ``` $link = $attributes["href"] ?? $attributes["xlink:href"]; $this->reference = $document->getDef($link); if ($this->reference) { $this->reference->before($attributes); } ``` `$document->getDef` is implemented as follow: ``` public function getDef($id) { $id = ltrim($id, "#"); return isset($this->defs[$id]) ? $this->defs[$id] : null; } ``` _Note:_ the `$id` in the above method is actually the _link_ being used in `use` tag. This part is important, because thi...
php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the attributes passed to a `use` tag inside an svg document, an attacker can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself. An attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request. Version 0.5.1 contains a patch for this issue.
php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when handling `<use>` tag that references an `<image>` tag, it merges the attributes from the `<use>` tag to the `<image>` tag. The problem pops up especially when the `href` attribute from the `<use>` tag has not been sanitized. This can lead to an unsafe file read that can cause PHAR Deserialization vulnerability in PHP prior to version 8. Version 0.5.1 contains a patch for this issue.