Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <>
Subject: Accepted tcpdf 6.6.2+dfsg1-1+deb12u1 (source) into stable-security
Date: Sun, 01 Jun 2025 12:27:23 +0000
Signed by: Santiago Ruano Rincón <santiago@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 29 May 2025 13:17:39 -0300
Source: tcpdf
Architecture: source
Version: 6.6.2+dfsg1-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: phpMyAdmin Team <team+phpmyadmin@tracker.debian.org>
Changed-By: Santiago Ruano Rincón <santiagorr@riseup.net>
Changes:
 tcpdf (6.6.2+dfsg1-1+deb12u1) bookworm-security; urgency=medium
 .
   * Exclude quilt managed directory .pc/ from phpab in debian/rules
   * Explicitly specify RELEASE: bookworm in d/gitlab-ci.yml
   * Fix CVE-2024-22640: ReDoS (Regular Expression Denial of Service) if
     parsing an untrusted HTML page with a crafted color
   * Fix CVE-2024-22641: ReDoS (Regular Expression Denial of Service) if
     parsing an untrusted SVG file
   * Fix CVE-2024-32489: tcpdf mishandles calls that use HTML syntax
   * Fix CVE-2024-51058: Local File Inclusion (LFI) vulnerability through <img>
     src tag
   * Fix CVE-2024-56519: setSVGStyles does not sanitize the SVG font-family
     attribute
   * Fix CVE-2024-56520: tcpdf, through its use of tc-lib-pdf-font, mishandles
     fonts like FontBBox for Type 1 and incorrectly parses TrueType fonts
   * Fix CVE-2024-56522: unserializeTCPDFtag doesn't make use of constant-time
     function to compare TCPDF tag hashes
   * Fix CVE-2024-56527: the Error function lacks an htmlspecialchars call for
     the error message
   * Update git branch in the VCS-Git d/control field
Checksums-Sha1:
 7db5274a9f373f41c2cc69e25cd280a36e45240e 1552 tcpdf_6.6.2+dfsg1-1+deb12u1.dsc
 346437fe31df2d5534c553f457f30113dce53280 8001440 tcpdf_6.6.2+dfsg1.orig.tar.xz
 c1353b84081ae9f13387cfcc9944eec472c5b772 16108 tcpdf_6.6.2+dfsg1-1+deb12u1.debian.tar.xz
 7b592b4e6519dea3b81706640a97990afc13fc9d 6552 tcpdf_6.6.2+dfsg1-1+deb12u1_amd64.buildinfo
Checksums-Sha256:
 7aeb4e523175325f9c45ac0b371df1a8fcd72695412375c310b0daf5acdcadae 1552 tcpdf_6.6.2+dfsg1-1+deb12u1.dsc
 d66d1e799a97ca0a012faef45bd64d5d5c4878b46d98105a8be38efaa0f78d4f 8001440 tcpdf_6.6.2+dfsg1.orig.tar.xz
 02fedd8f54ffcd2c4e65cd469cfddc6c354042c46c4d87aef56787e9498248e4 16108 tcpdf_6.6.2+dfsg1-1+deb12u1.debian.tar.xz
 46807be8684b80717ee2d765584ad7f3e1da82bd2ad85d1334f2e322a7cbe43e 6552 tcpdf_6.6.2+dfsg1-1+deb12u1_amd64.buildinfo
Files:
 f9169646024fef66af5b80766550ceb2 1552 php optional tcpdf_6.6.2+dfsg1-1+deb12u1.dsc
 1268c20a20017f0e21849000459a8928 8001440 php optional tcpdf_6.6.2+dfsg1.orig.tar.xz
 60e33cd4a6f079a26bb8849007a2a2db 16108 php optional tcpdf_6.6.2+dfsg1-1+deb12u1.debian.tar.xz
 0412fc7967f9a7970f31c9e0f1a00116 6552 php optional tcpdf_6.6.2+dfsg1-1+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iIwEARYKADQWIQR+lHTq7mkJOyB6t2Un3j1FEEiG7wUCaDiVIRYcc2FudGlhZ29y
ckByaXNldXAubmV0AAoJECfePUUQSIbv81gBAJEeUuTNqfSbKQgfRv19jPAtuluH
AuMu1vXYiv7sKTg/AP4gFmSK+MsC6c+z4Wz4oEgFp+H9B/WcMTSdWZv7l9eqAg==
=KWEY
-----END PGP SIGNATURE-----
News for package tcpdf
