tcpdf - Debian Package Tracker

general

source: tcpdf (main)
version: 6.9.1+dfsg-1
maintainer: phpMyAdmin Team (DMD)
uploaders: William Desportes [DMD] [DM]
arch: all
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 6.3.5+dfsg1-1
old-bpo: 6.6.2+dfsg1-1~bpo11+1
stable: 6.6.2+dfsg1-1
stable-bpo: 6.9.1+dfsg-1~bpo12+1
testing: 6.9.1+dfsg-1
unstable: 6.9.1+dfsg-1

versioned links

6.3.5+dfsg1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.6.2+dfsg1-1~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.6.2+dfsg1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.9.1+dfsg-1~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.9.1+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

php-tcpdf

action needed

A new upstream version is available: 6.9.4 high

A new upstream version 6.9.4 is available, you should consider packaging it.

Created: 2025-04-22 Last update: 2025-05-25 18:03

9 security issues in bullseye high

There are 9 open security issues in bullseye.

6 important issues:

CVE-2024-51058: Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server's file system through <img> src tag, potentially exposing sensitive information.
CVE-2024-56519: An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute.
CVE-2024-56520: An issue was discovered in tc-lib-pdf-font before 2.6.4, as used in TCPDF before 6.8.0 and other products. Fonts are mishandled, e.g., FontBBox for Type 1 and TrueType fonts is misparsed.
CVE-2024-56521: An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely.
CVE-2024-56522: An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (aka loose comparison) and does not use a constant-time function to compare TCPDF tag hashes.
CVE-2024-56527: An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message.

3 issues postponed or untriaged:

CVE-2024-22640: (needs triaging) TCPDF version <=6.6.5 is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted HTML page with a crafted color.
CVE-2024-22641: (needs triaging) TCPDF version 6.6.5 and before is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted SVG file.
CVE-2024-32489: (needs triaging) TCPDF before 6.7.4 mishandles calls that use HTML syntax.

Created: 2024-11-26 Last update: 2025-04-08 10:25

9 security issues in bookworm high

There are 9 open security issues in bookworm.

6 important issues:

CVE-2024-51058: Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server's file system through <img> src tag, potentially exposing sensitive information.
CVE-2024-56519: An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute.
CVE-2024-56520: An issue was discovered in tc-lib-pdf-font before 2.6.4, as used in TCPDF before 6.8.0 and other products. Fonts are mishandled, e.g., FontBBox for Type 1 and TrueType fonts is misparsed.
CVE-2024-56521: An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely.
CVE-2024-56522: An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (aka loose comparison) and does not use a constant-time function to compare TCPDF tag hashes.
CVE-2024-56527: An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message.

3 issues left for the package maintainer to handle:

CVE-2024-22640: (needs triaging) TCPDF version <=6.6.5 is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted HTML page with a crafted color.
CVE-2024-22641: (needs triaging) TCPDF version 6.6.5 and before is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted SVG file.
CVE-2024-32489: (needs triaging) TCPDF before 6.7.4 mishandles calls that use HTML syntax.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-04-15 Last update: 2025-04-08 10:25

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 6.9.2+dfsg-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 9ac03d5f1ae145f023c678fe34e82f37397b0ac2
Author: William Desportes <williamdes@wdes.fr>
Date:   Sun Apr 20 10:55:21 2025 +0200

    d/ch

commit 683e66ec469a5680cf71dda392e67b8ae5bdebfc
Merge: 9a2a3a7 ffc1cfd
Author: William Desportes <williamdes@wdes.fr>
Date:   Sun Apr 20 10:53:53 2025 +0200

    Update upstream source from tag 'upstream/6.9.2+dfsg'
    
    Update to upstream version '6.9.2+dfsg'
    with Debian dir 2990269640ee17e32bde44b306338c504eb316ec

commit ffc1cfd9d32e01131e2132ffa04cb18f02791e5c
Author: William Desportes <williamdes@wdes.fr>
Date:   Sun Apr 20 10:53:45 2025 +0200

    New upstream version 6.9.2+dfsg

Created: 2025-04-20 Last update: 2025-05-24 00:32

news

[rss feed]

[2025-04-11] Accepted tcpdf 6.9.1+dfsg-1~bpo12+1 (source) into stable-backports (William Desportes)
[2025-04-09] tcpdf 6.9.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-04-06] Accepted tcpdf 6.9.1+dfsg-1 (source) into unstable (William Desportes)
[2025-02-13] Accepted tcpdf 6.8.2+dfsg-1~bpo12+1 (source) into stable-backports (William Desportes)
[2025-02-12] tcpdf 6.8.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-02-09] Accepted tcpdf 6.8.2+dfsg-1 (source) into unstable (William Desportes)
[2025-01-30] Accepted tcpdf 6.8.0+dfsg-1~bpo12+1 (source all) into stable-backports (Debian FTP Masters) (signed by: Sruthi Chandran)
[2025-01-02] tcpdf 6.8.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-12-31] Accepted tcpdf 6.8.0+dfsg-1 (source) into unstable (William Desportes)
[2024-12-14] tcpdf 6.7.7+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-12-12] Accepted tcpdf 6.7.7+dfsg-1 (source) into unstable (William Desportes)
[2024-04-24] tcpdf 6.7.5+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-04-20] Accepted tcpdf 6.7.5+dfsg-1 (source) into unstable (William Desportes)
[2024-04-08] tcpdf 6.7.4+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-04-06] Accepted tcpdf 6.7.4+dfsg-1 (source) into unstable (William Desportes)
[2023-09-09] tcpdf 6.6.5+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-09-06] Accepted tcpdf 6.6.5+dfsg-1 (source) into unstable (William Desportes)
[2023-09-06] Accepted tcpdf 6.6.3+dfsg1-1 (source) into unstable (William Desportes)
[2023-01-24] Accepted tcpdf 6.6.2+dfsg1-1~bpo11+1 (source all) into bullseye-backports (Debian FTP Masters) (signed by: James Valleroy)
[2022-12-26] tcpdf 6.6.2+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2022-12-23] Accepted tcpdf 6.6.2+dfsg1-1 (source) into unstable (William Desportes)
[2022-12-08] tcpdf 6.6.0+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2022-12-06] Accepted tcpdf 6.6.0+dfsg1-1 (source) into unstable (William Desportes)
[2022-09-04] Accepted tcpdf 6.5.0+dfsg1-1~bpo10+1 (source) into buster-backports->backports-policy, buster-backports (Debian FTP Masters) (signed by: William Desportes)
[2022-08-14] tcpdf 6.5.0+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2022-08-12] Accepted tcpdf 6.5.0+dfsg1-1 (source) into unstable (William Desportes)
[2022-01-08] tcpdf 6.4.4+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2022-01-05] Accepted tcpdf 6.4.4+dfsg1-1 (source) into unstable (William Desportes)
[2021-08-23] tcpdf 6.4.2+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2021-08-19] Accepted tcpdf 6.4.2+dfsg1-1 (source) into unstable (William Desportes)

bugs [bug history graph]

all: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 6.9.1+dfsg-1