
Bug#861926: jessie-pu: package php-tcpdf/6.0.093+dfsg-1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

I request permission to upload a fix of package php-tcpdf to fix security bug CVE-2015-3935 #814030
https://sourceforge.net/p/tcpdf/bugs/1005/

The fix is as simple as the following patch. Non-regression tested with success on packages "dolibarr" and "phpmyadmin".


Description: Set default value of K_TCPDF_CALLS_IN_HTML to false.
Author: Laurent Destailleur <eldy@users.sourceforge.net>
Forwarded: not-needed
Last-Update: 2013-07-29
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/config/tcpdf_config.php
+++ b/config/tcpdf_config.php
@@ -210,7 +210,7 @@
  * If true allows to call TCPDF methods using HTML syntax
  * IMPORTANT: For security reason, disable this feature if you are printing user HTML content.
  */
-define('K_TCPDF_CALLS_IN_HTML', true);
+define('K_TCPDF_CALLS_IN_HTML', false);
 
 /**
  * If true and PHP version is greater than 5, then the Error() method throw new exception instead of terminating the execution.
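
Review bot: The docblock above the changed define still reads "disable this feature if you are printing user HTML content", which implies the feature is on by default. With the default now false, reword it to say that calling TCPDF methods from HTML is off by default and should be enabled only when every HTML input is trusted. The DEP-3 header could also carry a Bug-Debian field pointing at #814030, and Last-Update: 2013-07-29 looks stale for an upload that addresses CVE-2015-3935.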




-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-46-generic (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

