New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vulnerability in phenx/php-svg-lib #3393
Comments
I'm trying to coordinate the releases. SvgLib will be moving to 1.0, which will be the new minimum for Dompdf 3.0. In the meantime you can update via composer without breaking anything. The changes have been primarily around resource validation. Dompdf 2.0.4 also includes some additional relevant validations. |
Is there a usage of |
same here |
Dompdf with that most recent release of SvgLib is secure. The separate SA in not because Dompdf itself is vulnerable, but because it's vulnerable in the context of using SvgLib. There's a greater rating in the Dompdf SA since the attack surface is generally greater when SvgLib is used with Dompdf. So, the Dompdf SA is primarily to raise awareness of the issue with Dompdf users. I don't know if there's a way to indicate in the SA that Dompdf is only vulnerable based on the SvgLib dependency (e.g., Dompdf in combination with SvgLib <=0.5.1 is affected), which is why it shows * in the affected/patched fields. It's also why I didn't request a CVE since the issue is not specifically with Dompdf. |
I removed Dompdf from the list of affected packages, which I expect would allow a pass with |
Confirmed running What do you think about updating the |
Some side notes on Phar meta-data deserialization (I spent a bunch of time on that topic in 2018):
|
Version 3.0.0 is pretty much ready to go and will require dompdf/php-svg-lib 1.0. I'm just finalizing changes across our libraries. Though if everyone would prefer a minor release that requires SvgLib 0.5.2 I'm happy to oblige. |
Thanks & understood. With version 3.0.0, is it a simple upgrade? It might be worth having that temp release in between for the SvgLib 0.5.2 security fix for people not quite ready to upgrade if there's breaking changes? & as a quick fix for any one else facing this in between? I've fixed it for my repos though with the |
There is the advisory marking dompdf as vulnerable (even though it has wider constraint) and roave/security-advisories doesn't allow to use dompdf based on the advisory. It seems like there are two ways to overcome this:
|
I'll need to contact Github regardless since, apparently, there is no patched version listed. |
Sure, but automated advisory checkers could break building pipelines |
I'm not saying I won't release 2.0.5 just that I may need to contact Github to make sure it flows through to that advisory. Particularly if, as noted, roave is blocking installs because of it. |
I would really prefer the additional minor release as it currently breaks pipelines for security reasons. Upgrading to a new major version with new features i would like to be able to schedule that instead almost being enforced due a vulnerable dependency. 🙏 |
I don't see why dompdf allows tags for the affected package between 0.3.3 and 1.0.0 -- our composer.lock file is now up-to-date with 0.5.2 of phenx/php-svg-lib, yet composer audit still fails. In my experience it seems atypical to create a new tag simply to enforce a new minimum of a package's dependencies upon discovering a vulnerability in one of its requirements when it's perfectly valid for consumers of dompdf/dompdf to upgrade the peer dependencies themselves... |
You are not wrong. GHSA-97m3-52wr-xvv2 listed Dompdf as an informational. It was intended to alert the community that there's an expanded attack surface when Dompdf is used with any version of SvgLib prior to 0.5.2 (and PHP < 8, but there's no way to indicate something like that). But the system is opaque to me, and I didn't realize listing Dompdf without specific version information would create the situation we're currently in. That's on me, lesson learned. I'm still working through if a minor release will be required. I submitted an update to the global advisory, and we'll see what happens from there. I do have a minor release ready to go if the attempted resolution does not clear the current pipeline issues. |
It was merged on advisory-database. The alert should now have gone away for those that upgraded php-svg-lib to 0.5.2 |
Thanks for watching and reporting back. I was waiting to see what would happen with that. |
@bsweeney do you have an estimated date for the next minor release? Just trying to align it with our planning. Thanks for all the hard work! |
I was thinking of ... not? Since dependency managers should retrieve the patched release of SvgLib without issue. But if y'all want to see a minor release that bumps the minimum requirement of SvgLib I'm happy to do so. |
I agree that a new tag is not necessary for dompdf/dompdf. This can be remedied via |
FYI if you want to enforce a minimum SvgLib version with your Dompdf installation without specifying it in your composer you can upgrade to 2.0.7. |
Dompdf is dependent on phenx/php-svg-lib v0.3 to 1.0. There is a security vulnerability in this repo in versions below 0.5.1.
Could you modify the dependency to use a newer version of this library? Meanwhile, would it be safe to run
composer update phenx/php-svg-lib
or will things break?The text was updated successfully, but these errors were encountered: