Debian dsa-5642 : php-dompdf-svg-lib - security update

2024-03-2000:00:00

www.tenable.com

debian 12

package

vulnerabilities

php-svg-lib

svg file parsing

rendering library

infinite recursion

memory exhaustion

server

resource exhaustion

phar deserialization vulnerability

scalable vector graphics

rce

font-family

validation

fontname

bypass

restrictions

remote code execution

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.8 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

41.4%

JSON

The remote Debian 12 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-5642 advisory.

php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the attributes passed to a use tag inside an svg document, an attacker can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself. An attacker sending multiple request to a system to render the above payload can potentially cause resource exhaustion to the point that the system is unable to handle incoming request. Version 0.5.1 contains a patch for this issue. (CVE-2023-50251)
php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when handling <use> tag that references an <image> tag, it merges the attributes from the <use> tag to the <image> tag. The problem pops up especially when the href attribute from the <use> tag has not been sanitized. This can lead to an unsafe file read that can cause PHAR Deserialization vulnerability in PHP prior to version 8.
Version 0.5.1 contains a patch for this issue. (CVE-2023-50252)
php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn’t contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn’t validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. The Style::fromAttributes(), or the Style::parseCssStyle() should check the content of the font-family and prevents it to use a PHAR url, to avoid passing an invalid and dangerous fontName value to other libraries. The same check as done in the Style::fromStyleSheets might be reused.
Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double check the value of the fontName that is passed by php-svg- lib. Version 0.5.2 contains a fix for this issue. (CVE-2024-25117)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dsa-5642. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(192309);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/20");

  script_cve_id("CVE-2023-50251", "CVE-2023-50252", "CVE-2024-25117");

  script_name(english:"Debian dsa-5642 : php-dompdf-svg-lib - security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 12 host has a package installed that is affected by multiple vulnerabilities as referenced in the
dsa-5642 advisory.

  - php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the
    attributes passed to a `use` tag inside an svg document, an attacker can cause the system to go to an
    infinite recursion. Depending on the system configuration and attack pattern this could exhaust the memory
    available to the executing process and/or to the server itself. An attacker sending multiple request to a
    system to render the above payload can potentially cause resource exhaustion to the point that the system
    is unable to handle incoming request. Version 0.5.1 contains a patch for this issue. (CVE-2023-50251)

  - php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when handling `<use>` tag
    that references an `<image>` tag, it merges the attributes from the `<use>` tag to the `<image>` tag. The
    problem pops up especially when the `href` attribute from the `<use>` tag has not been sanitized. This can
    lead to an unsafe file read that can cause PHAR Deserialization vulnerability in PHP prior to version 8.
    Version 0.5.1 contains a patch for this issue. (CVE-2023-50252)

  - php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2,
    php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP
    < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions
    or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by
    php-svg-lib. The `Style::fromAttributes(`), or the `Style::parseCssStyle()` should check the content of
    the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName`
    value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused.
    Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even
    remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-
    lib. Version 0.5.2 contains a fix for this issue. (CVE-2024-25117)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://security-tracker.debian.org/tracker/source-package/php-dompdf-svg-lib
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3d322688");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-50251");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-50252");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2024-25117");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bookworm/php-dompdf-svg-lib");
  script_set_attribute(attribute:"solution", value:
"Upgrade the php-dompdf-svg-lib packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-50252");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/12/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/03/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-dompdf-svg-lib");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(12)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 12.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '12.0', 'prefix': 'php-dompdf-svg-lib', 'reference': '0.5.0-3+deb12u1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'php-dompdf-svg-lib');
}

VendorProductVersionCPE
debiandebian_linuxphp-dompdf-svg-libp-cpe:/a:debian:debian_linux:php-dompdf-svg-lib
debiandebian_linux12.0cpe:/o:debian:debian_linux:12.0