Problem/Motivation
There are several vulnerabilities in the dompdf library that Entity print module installs as a dependency.
I noticed while upgrading other modules with Composer that composer audit resulted in following report:
Found 4 security vulnerability advisories affecting 2 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package | dompdf/dompdf |
| Severity | medium |
| CVE | CVE-2023-50262 |
| Title | Denial of service caused by infinite recursion when parsing SVG images |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2023-50262 |
| Affected versions | <2.0.4 |
| Reported at | 2023-12-12T09:17:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phenx/php-svg-lib |
| Severity | critical |
| CVE | NO CVE |
| Title | Dompdf's usage of vulnerable version of phenx/php-svg-lib leads to restriction |
| | bypass and potential RCE |
| URL | https://github.com/advisories/GHSA-97m3-52wr-xvv2 |
| Affected versions | <0.5.2 |
| Reported at | 2024-02-22T18:15:41+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phenx/php-svg-lib |
| Severity | medium |
| CVE | CVE-2024-25117 |
| Title | php-svg-lib lacks path validation on font through SVG inline styles |
| URL | https://github.com/advisories/GHSA-f3qr-qr4x-j273 |
| Affected versions | <0.5.2 |
| Reported at | 2024-02-21T18:04:16+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phenx/php-svg-lib |
| Severity | medium |
| CVE | CVE-2023-50251 |
| Title | Denial of service caused by infinite recursion when parsing SVG document |
| URL | https://github.com/advisories/GHSA-ff5x-7qg5-vwf2 |
| Affected versions | <0.5.1 |
| Reported at | 2023-12-13T13:32:21+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Updating the module alone didn't help, but after updating the module with composer update drupal/entity_print -W I was able to bump the module to secure version 2.0.7.
This is not automated and can easily slip by. I would suggest that the module change to a minimum version of 2.0.7 to reduce the risk of a security issue.
Currently the module is only suggesting a very old version of dompdf: https://git.drupalcode.org/project/entity_print/-/blob/8.x-1.x/composer....
Steps to reproduce
This cannot be reproduced with a new installation, because it will most likely install the latest dompdf version. It can be reproduced with an existing Entity print installation that has a composer.lock, where updating the module won't update its dependencies unless the -W flag is passed.
Proposed resolution
We should add dompdf as a requirement and bump the required version to a safe one.
This can be done by changing the composer.json requirement to
"dompdf/dompdf": ">=2.0.7",
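An offline check for the two symptoms described above (a composer.lock that still pins the vulnerable releases, and a module composer.json that does not require a safe floor for dompdf), as an added example that is not part of the Entity Print project or of this issue. It assumes Python 3 and reads the same JSON that Composer writes; the sample lock and composer.json contents are constructed, and the "^1.0" before-constraint is hypothetical (the issue only says the suggested version is very old). The minimums come from the advisories quoted above: 2.0.7 for dompdf is the floor this issue proposes (the advisory itself fixes at 2.0.4), and 0.5.2 for php-svg-lib is the first release clear of all three of its advisories. The check only models the floor a constraint sets, so it treats ">=2.0.7" and "^2.0.7" alike; keep in mind that ">=2.0.7" also admits a future dompdf 3.x, which is why "^2.0.7" is the usual Composer idiom for this kind of floor.

```python
"""Offline check that a Composer-managed site has moved past the dompdf /
php-svg-lib advisories listed in the issue. Added example, not project code."""
import json
import re

# First safe releases per the advisories quoted in the issue. dompdf 2.0.7 is
# the floor the issue proposes; php-svg-lib 0.5.2 clears GHSA-97m3-52wr-xvv2,
# CVE-2024-25117 and CVE-2023-50251.
SAFE_MINIMUMS = {
    "dompdf/dompdf": "2.0.7",
    "phenx/php-svg-lib": "0.5.2",
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")
_SIMPLE_BODY_RE = re.compile(r"v?\d+(\.\d+){0,2}(\.\*)?")


def parse_version(text):
    """Turn 'v2.0.7', '0.5.2' or '2.0' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def locked_versions(lock):
    """Map package name -> pinned version across 'packages' and 'packages-dev'."""
    pinned = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            pinned[pkg["name"]] = pkg["version"]
    return pinned


def vulnerable_locked(lock, minimums=SAFE_MINIMUMS):
    """Return {name: (locked, minimum)} for pins below their safe minimum.

    A pin that is not a plain version (e.g. 'dev-master') is reported as well,
    because it cannot be shown to be safe.
    """
    pinned = locked_versions(lock)
    found = {}
    for name, minimum in minimums.items():
        locked = pinned.get(name)
        if locked is None:
            continue  # package not installed at all
        try:
            if parse_version(locked) < parse_version(minimum):
                found[name] = (locked, minimum)
        except ValueError:
            found[name] = (locked, minimum)
    return found


def constraint_floor(constraint):
    """Lowest version a simple Composer constraint admits, or None if unknown.

    Handles '^2.0.7', '~2.0', '>=2.0.7', '2.0.*', '2.0.7' and '*'. Compound
    constraints ('>=2.0 <3.0', '||') are not modelled and yield None.
    """
    c = constraint.strip()
    if c == "*":
        return (0, 0, 0)
    for prefix in ("^", "~", ">=", ""):
        if c.startswith(prefix):
            body = c[len(prefix):].strip()
            if _SIMPLE_BODY_RE.fullmatch(body):
                return parse_version(body.replace(".*", ""))
    return None


def unsafe_requirements(composer_json, minimums=SAFE_MINIMUMS):
    """Packages the module does not pin to a safe floor.

    Returns {name: constraint} where the 'require' constraint's floor is below
    the minimum or cannot be parsed, and {name: None} for a package that is
    only listed under 'suggest', since a suggestion pins nothing. Packages the
    module mentions nowhere are someone else's transitive dependency and are skipped.
    """
    require = composer_json.get("require", {})
    suggest = composer_json.get("suggest", {})
    unsafe = {}
    for name, minimum in minimums.items():
        if name in require:
            floor = constraint_floor(require[name])
            if floor is None or floor < parse_version(minimum):
                unsafe[name] = require[name]
        elif name in suggest:
            unsafe[name] = None
    return unsafe


# Constructed composer.lock excerpt standing in for an existing site whose
# last `composer update drupal/entity_print` ran without -W, so the transitive
# pins never moved.
SAMPLE_LOCK = {
    "packages": [
        {"name": "dompdf/dompdf", "version": "v2.0.3"},
        {"name": "phenx/php-svg-lib", "version": "0.5.0"},
    ],
    "packages-dev": [],
}

# Constructed stand-ins for the module's composer.json before and after the
# proposed change; the "^1.0" suggestion is hypothetical.
MODULE_BEFORE = {"suggest": {"dompdf/dompdf": "^1.0"}}
MODULE_AFTER = {"require": {"dompdf/dompdf": "^2.0.7"}}

if __name__ == "__main__":
    for name, (locked, minimum) in vulnerable_locked(SAMPLE_LOCK).items():
        print(f"{name}: locked {locked}, needs >= {minimum}")
    print("before:", json.dumps(unsafe_requirements(MODULE_BEFORE)))
    print("after:", json.dumps(unsafe_requirements(MODULE_AFTER)))
```

Run it against a real site by replacing SAMPLE_LOCK with json.load(open("composer.lock")); unlike composer audit it needs no network, but it only knows the advisories you list in SAFE_MINIMUMS, so it complements the audit rather than replacing it.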
Remaining tasks
Change the composer.json file and make a changelog.
User interface changes
None.
API changes
None.
Data model changes
None.