Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mM3FyLXFyNHgtajI3M84AA5bM
php-svg-lib lacks path validation on font through SVG inline styles
Summary
php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib.
Details
The Style::fromAttributes(), or the Style::parseCssStyle() should check the content of the font-family
and prevents it to use a PHAR url, to avoid passing an invalid and dangerous fontName
value to other libraries. The same check as done in the Style::fromStyleSheets might be reused :
if (
\array_key_exists("font-family", $styles)
&& (
\strtolower(\substr($this->href, 0, 7)) === "phar://"
|| ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5)) !== "data:")
)
) {
unset($style["font-family"]);
}
PoC
Parsing the following SVG :
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
<text x="20" y="35" style="color:red;font-family:phar:///path/to/whatever.phar/blaklis;">My</text>
</svg>
will pass the phar:///path/to/whatever.phar/blaklis
as $family
in SurfaceCpdf::setFont
, which is then passed to the canvas selectFont
as a $fontName
.
Impact
Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even RCE, if they do not double check the value of the fontName
that is passed by php-svg-lib
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mM3FyLXFyNHgtajI3M84AA5bM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 2 months ago
Updated: 2 months ago
CVSS Score: 6.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Identifiers: GHSA-f3qr-qr4x-j273, CVE-2024-25117
References:
- https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-f3qr-qr4x-j273
- https://github.com/dompdf/php-svg-lib/commit/732faa9fb4309221e2bd9b2fda5de44f947133aa
- https://github.com/dompdf/php-svg-lib/commit/8ffcc41bbde39f09f94b9760768086f12bbdce42
- https://nvd.nist.gov/vuln/detail/CVE-2024-25117
- https://github.com/advisories/GHSA-f3qr-qr4x-j273
Blast Radius: 29.4
Affected Packages
packagist:phenx/php-svg-lib
Dependent packages: 39Dependent repositories: 20,777
Downloads: 92,616,298 total
Affected Version Ranges: < 0.5.2
Fixed in: 0.5.2
All affected versions: 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.4.0, 0.4.1, 0.5.0, 0.5.1
All unaffected versions: 0.5.2, 0.5.3, 0.5.4