CIVI-SA-2016-06: Bundled TCPDF library update

Opublikowane
2016-03-01 18:58
Written by

A bundled library, TCPDF, had a recent security flaw patched. This vulnerability permitted a malicious user to make the PDF library perform unexpected actions, potentially permitting data disclosure. This was mitigated by the fact that only administrative users have access to the PDF generation functionality which uses TCPDF.

Security Risk
Less Critical
Vulnerability
Other
Affected Versions

Up through v4.6.13 and v4.7.2

 

Fixed Versions

v4.6.14+ and v4.7.3+

 

Solutions

Any ONE of the following:

  • Upgrade to CiviCRM v4.6.14+ or v4.7.3+ (recommended)
  • Apply the patch from https://github.com/civicrm/civicrm-packages/pull/143
  • Manually update the bundled TCPDF in CiviCRM
  • Secure TCPDF as documented in http://labs.detectify.com/post/114572572966/stealing-files-from-web-servers-by-exploiting-a
Credits
  • Dmitry Smirnov (RAID6.com.au)
  • Chris Burgess (Fuzion)