GHSA-f3qr-qr4x-j273

Опубликовано: 21 фев. 2024

Источник: github

Github: Прошло ревью

CVSS3: 6.8

Описание

php-svg-lib lacks path validation on font through SVG inline styles

Summary

php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib.

Details

The Style::fromAttributes(), or the Style::parseCssStyle() should check the content of the font-family and prevents it to use a PHAR url, to avoid passing an invalid and dangerous fontName value to other libraries. The same check as done in the Style::fromStyleSheets might be reused :

if ( \array_key_exists("font-family", $styles) && ( \strtolower(\substr($this->href, 0, 7)) === "phar://" || ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5)) !== "data:") ) ) { unset($style["font-family"]); }

PoC

Parsing the following SVG :

<?xml version="1.0" encoding="UTF-8" standalone="no"?> <svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200"> <text x="20" y="35" style="color:red;font-family:phar:///path/to/whatever.phar/blaklis;">My</text> </svg>

will pass the phar:///path/to/whatever.phar/blaklis as $family in SurfaceCpdf::setFont, which is then passed to the canvas selectFont as a $fontName.

Impact

Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even RCE, if they do not double check the value of the fontName that is passed by php-svg-lib

Ссылки

Пакеты

Наименование

phenx/php-svg-lib

composer

Затронутые версииВерсия исправления

< 0.5.2

0.5.2

EPSS

Процентиль: 31%

0.00112

Низкий

6.8 Medium

CVSS3

CVE ID

CVE-2024-25117

Дефекты

CWE-502

CWE-610

CWE-73

Связанные уязвимости

CVE-2024-25117

CVSS3: 6.8

nvd

больше 1 года назад

php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering library. Prior to version 0.5.2, php-svg-lib fails to validate that font-family doesn't contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn't validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib. The `Style::fromAttributes(`), or the `Style::parseCssStyle()` should check the content of the `font-family` and prevents it to use a PHAR url, to avoid passing an invalid and dangerous `fontName` value to other libraries. The same check as done in the `Style::fromStyleSheets` might be reused. Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even remote code execution, if they do not double check the value of the `fontName` that is passed by php-svg-lib. Version 0.5.2 contains a fix for this issue.

CVE-2024-25117

CVSS3: 6.8

debian

больше 1 года назад

php-svg-lib is a scalable vector graphics (SVG) file parsing/rendering ...

BDU:2024-04470

CVSS3: 6.8

fstec

больше 1 года назад

Уязвимость библиотеки анализа и рендеринга файлов векторной графики php-svg-lib, связанная с некорректным внешним управлением именем или путем файла, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 31%

0.00112

Низкий

6.8 Medium

CVSS3

CVE ID

CVE-2024-25117

Дефекты

CWE-502

CWE-610

CWE-73