CVE-2024-56520

NameCVE-2024-56520
DescriptionAn issue was discovered in tc-lib-pdf-font before 2.6.4, as used in TCPDF before 6.8.0 and other products. Fonts are mishandled, e.g., FontBBox for Type 1 and TrueType fonts is misparsed.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4199-1
Debian Bugs1091686

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tcpdf (PTS)bullseye6.3.5+dfsg1-1vulnerable
bookworm6.6.2+dfsg1-1vulnerable
sid, trixie6.9.1+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tcpdfsourcebullseye6.3.5+dfsg1-1+deb11u1DLA-4199-1
tcpdfsource(unstable)6.8.0+dfsg-11091686

Notes

Fixed by: https://github.com/tecnickcom/TCPDF/commit/a0a02efe487cc39bd5223359e916dbeafb5cd6fe (6.8.0)
Search for package or bug name: Reporting problems