CVE-2020-28599: A stack-based buffer overflow vulnerability exists in the import_stl.cc:import_stl() functionality of Openscad openscad-2020.12-RC2. A specially crafted STL file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. Please bump.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=764dd0f081d723d9593097055614cff5fb2b265a
commit 764dd0f081d723d9593097055614cff5fb2b265a
Author: Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-03-06 22:59:37 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-07 09:03:07 +0000
    media-gfx/openscad: bump to 2021.01
    Bug: https://bugs.gentoo.org/773217
    Closes: https://bugs.gentoo.org/769278
    Package-Manager: Portage-3.0.16, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/19412
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>
 media-gfx/openscad/Manifest | 1 +
 ...1-Gentoo-specific-Disable-ccache-building.patch | 32 ++++++
 ...penscad-2021.01-0002-fix-to-find-lib3mf-2.patch | 43 ++++++++
 media-gfx/openscad/openscad-2021.01.ebuild | 110 +++++++++++++++++++++
 4 files changed, 186 insertions(+)
As the package isn't system related, I'd propose to wait a week or two before starting stabilization.
Please stabilize
x86 stable
amd64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c017ffe1777b31221ca4243c3cf4ed729ccc6ea
commit 4c017ffe1777b31221ca4243c3cf4ed729ccc6ea
Author: Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-05-02 12:21:32 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-05-04 22:00:51 +0000
    media-gfx/openscad: drop 2019.05
    Security cleanup (CVE-2020-28599)
    Bug: https://bugs.gentoo.org/773217
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/20657
    Signed-off-by: Sam James <sam@gentoo.org>
 media-gfx/openscad/Manifest | 1 -
 ...ad-2019.05-0001-Fix-build-with-boost-1.73.patch | 28 -----
 ...2-Gentoo-specific-Disable-ccache-building.patch | 35 -------
 ...ad-2019.05-0003-change-C-standard-to-c-14.patch | 76 --------------
 .../openscad-2019.05_fix-boost-1.72.0-build.patch | 27 -----
 media-gfx/openscad/metadata.xml | 3 -
 media-gfx/openscad/openscad-2019.05-r5.ebuild | 115 ---------------------
 7 files changed, 285 deletions(-)
GLSA request filed
This issue was resolved and addressed in GLSA 202107-35 at https://security.gentoo.org/glsa/202107-35 by GLSA coordinator John Helmert III (ajak).