Description: "A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 2.0.0. A specially crafted 3MF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability."

Fixed in 2.1.1: https://github.com/3MFConsortium/lib3mf/releases/tag/v2.1.1
Disclosure: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1226

Note that it's unclear if the older 1.8.1 is affected, but this will mean there's some priority in getting keywords back for arm64 and x86 in case it is.
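For readers unfamiliar with the defect class behind this CVE, the following is an added illustration (not lib3mf's code; the Archive/Part/PackageReader names, the sample entries and the scenario are all constructed for this example) of the shape a use-after-free takes when a reader releases its ZIP archive while objects handed out earlier still refer to it, next to one hardened ownership model in which such a reference can be checked for expiry instead of dereferenced after the free:

```cpp
// Added illustration of the defect class in CVE-2021-21772 (use after a ZIP
// archive has been released) and one hardened ownership shape.
// This is NOT lib3mf's code; all class, function and entry names are invented.
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Stand-in for an opened ZIP archive with a few in-memory entries.
class Archive {
public:
    explicit Archive(std::map<std::string, std::vector<uint8_t>> entries)
        : m_entries(std::move(entries)) {}
    bool readEntry(const std::string& name, std::vector<uint8_t>& out) const {
        auto it = m_entries.find(name);
        if (it == m_entries.end()) return false;
        out = it->second;
        return true;
    }
private:
    std::map<std::string, std::vector<uint8_t>> m_entries;
};

// A package part handed out by the reader that keeps a back-reference to the
// archive. The vulnerable shape is a raw Archive* here: once the reader deletes
// the archive the pointer dangles and read() becomes a use-after-free.
// Hardened shape: a weak_ptr that can be checked for expiry before use.
class Part {
public:
    Part(std::string name, std::weak_ptr<Archive> archive)
        : m_name(std::move(name)), m_archive(std::move(archive)) {}
    // Returns false (instead of touching freed memory) if the archive is gone.
    bool read(std::vector<uint8_t>& out) const {
        std::shared_ptr<Archive> a = m_archive.lock();
        if (!a) return false;
        return a->readEntry(m_name, out);
    }
private:
    std::string m_name;
    std::weak_ptr<Archive> m_archive;
};

class PackageReader {
public:
    explicit PackageReader(std::map<std::string, std::vector<uint8_t>> entries)
        : m_archive(std::make_shared<Archive>(std::move(entries))) {}
    std::shared_ptr<Part> createPart(const std::string& name) {
        if (!m_archive) return nullptr;      // refuse after release
        auto p = std::make_shared<Part>(name, m_archive);
        m_parts.push_back(p);
        return p;
    }
    // Vulnerable pattern (comment only, not compiled):
    //   void releaseZIP() { delete m_archive; }   // pointer left dangling;
    //                                             // parts still point at it
    void releaseZIP() {
        m_archive.reset();   // sole owner: archive freed here, weak_ptrs expire
    }
    bool archiveOpen() const { return static_cast<bool>(m_archive); }
    std::size_t partCount() const { return m_parts.size(); }
private:
    std::shared_ptr<Archive> m_archive;
    std::vector<std::shared_ptr<Part>> m_parts;
};

// Constructed sample package with the two entries a minimal 3MF container has.
std::map<std::string, std::vector<uint8_t>> samplePackage() {
    return {
        {"[Content_Types].xml", {'<', 'T', 'y', 'p', 'e', 's', '/', '>'}},
        {"3D/3dmodel.model", {'<', 'm', 'o', 'd', 'e', 'l', '/', '>'}},
    };
}

// Drives the scenario: a read before release succeeds, a read after release is
// refused. Returns 0 on the expected behaviour, a distinct code otherwise.
int runScenario() {
    PackageReader reader(samplePackage());
    auto part = reader.createPart("3D/3dmodel.model");
    std::vector<uint8_t> buf;
    if (!part || !part->read(buf) || buf.size() != 8) return 1;
    reader.releaseZIP();              // archive freed; part object still alive
    if (part->read(buf)) return 2;    // with a raw pointer this would be the UAF
    if (reader.createPart("x")) return 3;
    if (reader.partCount() != 1) return 4;
    return 0;
}
```

The point of the example is the ownership boundary: the archive's lifetime is owned by exactly one object, and everything that outlives a release holds a reference that can be tested. Building the real library with AddressSanitizer (`-fsanitize=address`) and feeding it the crafted file from the Talos report is the practical way to confirm whether a given version, including 1.8.1, is affected.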
Thanks Sam. Talked to juippis already last week about the keywording issue and the related act package. I'm gonna look into bumping the package.
I checked the tag 1.8.1 files. AFAICS the code has the same vulnerability. The patch looks relatively easy. If the addition of the act package takes too long, we can think of backporting the patch to 1.8.1
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=912dfd38e9a2a55f289804a23b083c5b03577064

commit 912dfd38e9a2a55f289804a23b083c5b03577064
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-03-12 21:37:58 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-14 08:41:05 +0000

    media-libs/lib3mf: bump to 2.1.1

    Vulnerability fix (CVE-2021-21772)

    Bug: https://bugs.gentoo.org/775362
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-libs/lib3mf/Manifest            |  1 +
 media-libs/lib3mf/lib3mf-2.1.1.ebuild | 67 +++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)
Thank you! Were ~arm64 and x86 intentionally dropped?
(In reply to John Helmert III from comment #4)
> Thank you! Were ~arm64 and x86 intentionally dropped?

No, the package uses the Automatic Component Toolkit, included as binaries only for amd64, darwin and windows. A package for it is currently in progress, see https://github.com/gentoo/gentoo/pull/19411.

Actually, for this reason I'd prefer to wait with stabilization until this package has been merged and the update to use that package is in place, so we can re-keyword as well.

Why the hurry? The vulnerability is IMO not a severe one. The package has only one consumer so far, and I haven't heard that sharing 3MF files has become a trend lately, so I see the possibility of getting one such specially crafted 3MF as rather rare.
(In reply to Bernd from comment #5)
> (In reply to John Helmert III from comment #4)
> > Thank you! Were ~arm64 and x86 intentionally dropped?
>
> No, the package uses the Automatic Component Toolkit, included as binaries
> only for amd64, darwin and windows. A package for it is currently in
> progress, see https://github.com/gentoo/gentoo/pull/19411.
>
> Actually for this reason, I'd prefer to wait with stabilization until this
> package has been merged and the update to use that package is in place, so
> we can re-keyword as well.

> Why the hurry? The vulnerability is IMO not a severe one. The package has
> only one consumer so far and I haven't heard of sharing 3MF files has become
> a trend lately, so I see the possibility to get one such specially crafted
> 3MF as rather rare.

The risk with these kinds of things is if someone can coerce a victim into using the crafted files. Not much hurry, we can't really proceed with the dropped keywords anyway.
Unable to check for sanity:

> no match for package: media-libs/lib3mf-2.1.1
Sanity check failed:

> media-libs/lib3mf-2.1.1-r1
>   bdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     dev-go/act
>   bdepend amd64 stable profile default/linux/amd64/17.1 (26 total)
>     dev-go/act
All sanity-check issues have been resolved
Ready?
Yes go on, please.
amd64 done
x86 done

all arches done
Thanks! Shall we wait until https://bugs.gentoo.org/785880 is finished and stabilize it as well?
Please cleanup.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=597aa89b98cffb21a4d8c7f3ca4e32dc44fb44cd

commit 597aa89b98cffb21a4d8c7f3ca4e32dc44fb44cd
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-05-22 16:26:24 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-05-22 18:06:53 +0000

    media-libs/lib3mf: drop 1.8.1

    Security cleanup

    Bug: https://bugs.gentoo.org/775362
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/20931
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-libs/lib3mf/Manifest                                  |  1 -
 ...ntoo-specific-avoid-pre-stripping-library.patch          | 27 ----------
 ...-1.8.1-0002-Add-library-link-dependencies.patch          | 59 ----------------------
 ....8.1-0003-Change-installation-include-dir.patch          | 44 ----------------
 ...4-Gentoo-specific-Remove-gtest-source-dir.patch          | 35 -------------
 media-libs/lib3mf/lib3mf-1.8.1.ebuild                       | 48 ------------------
 media-libs/lib3mf/lib3mf-2.1.1-r1.ebuild                    |  4 --
 7 files changed, 218 deletions(-)
Thanks!
GLSA request filed.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=73273f0a239840f179bb67f77b10d34f3a3252e2

commit 73273f0a239840f179bb67f77b10d34f3a3252e2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:52:26 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:22 +0000

    [ GLSA 202208-01 ] 3MF Consortium lib3mf: Remote code execution

    Bug: https://bugs.gentoo.org/775362
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-01.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
GLSA released, all done!