CVE-2021-45342 (https://github.com/LibreCAD/LibreCAD/issues/1464): A buffer overflow vulnerability in CDataList of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.

CVE-2021-45343 (https://github.com/LibreCAD/LibreCAD/issues/1468): In LibreCAD 2.2.0, a NULL pointer dereference in the HATCH handling of libdxfrw allows an attacker to crash the application using a crafted DXF document.

CVE-2021-45341 (https://github.com/LibreCAD/LibreCAD/issues/1462): A buffer overflow vulnerability in CDataMoji of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.

Patches exist at each issue URL.
Note that in Debian[1] there are ready-to-use patches for the vulnerabilities listed in both bugs (this and #825362).

[1]: https://packages.debian.org/source/bullseye/librecad
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ae3b58318840afcd6c3dfa9d8b9310c68136527f

commit ae3b58318840afcd6c3dfa9d8b9310c68136527f
Author: Alexander Golubev <fatzer2@gmail.com>
AuthorDate: 2022-11-07 08:11:20 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-11-28 07:05:29 +0000

media-gfx/librecad: several improvements

* bump to EAPI=8
* fix tranlation install
* fix live ebuild installation
* patch several CVEs

Bug: https://bugs.gentoo.org/847394
Bug: https://bugs.gentoo.org/852941
Bug: https://bugs.gentoo.org/825362
Bug: https://bugs.gentoo.org/832210
Closes: https://bugs.gentoo.org/878925
Signed-off-by: Alexander Golubev <fatzer2@gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/28164
Signed-off-by: Joonas Niilola <juippis@gentoo.org>

media-gfx/librecad/Manifest | 1 +
media-gfx/librecad/librecad-2.1.3-r7.ebuild | 99 +++++++++++++++++++++++++++++
media-gfx/librecad/librecad-9999.ebuild | 37 +++++++++--
3 files changed, 133 insertions(+), 4 deletions(-)
It's very hard to track which patches fix which vulnerabilities if they're all in an opaque tarball. Can you comment here and in the other bug with which patches fix which issues?
(In reply to John Helmert III from comment #3)
> It's very hard to track which patches fix which vulnerabilities if they're
> all in an opaque tarball. Can you comment here and in the other bug with
> which patches fix which issues?

The patches have the CVE number in their names and Gentoo bug references in their headers. The vulnerabilities mentioned by this bug are fixed respectively by the following patches:

librecad-2.1.3-CVE-2021-45341.patch
librecad-2.1.3-CVE-2021-45342.patch
librecad-2.1.3-CVE-2021-45343.patch

The reason for grouping the patches in a tarball is that the CVE-2021-21899 patch is quite large and fails the file size QA checks if placed in the tree (see juippis's PR comments[1]). You can also see the list of patches in the associated repo[2].

PS: I'm not sure how I could have made it easier to track and/or more transparent than that...

[1]: https://github.com/gentoo/gentoo/pull/28164#issuecomment-1325454462
[2]: https://github.com/Fat-Zer/librecad-gentoo-CVE-patches
Yeah, I agree it's a pain. A thought just occurred to me - maybe it would be better for everyone to explicitly enumerate the patches added via eapply rather than simply passing the directory name? Anyway, thank you! Please stabilize when ready.
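The traceability problem raised above (which patch in the tarball fixes which CVE) can be checked mechanically when the patches follow the naming convention described in comment #5: CVE number in the file name, bug URL in the header. The following POSIX shell script is an added example, not code from the Gentoo tree or the LibreCAD project; it builds a constructed patch directory with placeholder patch bodies, prints a patch-to-CVE-to-bug map, and fails if any expected CVE has no matching patch.

```shell
#!/bin/sh
# Constructed sample: a patch directory in the layout comment #5 describes
# (one patch per CVE, CVE number in the file name, "Bug:" line in the header).
# The patch bodies are placeholders, not the real LibreCAD fixes.
PATCH_DIR="${TMPDIR:-/tmp}/librecad-patches-demo.$$"
mkdir -p "$PATCH_DIR"
for cve in CVE-2021-45341 CVE-2021-45342 CVE-2021-45343; do
    cat > "$PATCH_DIR/librecad-2.1.3-$cve.patch" <<EOF
Bug: https://bugs.gentoo.org/832210
Subject: [PATCH] $cve placeholder (constructed for this example)
--- a/placeholder.cpp
+++ b/placeholder.cpp
EOF
done

# Print one line per patch: "<file> <CVE from file name> <bug URL from header>".
# Fields that cannot be recovered are printed as "none" so gaps are visible.
patch_cve_map() {
    for p in "$1"/*.patch; do
        cve=$(basename "$p" | grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | head -n1) || true
        bug=$(grep -m1 '^Bug:' "$p" | sed 's/^Bug:[[:space:]]*//') || true
        printf '%s %s %s\n' "$(basename "$p")" "${cve:-none}" "${bug:-none}"
    done
}

# Return 0 only if every CVE given as an argument has a patch in directory $1.
# Each missing CVE is reported on stderr so a reviewer sees exactly what is absent.
cves_covered() {
    dir=$1; shift
    missing=0
    for want in "$@"; do
        if ! ls "$dir" | grep -q -- "-$want\.patch$"; then
            echo "no patch for $want in $dir" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}
```

Run against a real patch tarball's extracted directory, the map gives the per-CVE listing asked for in comment #3, and `cves_covered` turns the bug's CVE list into a pass/fail check.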
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d28e84965281e2132f116892a7ea278ba5206c6

commit 4d28e84965281e2132f116892a7ea278ba5206c6
Author: John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-01-25 04:27:09 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-25 04:27:09 +0000

media-gfx/librecad: drop 2.1.3-r6

Bug: https://bugs.gentoo.org/825362
Bug: https://bugs.gentoo.org/832210
Signed-off-by: John Helmert III <ajak@gentoo.org>

media-gfx/librecad/librecad-2.1.3-r6.ebuild | 58 -----------------------------
1 file changed, 58 deletions(-)
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4243e3bd56259f99508a2874b98aa456257f51e8

commit 4243e3bd56259f99508a2874b98aa456257f51e8
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-21 19:44:16 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-21 19:51:35 +0000

[ GLSA 202305-26 ] LibreCAD: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/825362
Bug: https://bugs.gentoo.org/832210
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: John Helmert III <ajak@gentoo.org>

glsa-202305-26.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
GLSA released, all done!