867325 – (CVE-2022-0496, CVE-2022-0497) <media-gfx/openscad-2021.01-r4: multiple vulnerabilities

Bug 867325 (CVE-2022-0496, CVE-2022-0497) - <media-gfx/openscad-2021.01-r4: multiple vulnerabilities

Summary: <media-gfx/openscad-2021.01-r4: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2022-0496, CVE-2022-0497

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [noglsa]
Keywords:	PullRequest

Depends on:	867748
Blocks:
	Show dependency tree

Reported:	2022-08-29 16:44 UTC by John Helmert III
Modified:	2022-09-03 15:59 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/27113
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-08-29 16:44:25 UTC

CVE-2022-0496 (https://github.com/openscad/openscad/issues/4037):

A vulnerbiility was found in Openscad, where a DXF-format drawing with particular (not necessarily malformed!) properties may cause an out-of-bounds memory access when imported using import().

Patches: https://github.com/openscad/openscad/commit/770e3234cbfe66edbc0333f796b46d36a74aa652
https://github.com/openscad/openscad/commit/00a4692989c4e2f191525f73f24ad8727bacdf41

CVE-2022-0497 (https://github.com/openscad/openscad/issues/4043):

A vulnerbiility was found in Openscad, where a .scad file with no trailing newline could cause an out-of-bounds read during parsing of annotations.

Patch: https://github.com/openscad/openscad/commit/78a82cf31767bda6969d8ea2eb851dc24c12b4b0

Comment 1 Bernd 2022-08-31 07:27:51 UTC

Both issues are already addressed in -r4. See the patches ${FILESDIR}/${P}-CVE-2022-0496-Out-of-bounds-memory-access-in-DXF-loa.patch and ${FILESDIR}/${P}-CVE-2022-0497-Out-of-bounds-memory-access-in-comment.patch as well as the git log of the latest commit.

Comment 2 Bernd 2022-08-31 07:46:43 UTC

I was already thinking about stabilizing -r4, when this bug showed up. Going to open a stabilization request later this day.

Comment 3 John Helmert III archtester

2022-09-01 19:30:47 UTC

Ah, please remember to file security bugs when you notice security fixes! And now that stabilization is done, please cleanup -r3.

Comment 4 Bernd 2022-09-02 14:12:11 UTC

Oh no problem. Didn't know it should file a security bug in such cases.

Comment 5 Larry the Git Cow gentoo-dev

2022-09-02 16:50:18 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f9ff34202290af6646ebe66f4549ac1117df6755

commit f9ff34202290af6646ebe66f4549ac1117df6755
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2022-09-02 14:21:05 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-09-02 16:49:02 +0000

    media-gfx/openscad: drop 2021.01-r3
    
    Bug: https://bugs.gentoo.org/867325
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/27113
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-gfx/openscad/openscad-2021.01-r3.ebuild | 106 --------------------------
 1 file changed, 106 deletions(-)

Comment 6 John Helmert III archtester

2022-09-03 15:59:39 UTC

OOB read is not clearly exploitable, no GLSA. All done!