CVE-2023-30259 (https://github.com/LibreCAD/LibreCAD/issues/1481):

A Buffer Overflow vulnerability in importshp plugin in LibreCAD 2.2.0 allows attackers to obtain sensitive information via a crafted DBF file.

Fix is in 2.2.0.1, but there's another vulnerability that the 2.2.0.2 says is fixed:

https://github.com/LibreCAD/LibreCAD/releases/tag/2.2.0.2

"An undetected vulnerability, opening malformed LFF font files caused a crash"

Needs bump to 2.2.0.2.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d119747e183865a1ec18c1f851a422b489fb421a

commit d119747e183865a1ec18c1f851a422b489fb421a
Author:     Michael Mair-Keimberger <mmk@levelnine.at>
AuthorDate: 2024-06-29 10:32:23 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2024-06-29 23:54:56 +0000

    media-gfx/librecad: add 2.2.0.2

    Signed-off-by: Michael Mair-Keimberger <mmk@levelnine.at>
    Bug: https://bugs.gentoo.org/918609
    Closes: https://github.com/gentoo/gentoo/pull/37352
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 media-gfx/librecad/Manifest                | 1 +
 media-gfx/librecad/librecad-2.2.0.2.ebuild | 85 ++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4a18ee3bb81d81c3829518d6b7d9fafe9df76d5

commit f4a18ee3bb81d81c3829518d6b7d9fafe9df76d5
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-12-02 02:21:12 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-12-02 02:21:12 +0000

    media-gfx/librecad: drop 2.1.3-r7, 2.2.0

    Bug: https://bugs.gentoo.org/918609
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-gfx/librecad/Manifest                        | 3 -
 .../librecad/files/librecad-2.1.3-boost-1.76.patch | 29 ---
 .../librecad/files/librecad-2.1.3-gcc-9.patch      | 209 ---------------------
 .../librecad/files/librecad-2.1.3-qt-5.11.patch    | 40 ----
 .../librecad/files/librecad-2.1.3-qt-5.15.patch    | 37 ----
 .../files/librecad-2.2.0-fix-missing-header.patch  | 29 ---
 media-gfx/librecad/librecad-2.1.3-r7.ebuild        | 99 ----------
 media-gfx/librecad/librecad-2.2.0.ebuild           | 89 ---------
 8 files changed, 535 deletions(-)