
Bug 773217 (CVE-2020-28599)

Summary: <media-gfx/openscad-2021.01: RCE via crafted STL file (CVE-2020-28599)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: proxy-maint, waebbl-gentoo
Priority: Normal
Keywords: PullRequest
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
URL: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1223
See Also: https://github.com/gentoo/gentoo/pull/19714
https://github.com/gentoo/gentoo/pull/20657
Whiteboard: B2 [glsa+ cve]
Package list:
media-gfx/openscad-2021.01
Runtime testing required: ---
Bug Depends on: 769278    
Bug Blocks:    

Description John Helmert III gentoo-dev Security 2021-02-27 02:15:06 UTC
CVE-2020-28599:

A stack-based buffer overflow vulnerability exists in the import_stl.cc:import_stl() functionality of Openscad openscad-2020.12-RC2. A specially crafted STL file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2021-03-07 09:03:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=764dd0f081d723d9593097055614cff5fb2b265a

commit 764dd0f081d723d9593097055614cff5fb2b265a
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-03-06 22:59:37 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-07 09:03:07 +0000

    media-gfx/openscad: bump to 2021.01
    
    Bug: https://bugs.gentoo.org/773217
    Closes: https://bugs.gentoo.org/769278
    Package-Manager: Portage-3.0.16, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/19412
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-gfx/openscad/Manifest                        |   1 +
 ...1-Gentoo-specific-Disable-ccache-building.patch |  32 ++++++
 ...penscad-2021.01-0002-fix-to-find-lib3mf-2.patch |  43 ++++++++
 media-gfx/openscad/openscad-2021.01.ebuild         | 110 +++++++++++++++++++++
 4 files changed, 186 insertions(+)
Comment 2 Bernd 2021-03-07 09:07:34 UTC
As the package isn't system related, I'd propose to wait a week or two before starting stabilization.
Comment 3 Bernd 2021-04-09 21:19:50 UTC
Please stabilize
Comment 4 Thomas Deutschmann gentoo-dev Security 2021-04-11 00:14:20 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2021-05-01 18:20:54 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 6 Larry the Git Cow gentoo-dev 2021-05-04 22:02:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c017ffe1777b31221ca4243c3cf4ed729ccc6ea

commit 4c017ffe1777b31221ca4243c3cf4ed729ccc6ea
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-05-02 12:21:32 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-04 22:00:51 +0000

    media-gfx/openscad: drop 2019.05
    
    Security cleanup (CVE-2020-28599)
    
    Bug: https://bugs.gentoo.org/773217
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/20657
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/openscad/Manifest                        |   1 -
 ...ad-2019.05-0001-Fix-build-with-boost-1.73.patch |  28 -----
 ...2-Gentoo-specific-Disable-ccache-building.patch |  35 -------
 ...ad-2019.05-0003-change-C-standard-to-c-14.patch |  76 --------------
 .../openscad-2019.05_fix-boost-1.72.0-build.patch  |  27 -----
 media-gfx/openscad/metadata.xml                    |   3 -
 media-gfx/openscad/openscad-2019.05-r5.ebuild      | 115 ---------------------
 7 files changed, 285 deletions(-)
Comment 7 John Helmert III gentoo-dev Security 2021-07-15 03:15:26 UTC
GLSA request filed
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2021-07-15 05:19:30 UTC
This issue was resolved and addressed in
 GLSA 202107-35 at https://security.gentoo.org/glsa/202107-35
by GLSA coordinator John Helmert III (ajak).