| Summary: | media-gfx/openscad-2021.01: RCE via crafted STL file (CVE-2020-28599) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | proxy-maint, waebbl-gentoo |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | Flags: | nattka: sanity-check+ |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://talosintelligence.com/vulnerability_reports/TALOS-2020-1223 | | |
| See Also: | https://github.com/gentoo/gentoo/pull/19714 https://github.com/gentoo/gentoo/pull/20657 | | |
| Whiteboard: | B2 [glsa+ cve] | | |
| Package list: | media-gfx/openscad-2021.01 | | |
| Runtime testing required: | --- | | |
| Bug Depends on: | 769278 | | |
| Bug Blocks: | | | |
Description

John Helmert III
2021-02-27 02:15:06 UTC

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=764dd0f081d723d9593097055614cff5fb2b265a

commit 764dd0f081d723d9593097055614cff5fb2b265a
Author: Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-03-06 22:59:37 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-07 09:03:07 +0000

media-gfx/openscad: bump to 2021.01

Bug: https://bugs.gentoo.org/773217
Closes: https://bugs.gentoo.org/769278
Package-Manager: Portage-3.0.16, Repoman-3.0.2
Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
Closes: https://github.com/gentoo/gentoo/pull/19412
Signed-off-by: Joonas Niilola <juippis@gentoo.org>

media-gfx/openscad/Manifest | 1 +
...1-Gentoo-specific-Disable-ccache-building.patch | 32 ++++++
...penscad-2021.01-0002-fix-to-find-lib3mf-2.patch | 43 ++++++++
media-gfx/openscad/openscad-2021.01.ebuild | 110 +++++++++++++++++++++
4 files changed, 186 insertions(+)

As the package isn't system related, I'd propose to wait a week or two before starting stabilization.

Please stabilize

x86 stable

amd64 stable

Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c017ffe1777b31221ca4243c3cf4ed729ccc6ea

commit 4c017ffe1777b31221ca4243c3cf4ed729ccc6ea
Author: Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-05-02 12:21:32 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-05-04 22:00:51 +0000

media-gfx/openscad: drop 2019.05

Security cleanup (CVE-2020-28599)

Bug: https://bugs.gentoo.org/773217
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
Closes: https://github.com/gentoo/gentoo/pull/20657
Signed-off-by: Sam James <sam@gentoo.org>

media-gfx/openscad/Manifest | 1 -
...ad-2019.05-0001-Fix-build-with-boost-1.73.patch | 28 -----
...2-Gentoo-specific-Disable-ccache-building.patch | 35 -------
...ad-2019.05-0003-change-C-standard-to-c-14.patch | 76 --------------
.../openscad-2019.05_fix-boost-1.72.0-build.patch | 27 -----
media-gfx/openscad/metadata.xml | 3 -
media-gfx/openscad/openscad-2019.05-r5.ebuild | 115 ---------------------
7 files changed, 285 deletions(-)

GLSA request filed

This issue was resolved and addressed in GLSA 202107-35 at https://security.gentoo.org/glsa/202107-35 by GLSA coordinator John Helmert III (ajak).