| Summary: | <media-gfx/prusaslicer-2.3.1: remote code execution via malicious input (CVE-2020-{28594,28598}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | 3dprint |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://talosintelligence.com/vulnerability_reports/TALOS-2020-1222 | | |
| Whiteboard: | ~2 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
John Helmert III
2021-07-09 18:34:38 UTC
Package list is empty or all packages have requested keywords.

CVE-2020-28594: A use-after-free vulnerability exists in the _3MF_Importer::_handle_end_model() functionality of Prusa Research PrusaSlicer 2.2.0 and Master (commit 4b040b856). A specially crafted 3MF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

These two vulnerabilities were fixed in PrusaSlicer 2.3.1-rc; the oldest version we still have in tree is 2.4.0.
https://github.com/prusa3d/PrusaSlicer/releases/tag/version_2.3.1-rc

Thanks! All done.