
Bug 825362 (CVE-2021-21898, CVE-2021-21899, CVE-2021-21900)

Summary: <media-gfx/librecad-2.1.3-r7: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: fatzer2, maintainer-needed
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/28164
Whiteboard: B2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 832210, 891881
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-20 20:45:22 UTC
CVE-2021-21898 (https://talosintelligence.com/vulnerability_reports/TALOS-2021-1349):

A code execution vulnerability exists in the dwgCompressor::decompress18() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .dwg file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-21899 (https://talosintelligence.com/vulnerability_reports/TALOS-2021-1350):

A code execution vulnerability exists in the dwgCompressor::copyCompBytes21 functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .dwg file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-21900 (https://talosintelligence.com/vulnerability_reports/TALOS-2021-1351):

A code execution vulnerability exists in the dxfRW::processLType() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .dxf file can lead to a use-after-free vulnerability. An attacker can provide a malicious file to trigger this vulnerability.
Can't derive a fixed version from these reports.
Comment 1 Larry the Git Cow gentoo-dev 2022-11-28 07:05:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ae3b58318840afcd6c3dfa9d8b9310c68136527f

commit ae3b58318840afcd6c3dfa9d8b9310c68136527f
Author:     Alexander Golubev <fatzer2@gmail.com>
AuthorDate: 2022-11-07 08:11:20 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-11-28 07:05:29 +0000

    media-gfx/librecad: several improvements
    
    * bump to EAPI=8
    * fix translation install
    * fix live ebuild installation
    * patch several CVEs
    
    Bug: https://bugs.gentoo.org/847394
    Bug: https://bugs.gentoo.org/852941
    Bug: https://bugs.gentoo.org/825362
    Bug: https://bugs.gentoo.org/832210
    Closes: https://bugs.gentoo.org/878925
    Signed-off-by: Alexander Golubev <fatzer2@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/28164
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-gfx/librecad/Manifest                 |  1 +
 media-gfx/librecad/librecad-2.1.3-r7.ebuild | 99 +++++++++++++++++++++++++++++
 media-gfx/librecad/librecad-9999.ebuild     | 37 +++++++++--
 3 files changed, 133 insertions(+), 4 deletions(-)
Comment 2 Fat-Zer 2022-11-28 19:32:47 UTC
As asked in the neighbour bug, the mentioned CVEs are fixed respectively with the following patches:

 librecad-2.1.3-CVE-2021-21898.patch
 librecad-2.1.3-CVE-2021-21899.patch
 librecad-2.1.3-CVE-2021-21900.patch

The patches from the tarball are available in a dedicated repo[1].

[1]: https://github.com/Fat-Zer/librecad-gentoo-CVE-patches
Comment 3 Larry the Git Cow gentoo-dev 2023-01-25 04:29:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d28e84965281e2132f116892a7ea278ba5206c6

commit 4d28e84965281e2132f116892a7ea278ba5206c6
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-01-25 04:27:09 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-25 04:27:09 +0000

    media-gfx/librecad: drop 2.1.3-r6
    
    Bug: https://bugs.gentoo.org/825362
    Bug: https://bugs.gentoo.org/832210
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-gfx/librecad/librecad-2.1.3-r6.ebuild | 58 -----------------------------
 1 file changed, 58 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-25 18:59:04 UTC
GLSA request filed
Comment 5 Larry the Git Cow gentoo-dev 2023-05-21 19:52:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4243e3bd56259f99508a2874b98aa456257f51e8

commit 4243e3bd56259f99508a2874b98aa456257f51e8
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-21 19:44:16 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-21 19:51:35 +0000

    [ GLSA 202305-26 ] LibreCAD: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/825362
    Bug: https://bugs.gentoo.org/832210
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-26.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-21 19:53:14 UTC
GLSA released, all done!