Summary: | sci-electronics/gerbv: multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | CONFIRMED --- | ||
Severity: | normal | CC: | sci-electronics |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B2 [ebuild] | ||
Package list: | Runtime testing required: | --- |
Description
John Helmert III
2022-02-05 04:26:46 UTC
Description: Seems like Talos reported a bunch of vulnerabilities over the course of several months, though one can only find that these were fixed via the gerbv releases page, rather than with CVE references. https://github.com/gerbv/gerbv/releases CVE-2021-40391 (https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1402): An out-of-bounds write vulnerability exists in the drill format T-code tool number functionality of Gerbv 2.7.0, dev (commit b5f1eacd), and the forked version of Gerbv (commit 71493260). A specially-crafted drill file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. CVE-2021-40394 (https://talosintelligence.com/vulnerability_reports/TALOS-2021-1404): An out-of-bounds write vulnerability exists in the RS-274X aperture macro variables handling functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and the forked version of Gerbv (commit 71493260). A specially-crafted gerber file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. CVE-2021-40393 (https://talosintelligence.com/vulnerability_reports/TALOS-2021-1404): An out-of-bounds write vulnerability exists in the RS-274X aperture macro variables handling functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and the forked version of Gerbv (commit 71493260). A specially-crafted gerber file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. CVE-2021-40400 (https://talosintelligence.com/vulnerability_reports/TALOS-2021-1413): An out-of-bounds read vulnerability exists in the RS-274X aperture macro outline primitive functionality of Gerbv 2.7.0 and dev (commit b5f1eacd) and the forked version of Gerbv (commit d7f42a9a). A specially-crafted Gerber file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability. So, fixes are in 2.9.2. Ping. Please add gerbv-2.9.2 or newer to fix these security issues. |