783534 – (CVE-2020-28590) media-gfx/slic3r: OOB read (CVE-2020-28590)

Bug 783534 (CVE-2020-28590) - media-gfx/slic3r: OOB read (CVE-2020-28590)

Summary: media-gfx/slic3r: OOB read (CVE-2020-28590)

Status:	RESOLVED FIXED

Alias:	CVE-2020-28590

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://talosintelligence.com/vulnera...
Whiteboard:	~4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2021-04-18 00:34 UTC by John Helmert III
Modified:	2022-10-17 14:27 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-04-18 00:34:32 UTC

CVE-2020-28590:

An out-of-bounds read vulnerability exists in the Obj File TriangleMesh::TriangleMesh() functionality of Slic3r libslic3r 1.3.0 and Master Commit 92abbc42. A specially crafted obj file could lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.

Comment 1 Dennis Lamm gentoo-dev

2021-06-07 04:32:32 UTC

Upstream Issue: https://github.com/slic3r/Slic3r/issues/5074

Comment 2 NATTkA bot gentoo-dev

2021-07-29 17:22:56 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:31:16 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:39:13 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:47:22 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 18:03:20 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 18:11:37 UTC

Package list is empty or all packages have requested keywords.

Comment 8 Andreas K. Hüttel archtester

2022-10-16 17:14:28 UTC

Nothing upstream so far.

Comment 9 Piotr Karbowski (RETIRED) gentoo-dev

2022-10-17 09:14:27 UTC

We no longer have this package in tree. Closing.

Comment 10 John Helmert III archtester

2022-10-17 14:27:21 UTC

(In reply to Piotr Karbowski from comment #9)
> We no longer have this package in tree. Closing.

... which isn't what you should do for security bugs. As far as we're concerned, the vulnerability is fixed in ::gentoo.