Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 775362 (CVE-2021-21772) - <media-libs/lib3mf-2.1.1: Use-after-free (CVE-2021-21772)
Summary: <media-libs/lib3mf-2.1.1: Use-after-free (CVE-2021-21772)
Status: RESOLVED FIXED
Alias: CVE-2021-21772
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2021-03-11 06:43 UTC by Sam James
Modified: 2022-08-04 14:03 UTC (History)
2 users (show)

See Also:
Package list:
media-libs/lib3mf-2.1.1-r1 amd64 x86 dev-go/act-1.6.0 amd64 x86
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-11 06:43:52 UTC
Description:
"A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 2.0.0. A specially crafted 3MF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability."

Fixed in 2.1.1: https://github.com/3MFConsortium/lib3mf/releases/tag/v2.1.1.

Disclosure: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1226

Note that it's unclear if the older 1.8.1 is affected but this will mean there's some priority in getting keywords back for arm64, x86 in case it is.
Comment 1 Bernd 2021-03-11 07:21:33 UTC
Thanks Sam. Talked to juippis already last week about the keywording issue and the related act package.
I'm gonna look into bumping the package.
Comment 2 Bernd 2021-03-12 21:48:42 UTC
I checked the tag 1.8.1 files. AFAICS the code has the same vulnerability. The patch looks relatively easy. If the addition of the act package takes too long, we can think of backporting the patch to 1.8.1
Comment 3 Larry the Git Cow gentoo-dev 2021-03-14 08:41:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=912dfd38e9a2a55f289804a23b083c5b03577064

commit 912dfd38e9a2a55f289804a23b083c5b03577064
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-03-12 21:37:58 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-03-14 08:41:05 +0000

    media-libs/lib3mf: bump to 2.1.1
    
    Vulnerability fix (CVE-2021-21772)
    
    Bug: https://bugs.gentoo.org/775362
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-libs/lib3mf/Manifest            |  1 +
 media-libs/lib3mf/lib3mf-2.1.1.ebuild | 67 +++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-14 15:09:58 UTC
Thank you! Were ~arm64 and x86 intentionally dropped?
Comment 5 Bernd 2021-03-14 18:20:11 UTC
(In reply to John Helmert III from comment #4)
> Thank you! Were ~arm64 and x86 intentionally dropped?

No, the package uses the Automatic Component Toolkit, included as binaries only for amd64, darwin and windows. A package for it is currently in progress, see https://github.com/gentoo/gentoo/pull/19411.

Actually for this reason, I'd prefer to wait with stabilization until this package has been merged and the update to use that package is in place, so we can re-keyword as well. 
Why the hurry? The vulnerability is IMO not a severe one. The package has only one consumer so far and I haven't heard of sharing 3MF files has become a trend lately, so I see the possibility to get one such specially crafted 3MF as rather rare.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-15 14:04:30 UTC
(In reply to Bernd from comment #5)
> (In reply to John Helmert III from comment #4)
> > Thank you! Were ~arm64 and x86 intentionally dropped?
> 
> No, the package uses the Automatic Component Toolkit, included as binaries
> only for amd64, darwin and windows. A package for it is currently in
> progress, see https://github.com/gentoo/gentoo/pull/19411.
> 
> Actually for this reason, I'd prefer to wait with stabilization until this
> package has been merged and the update to use that package is in place, so
> we can re-keyword as well. 
> Why the hurry? The vulnerability is IMO not a severe one. The package has
> only one consumer so far and I haven't heard of sharing 3MF files has become
> a trend lately, so I see the possibility to get one such specially crafted
> 3MF as rather rare.

The risk with these kinds of things is if someone can coerce a victim into using the crafted files. Not much hurry, we can't really proceed with the dropped keywords anyway.
Comment 7 NATTkA bot gentoo-dev 2021-04-10 04:28:26 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-04-10 07:00:27 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-04-10 07:48:35 UTC Comment hidden (obsolete)
Comment 10 NATTkA bot gentoo-dev 2021-04-16 13:57:14 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-04-16 14:00:29 UTC Comment hidden (obsolete)
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-16 14:35:28 UTC
Ready?
Comment 13 Bernd 2021-04-26 20:13:53 UTC
Yes go on, please.
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-27 18:01:33 UTC
amd64 done
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-27 18:02:31 UTC
x86 done

all arches done
Comment 16 Bernd 2021-04-27 18:16:04 UTC
Thanks shall we wait until https://bugs.gentoo.org/785880 is finished and stabilize it as well?
Comment 17 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-20 22:00:25 UTC
Please cleanup.
Comment 18 Larry the Git Cow gentoo-dev 2021-05-22 18:07:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=597aa89b98cffb21a4d8c7f3ca4e32dc44fb44cd

commit 597aa89b98cffb21a4d8c7f3ca4e32dc44fb44cd
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2021-05-22 16:26:24 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-05-22 18:06:53 +0000

    media-libs/lib3mf: drop 1.8.1
    
    Security cleanup
    
    Bug: https://bugs.gentoo.org/775362
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/20931
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-libs/lib3mf/Manifest                         |  1 -
 ...ntoo-specific-avoid-pre-stripping-library.patch | 27 ----------
 ...-1.8.1-0002-Add-library-link-dependencies.patch | 59 ----------------------
 ....8.1-0003-Change-installation-include-dir.patch | 44 ----------------
 ...4-Gentoo-specific-Remove-gtest-source-dir.patch | 35 -------------
 media-libs/lib3mf/lib3mf-1.8.1.ebuild              | 48 ------------------
 media-libs/lib3mf/lib3mf-2.1.1-r1.ebuild           |  4 --
 7 files changed, 218 deletions(-)
Comment 19 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-22 18:08:12 UTC
Thanks!
Comment 20 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 04:16:47 UTC
GLSA request filed.
Comment 21 Larry the Git Cow gentoo-dev 2022-08-04 14:02:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=73273f0a239840f179bb67f77b10d34f3a3252e2

commit 73273f0a239840f179bb67f77b10d34f3a3252e2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-04 13:52:26 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-04 13:59:22 +0000

    [ GLSA 202208-01 ] 3MF Consortium lib3mf: Remote code execution
    
    Bug: https://bugs.gentoo.org/775362
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-01.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 22 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-04 14:03:49 UTC
GLSA released, all done!