Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 832210 (CVE-2021-45341, CVE-2021-45342, CVE-2021-45343) - <media-gfx/librecad-2.1.3-r7: multiple vulnerabilities
Summary: <media-gfx/librecad-2.1.3-r7: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-45341, CVE-2021-45342, CVE-2021-45343
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+]
Keywords: PullRequest
Depends on: 891881
Blocks: CVE-2021-21898, CVE-2021-21899, CVE-2021-21900
  Show dependency tree
 
Reported: 2022-01-28 14:02 UTC by John Helmert III
Modified: 2023-05-21 19:53 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-28 14:02:27 UTC
CVE-2021-45342 (https://github.com/LibreCAD/LibreCAD/issues/1464):

A buffer overflow vulnerability in CDataList of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.

CVE-2021-45343 (https://github.com/LibreCAD/LibreCAD/issues/1468):

In LibreCAD 2.2.0, a NULL pointer dereference in the HATCH handling of libdxfrw allows an attacker to crash the application using a crafted DXF document.

CVE-2021-45341 (https://github.com/LibreCAD/LibreCAD/issues/1462):

A buffer overflow vulnerability in CDataMoji of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.

Patches exist at each issue URL.
Comment 1 Fat-Zer 2022-06-18 19:08:34 UTC
Not that in debian[1] there are ready to use patches for vulnerabilities listed in both bugs (this and #825362)

  [1]: https://packages.debian.org/source/bullseye/librecad.
Comment 2 Larry the Git Cow gentoo-dev 2022-11-28 07:05:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ae3b58318840afcd6c3dfa9d8b9310c68136527f

commit ae3b58318840afcd6c3dfa9d8b9310c68136527f
Author:     Alexander Golubev <fatzer2@gmail.com>
AuthorDate: 2022-11-07 08:11:20 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-11-28 07:05:29 +0000

    media-gfx/librecad: several improvements
    
    * bump to EAPI=8
    * fix tranlation install
    * fix live ebuild installation
    * patch several CVEs
    
    Bug: https://bugs.gentoo.org/847394
    Bug: https://bugs.gentoo.org/852941
    Bug: https://bugs.gentoo.org/825362
    Bug: https://bugs.gentoo.org/832210
    Closes: https://bugs.gentoo.org/878925
    Signed-off-by: Alexander Golubev <fatzer2@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/28164
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-gfx/librecad/Manifest                 |  1 +
 media-gfx/librecad/librecad-2.1.3-r7.ebuild | 99 +++++++++++++++++++++++++++++
 media-gfx/librecad/librecad-9999.ebuild     | 37 +++++++++--
 3 files changed, 133 insertions(+), 4 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-28 17:23:45 UTC
It's very hard to track which patches fix which vulnerabilities if they're all in an opaque tarball. Can you comment here and in the other bug with which patches fix which issues?
Comment 4 Fat-Zer 2022-11-28 19:18:59 UTC
(In reply to John Helmert III from comment #3)
> It's very hard to track which patches fix which vulnerabilities if they're
> all in an opaque tarball. Can you comment here and in the other bug with
> which patches fix which issues?

The patches have the CVE number in their names and gentoo bug references in their headers. The vulnerabilities mentioned by this bug are fixed respectively by next patches:

  librecad-2.1.3-CVE-2021-45341.patch
  librecad-2.1.3-CVE-2021-45342.patch
  librecad-2.1.3-CVE-2021-45343.patch

The reason for grouping the patches in a tarball is that the CVE-2021-21899 patch is quite large and is failing the file size QA's if placed in the tree (see juippis's PR comments[1]). You can also see the list of patches in the associated repo[2].

PS: I'm not sure how I could have made it easier to track and/or more transparent than that...

 [1]: https://github.com/gentoo/gentoo/pull/28164#issuecomment-1325454462
 [2]: https://github.com/Fat-Zer/librecad-gentoo-CVE-patches
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-29 22:58:09 UTC
Yeah, I agree it's a pain. A thought just occurred to me - maybe it would be better for everyone to explicitly enumerate the patches added via eapply rather than simply passing the directory name?

Anyway, thank you! Please stabilize when ready.
Comment 6 Larry the Git Cow gentoo-dev 2023-01-25 04:29:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4d28e84965281e2132f116892a7ea278ba5206c6

commit 4d28e84965281e2132f116892a7ea278ba5206c6
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2023-01-25 04:27:09 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-25 04:27:09 +0000

    media-gfx/librecad: drop 2.1.3-r6
    
    Bug: https://bugs.gentoo.org/825362
    Bug: https://bugs.gentoo.org/832210
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 media-gfx/librecad/librecad-2.1.3-r6.ebuild | 58 -----------------------------
 1 file changed, 58 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-25 18:58:56 UTC
GLSA request filed
Comment 8 Larry the Git Cow gentoo-dev 2023-05-21 19:52:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4243e3bd56259f99508a2874b98aa456257f51e8

commit 4243e3bd56259f99508a2874b98aa456257f51e8
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-21 19:44:16 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-21 19:51:35 +0000

    [ GLSA 202305-26 ] LibreCAD: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/825362
    Bug: https://bugs.gentoo.org/832210
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-26.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-21 19:53:06 UTC
GLSA released, all done!