openscad: Buffer overflows in STL parser (CVE-2020-28599, CVE-2020-28600)

Related Vulnerabilities: CVE-2020-28599, CVE-2020-28600

Debian Bug report logs - #996020


Reported by: Kristian Nielsen <knielsen@knielsen-hq.org>

Date: Sun, 10 Oct 2021 11:27:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version openscad/2019.01~RC2-2

Fixed in version openscad/2021.01-1



Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#996020; Package openscad. (Sun, 10 Oct 2021 11:27:03 GMT)


Acknowledgement sent to Kristian Nielsen <knielsen@knielsen-hq.org>:
New Bug report received and forwarded. (Sun, 10 Oct 2021 11:27:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Kristian Nielsen <knielsen@knielsen-hq.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openscad: Buffer overflows in STL parser (CVE-2020-28599, CVE-2020-28600)
Date: Sun, 10 Oct 2021 13:12:57 +0200
Package: openscad
Version: 2019.01~RC2-2
Severity: important

There is a bug in the import() function in OpenSCAD when importing STL
files. Certain invalid files can cause out-of-bounds accesses, potentially
causing arbitrary code execution.

The bug is associated with these CVEs:

  https://security-tracker.debian.org/tracker/CVE-2020-28599
  https://security-tracker.debian.org/tracker/CVE-2020-28600

As seen in these links, the bug affects the openscad version in buster (and
stretch), but is fixed in newer upstream releases (meaning bullseye,
testing, and unstable are unaffected). The upstream fix is in this git
commit 07ea60f82e94a155f4926f17fad8e8366bc74874:

  https://github.com/openscad/openscad/commit/07ea60f82e94a155f4926f17fad8e8366bc74874

This commit contains the fix to the C++ source code. It also adds tests to
the testsuite which test for this bug.

This is considered a minor security issue. The plan is to get it fixed in
buster through a point release.

 - Kristian.

-- Package-specific info:
Output of /usr/share/bug/openscad:
$ glxinfo |grep 'OpenGL .* string:'
OpenGL vendor string: Intel
OpenGL renderer string: Mesa Intel(R) UHD Graphics 620 (KBL GT2)
OpenGL core profile version string: 4.6 (Core Profile) Mesa 20.3.5
OpenGL core profile shading language version string: 4.60
OpenGL version string: 4.6 (Compatibility Profile) Mesa 20.3.5
OpenGL shading language version string: 4.60
OpenGL ES profile version string: OpenGL ES 3.2 Mesa 20.3.5
OpenGL ES profile shading language version string: OpenGL ES GLSL ES 3.20

-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openscad depends on:
ii  lib3mf1                                            1.8.1+ds-4
ii  libboost-filesystem1.74.0                          1.74.0-9
ii  libboost-program-options1.74.0                     1.74.0-9
ii  libboost-regex1.74.0 [libboost-regex1.74.0-icu67]  1.74.0-9
ii  libc6                                              2.31-13
ii  libcairo2                                          1.16.0-5
ii  libdouble-conversion3                              3.1.5-6.1
ii  libfontconfig1                                     2.13.1-4.2
ii  libfreetype6                                       2.10.4+dfsg-1
ii  libgcc-s1                                          10.2.1-6
ii  libgl1                                             1.3.2-1
ii  libglew2.1                                         2.1.0-4+b1
ii  libglib2.0-0                                       2.66.8-1
ii  libglu1-mesa [libglu1]                             9.0.1-1
ii  libgmp10                                           2:6.2.1+dfsg-1
ii  libharfbuzz0b                                      2.7.4-1
ii  libhidapi-libusb0                                  0.10.1+dfsg-1
ii  libmpfr6                                           4.1.0-3
ii  libopencsg1                                        1.4.2-3
ii  libqscintilla2-qt5-15                              2.11.6+dfsg-2
ii  libqt5core5a                                       5.15.2+dfsg-9
ii  libqt5dbus5                                        5.15.2+dfsg-9
ii  libqt5gamepad5                                     5.15.2-2
ii  libqt5gui5                                         5.15.2+dfsg-9
ii  libqt5multimedia5                                  5.15.2-3
ii  libqt5network5                                     5.15.2+dfsg-9
ii  libqt5widgets5                                     5.15.2+dfsg-9
ii  libspnav0                                          0.2.3-1+b2
ii  libstdc++6                                         10.2.1-6
ii  libx11-6                                           2:1.7.2-1
ii  libxml2                                            2.9.10+dfsg-6.7
ii  libzip4                                            1.7.3-1

Versions of packages openscad recommends:
ii  openscad-mcad  2019.05-1

Versions of packages openscad suggests:
pn  geomview          <none>
pn  librecad          <none>
ii  meshlab           2020.09+dfsg1-1
ii  openscad-testing  2021.01-2

-- no debconf information
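The report above describes the general failure mode (malformed STL input driving out-of-bounds accesses in import()) without quoting the parser. The following is an added example written for this page; it is not OpenSCAD's import_stl() code and not the contents of upstream commit 07ea60f8, and it makes no claim about which specific check that commit added. It shows the two checks a practitioner would expect any STL reader of untrusted files to have: for binary STL (80-byte header, little-endian uint32 facet count, 50 bytes per facet), the facet count from the file is verified against the bytes actually present before any facet is read; for ASCII STL, "vertex x y z" lines are tokenized into std::string/istringstream rather than fixed-size char buffers (the sscanf("%s", buf) pattern). make_binary_stl() builds constructed sample files in memory so the checks can be exercised offline; the struct names, function names and the sample triangle are assumptions for the example.

```cpp
#include <cstdint>
#include <cstring>
#include <cstdio>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Added example for this bug report; illustrative, not OpenSCAD's parser.
struct Vec3 { float x, y, z; };
struct Triangle { Vec3 normal; Vec3 v[3]; };

constexpr size_t kHeaderBytes = 80;    // binary STL: 80-byte header
constexpr size_t kCountBytes = 4;      // then a little-endian uint32 facet count
constexpr size_t kTriangleBytes = 50;  // 12 floats (48 bytes) + uint16 attribute count

static uint32_t read_u32_le(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}

static float read_f32_le(const uint8_t* p) {
    uint32_t bits = read_u32_le(p);
    float f;
    std::memcpy(&f, &bits, sizeof f);  // well-defined type punning, no alignment assumption
    return f;
}

static Vec3 read_vec3(const uint8_t* p) {
    return Vec3{read_f32_le(p), read_f32_le(p + 4), read_f32_le(p + 8)};
}

// Binary STL: never trust the facet count stored in the file. Derive the count
// the buffer can actually hold and reject any mismatch before reading a facet.
std::optional<std::vector<Triangle>> parse_binary_stl(const std::vector<uint8_t>& data) {
    if (data.size() < kHeaderBytes + kCountBytes) return std::nullopt;  // truncated header
    const size_t payload = data.size() - kHeaderBytes - kCountBytes;
    if (payload % kTriangleBytes != 0) return std::nullopt;             // partial facet
    const uint32_t declared = read_u32_le(data.data() + kHeaderBytes);
    if (declared != payload / kTriangleBytes) return std::nullopt;      // inflated or short count
    std::vector<Triangle> tris;
    tris.reserve(declared);
    const uint8_t* p = data.data() + kHeaderBytes + kCountBytes;
    for (uint32_t i = 0; i < declared; ++i, p += kTriangleBytes) {
        Triangle t;
        t.normal = read_vec3(p);
        for (int k = 0; k < 3; ++k) t.v[k] = read_vec3(p + 12 + 12 * k);
        tris.push_back(t);
    }
    return tris;
}

// ASCII STL: tokens go into std::string, which grows with the input, instead of
// a fixed char[] that a long token could overrun. Every three "vertex" lines
// form one facet; anything malformed rejects the whole file.
std::optional<std::vector<Triangle>> parse_ascii_stl(const std::string& text) {
    std::vector<Vec3> verts;
    std::istringstream lines(text);
    std::string line;
    while (std::getline(lines, line)) {
        std::istringstream iss(line);
        std::string keyword;
        if (!(iss >> keyword) || keyword != "vertex") continue;  // only vertex lines carry geometry
        Vec3 v;
        std::string extra;
        if (!(iss >> v.x >> v.y >> v.z) || (iss >> extra)) return std::nullopt;  // wrong arity
        verts.push_back(v);
    }
    if (verts.size() % 3 != 0) return std::nullopt;  // facet with fewer than 3 vertices
    std::vector<Triangle> tris;
    for (size_t i = 0; i < verts.size(); i += 3)
        tris.push_back(Triangle{Vec3{0, 0, 0}, {verts[i], verts[i + 1], verts[i + 2]}});
    return tris;
}

// Constructed sample input: a binary STL whose header claims `declared` facets
// but carries `actual` copies of one triangle. Used to exercise the checks.
std::vector<uint8_t> make_binary_stl(uint32_t declared, size_t actual) {
    std::vector<uint8_t> out(kHeaderBytes, 0);
    for (int i = 0; i < 4; ++i) out.push_back(uint8_t(declared >> (8 * i)));
    const float tri[12] = {0, 0, 1,  0, 0, 0,  1, 0, 0,  0, 1, 0};  // normal, v0, v1, v2
    for (size_t n = 0; n < actual; ++n) {
        for (float f : tri) {
            uint32_t bits;
            std::memcpy(&bits, &f, sizeof bits);
            for (int i = 0; i < 4; ++i) out.push_back(uint8_t(bits >> (8 * i)));
        }
        out.push_back(0); out.push_back(0);  // attribute byte count
    }
    return out;
}

int main() {
    bool ok = parse_binary_stl(make_binary_stl(1, 1)).has_value();
    bool inflated = parse_binary_stl(make_binary_stl(0xFFFFFFFFu, 1)).has_value();
    std::printf("well-formed file: %s; inflated facet count: %s\n",
                ok ? "accepted" : "rejected", inflated ? "accepted" : "rejected");
    return 0;
}
```

The binary check is deliberately strict (count must equal what the buffer holds) rather than merely clamping to the available bytes; a tool that silently reads fewer facets than declared hides corrupted or hostile input from the user. The same count-versus-length test applies when the file is read from a stream, except that the declared count must then be bounded before any allocation sized by it.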



Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Oct 2021 12:24:02 GMT)


Marked as fixed in versions openscad/2021.01-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Oct 2021 12:24:03 GMT)


Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Oct 2021 12:33:05 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Oct 15 14:02:51 2021; Machine Name: bembo
