Debian Bug report logs - #1005641
openscad: Out-of-bounds memory access (CVE-2022-0496 and CVE-2022-0497)
Report forwarded to debian-bugs-dist@lists.debian.org: Bug#1005641; Package src:openscad. (Sun, 13 Feb 2022 09:45:04 GMT)
Acknowledgement sent to Kristian Nielsen <knielsen@knielsen-hq.org>: New Bug report received and forwarded. (Sun, 13 Feb 2022 09:45:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: openscad
Severity: important
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
Upstream has reported two out-of-bounds memory access bugs, which have been
assigned CVEs:
https://github.com/openscad/openscad-security-advisory/issues/3
CVE-2022-0497
https://github.com/openscad/openscad-security-advisory/issues/4
CVE-2022-0496
The impact of the bugs looks not very severe at first glance (read access
outside of memory array). But since there are associated CVEs it seems
useful to track for Debian.
Patches, including backported versions, are available from upstream.
-- Package-specific info:
Output of /usr/share/bug/openscad:
$ glxinfo |grep 'OpenGL .* string:'
OpenGL vendor string: Intel
OpenGL renderer string: Mesa Intel(R) UHD Graphics 620 (KBL GT2)
OpenGL core profile version string: 4.6 (Core Profile) Mesa 20.3.5
OpenGL core profile shading language version string: 4.60
OpenGL version string: 4.6 (Compatibility Profile) Mesa 20.3.5
OpenGL shading language version string: 4.60
OpenGL ES profile version string: OpenGL ES 3.2 Mesa 20.3.5
OpenGL ES profile shading language version string: OpenGL ES GLSL ES 3.20
-- System Information:
Debian Release: 11.2
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-- debconf-show failed
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#1005641; Package src:openscad. (Sun, 13 Feb 2022 10:21:03 GMT)
Acknowledgement sent to Kristian Nielsen <knielsen@knielsen-hq.org>: Extra info received and forwarded to list. (Sun, 13 Feb 2022 10:21:03 GMT)
Message #10 received at 1005641@bugs.debian.org:
Public upstream bug reports:
https://github.com/openscad/openscad/issues/4037
https://github.com/openscad/openscad/issues/4043
Added tag(s) security and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 13 Feb 2022 11:03:04 GMT)
Last modified: Sun Feb 13 12:09:50 2022