Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openscad for openSUSE:Factory checked in at 2022-02-07 23:38:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openscad (Old) and /work/SRC/openSUSE:Factory/.openscad.new.1898 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openscad" Mon Feb 7 23:38:03 2022 rev:11 rq:952030 version:2021.01 Changes: -------- --- /work/SRC/openSUSE:Factory/openscad/openscad.changes 2021-08-27 21:45:04.610052648 +0200 +++ /work/SRC/openSUSE:Factory/.openscad.new.1898/openscad.changes 2022-02-07 23:39:08.954009751 +0100 @@ -1,0 +2,8 @@ +Sun Feb 6 19:02:05 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaub...@suse.com> + +- Add patch to fix out-of-bounds memory access in DXF loader + + CVE-2022-0496.patch (boo#1195568, CVE-2022-0496) +- Add patch to fix out-of-bounds memory access in comment parser + + CVE-2022-0497.patch (boo#1195567, CVE-2022-0497) + +------------------------------------------------------------------- New: ---- CVE-2022-0496.patch CVE-2022-0497.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openscad.spec ++++++ --- /var/tmp/diff_new_pack.HCeQ1N/_old 2022-02-07 23:39:09.610005261 +0100 +++ /var/tmp/diff_new_pack.HCeQ1N/_new 2022-02-07 23:39:09.614005234 +0100 @@ -1,7 +1,7 @@ # # spec file for package openscad # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -25,6 +25,8 @@ URL: https://www.openscad.org/ Source: https://files.openscad.org/%{name}-%{version}.src.tar.gz Patch1: fix_build_with_cgal-5.3.patch +Patch2: CVE-2022-0496.patch +Patch3: CVE-2022-0497.patch BuildRequires: bison BuildRequires: double-conversion-devel BuildRequires: eigen3-devel @@ -65,6 +67,8 @@ %setup -q %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build %qmake5 PREFIX=%{_prefix} CONFIG+=qopenglwidget CONFIG+=c++14 ++++++ CVE-2022-0496.patch ++++++ >From 00a4692989c4e2f191525f73f24ad8727bacdf41 Mon Sep 17 00:00:00 2001 
From: Torsten Paul <torsten.p...@gmx.de>
Date: Sat, 5 Feb 2022 18:38:31 +0100
Subject: [PATCH] CVE-2022-0496 Out-of-bounds memory access in DXF loader. Public issue: https://github.com/openscad/openscad/issues/4037 Fix in master branch: https://github.com/openscad/openscad/pull/4090
---
 src/dxfdata.cc | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/src/dxfdata.cc b/src/dxfdata.cc
index 2bb7236746..aa6b6f3976 100644
--- a/src/dxfdata.cc
+++ b/src/dxfdata.cc
@@ -441,6 +441,11 @@ DxfData::DxfData(double fn, double fs, double fa,
 auto lv = grid.data(this->points[lines[idx].idx[j]][0], this->points[lines[idx].idx[j]][1]);
 for (size_t ki = 0; ki < lv.size(); ++ki) {
 int k = lv.at(ki);
+ if (k < 0 || k >= lines.size()) {
+ LOG(message_group::Warning,Location::NONE,"",
+ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
+ continue;
+ }
 if (k == idx || lines[k].disabled) continue;
 goto next_open_path_j;
 }
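Review bot: The added guard `k >= lines.size()` compares a signed `int` with what is presumably an unsigned size, and the same five-line check plus warning is pasted verbatim into the hunks at -466 and -501 as well. The `k < 0` test short-circuits first, so the result is correct, but `if (k < 0 || static_cast<size_t>(k) >= lines.size())` makes that explicit and avoids sign-compare warnings; a small file-local helper would keep the three copies from drifting apart. The warning is also emitted once per rejected grid entry inside nested loops, so a malformed DXF file can produce a large number of identical log lines; reporting it once per file would be enough. The constructor body starts and ends outside the hunk.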
@@ -466,13 +471,20 @@ DxfData::DxfData(double fn, double fs, double fa,
 auto lv = grid.data(ref_point[0], ref_point[1]);
 for (size_t ki = 0; ki < lv.size(); ++ki) {
 int k = lv.at(ki);
+ if (k < 0 || k >= lines.size()) {
+ LOG(message_group::Warning,Location::NONE,"",
+ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
+ continue;
+ }
 if (lines[k].disabled) continue;
- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) {
+ auto idk0 = lines[k].idx[0]; // make it easier to read and debug
+ auto idk1 = lines[k].idx[1];
+ if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) {
 current_line = k;
 current_point = 0;
 goto found_next_line_in_open_path;
 }
- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) {
+ if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) {
 current_line = k;
 current_point = 1;
 goto found_next_line_in_open_path;
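Review bot: `idk0` and `idk1` are read from `lines[k].idx[]` and used straight away as indices into `this->points` without a range check, here and in the matching closed-path hunk at -501; the first hunk's context line does the same with `lines[idx].idx[j]`. The patch validates only the line index `k`, so if the point indices stored in a line can also be influenced by the input file (not visible from this hunk), an out-of-bounds read on `points` would remain. Assuming `points` is a standard container, a guard such as `if (idk0 >= this->points.size() || idk1 >= this->points.size()) continue;` right after the two `auto` lines would close that, with a `< 0` test added if `idx` holds a signed type. The loop sits inside the DxfData constructor, which starts and ends outside the hunk.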
@@ -501,13 +513,20 @@ DxfData::DxfData(double fn, double fs, double fa,
 auto lv = grid.data(ref_point[0], ref_point[1]);
 for (size_t ki = 0; ki < lv.size(); ++ki) {
 int k = lv.at(ki);
+ if (k < 0 || k >= lines.size()) {
+ LOG(message_group::Warning,Location::NONE,"",
+ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
+ continue;
+ }
 if (lines[k].disabled) continue;
- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) {
+ auto idk0 = lines[k].idx[0]; // make it easier to read and debug
+ auto idk1 = lines[k].idx[1];
+ if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) {
 current_line = k;
 current_point = 0;
 goto found_next_line_in_closed_path;
 }
- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) {
+ if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) {
 current_line = k;
 current_point = 1;
 goto found_next_line_in_closed_path;
++++++ CVE-2022-0497.patch ++++++
>From 84addf3c1efbd51d8ff424b7da276400bbfa1a4b Mon Sep 17 00:00:00 2001
From: Torsten Paul <torsten.p...@gmx.de>
Date: Sat, 5 Feb 2022 18:45:29 +0100
Subject: [PATCH] CVE-2022-0497 Out-of-bounds memory access in comment parser. Public issue: https://github.com/openscad/openscad/issues/4043 Fix in master branch: https://github.com/openscad/openscad/pull/4044
---
 src/comment.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/comment.cpp b/src/comment.cpp
index f02ad2c5f6..1ce3ab547b 100644
--- a/src/comment.cpp
+++ b/src/comment.cpp
@@ -92,7 +92,7 @@ static std::string getComment(const std::string &fulltext, int line)
 }
 int end = start + 1;
- while (fulltext[end] != '\n') end++;
+ while (end < fulltext.size() && fulltext[end] != '\n') end++;
 std::string comment = fulltext.substr(start, end - start);