Bug#1010349: librecad: CVE-2021-21897 - heap-based buffer overflow loading a DXF file via embedded dxflib
On Sat, May 28, 2022 at 06:36:29PM +0200, Sylvain Beucler wrote:
> Hello Neil,
>
> I'm triaging this vulnerability for Debian LTS / stretch.
>
> It appears librecad is not affected (all dists):
>
> - the package uses system dxflib, cf. debian/patches/debian_build.patch

But is that functional/working as expected? librecad does not have any dependency on libdxflib3?

Cheers,
Moritz
Bug#1010349: librecad: CVE-2021-21897 - heap-based buffer overflow loading a DXF file via embedded dxflib
Hello Neil,

I'm triaging this vulnerability for Debian LTS / stretch.

It appears librecad is not affected (all dists):

- the package uses system dxflib, cf. debian/patches/debian_build.patch
- while there appears to be similar vulnerable code in libraries/jwwlib/src/dl_jww-copy.cpp (grep for 'groupCode==42'), this particular file is not used in the build process AFAICT

Can you confirm and update the security tracker accordingly?

Cheers!
Sylvain Beucler
Debian LTS Team

On Fri, 29 Apr 2022 11:09:43 +0100 Neil Williams wrote:
> Source: librecad
> Version: 2.1.3-3
> Severity: important
> Tags: security
> X-Debbugs-Cc: codeh...@debian.org, Debian Security Team
>
> Hi,
>
> The following vulnerability was published for librecad.
>
> CVE-2021-21897[0]:
> | A code execution vulnerability exists in the
> | DL_Dxf::handleLWPolylineData functionality of Ribbonsoft dxflib
> | 3.17.0. A specially-crafted .dxf file can lead to a heap buffer
> | overflow. An attacker can provide a malicious file to trigger this
> | vulnerability.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-21897
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21897
>
> Please adjust the affected versions in the BTS as needed.
Bug#1010349: librecad: CVE-2021-21897 - heap-based buffer overflow loading a DXF file via embedded dxflib
Source: librecad
Version: 2.1.3-3
Severity: important
Tags: security
X-Debbugs-Cc: codeh...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for librecad.

CVE-2021-21897[0]:
| A code execution vulnerability exists in the
| DL_Dxf::handleLWPolylineData functionality of Ribbonsoft dxflib
| 3.17.0. A specially-crafted .dxf file can lead to a heap buffer
| overflow. An attacker can provide a malicious file to trigger this
| vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21897
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21897

Please adjust the affected versions in the BTS as needed.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
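Editor's added example (not part of the thread, and not dxflib or LibreCAD source): the CVE text above names DL_Dxf::handleLWPolylineData and Sylvain's triage note says to grep for 'groupCode==42'. The model below reconstructs, as my reading of that flaw class rather than the real code, an LWPOLYLINE group-code handler whose bulge branch (group 42) checks the vertex index only against the upper bound. A crafted entity that sends a 42 group before the first 10 group therefore targets slot 4*(-1)+3, one double before the heap buffer. The raw write is replaced by a range check so the program stays well defined, and the same function with hardened=true shows the fix. All names, the sample DXF text and the Step enum are constructed for this illustration.

```cpp
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// DXF is a stream of (group code, value) line pairs. An LWPOLYLINE entity
// announces its vertex count in group 90, then lists per-vertex data in
// groups 10/20/30 (x/y/z) and 42 (bulge).
struct Group { int code; std::string value; };

// Split alternating "code\nvalue\n" lines; writers pad codes with spaces.
std::vector<Group> parseDxfGroups(const std::string& text) {
    std::vector<Group> groups;
    std::istringstream in(text);
    std::string codeLine, valueLine;
    while (std::getline(in, codeLine) && std::getline(in, valueLine)) {
        size_t p = codeLine.find_first_not_of(" \t");
        if (p == std::string::npos) continue;
        groups.push_back({std::atoi(codeLine.c_str() + p), valueLine});
    }
    return groups;
}

struct LWPolylineState {
    std::vector<double> vertices;  // 4 doubles per vertex: x, y, z, bulge
    int maxVertices = 0;
    int vertexIndex = -1;          // stays -1 until the first group 10
};

enum class Step { Unhandled, Allocated, Skipped, Written, OutOfBounds };

// Reduced model of the handler (assumption: the real code differs in detail).
// With hardened=false the bulge branch only checks vertexIndex < maxVertices,
// so a group 42 arriving before any group 10 computes slot -1. Instead of
// performing that write, the slot is range-checked and reported.
Step handleLWPolylineGroup(LWPolylineState& st, const Group& g, bool hardened) {
    if (g.code == 90) {
        st.maxVertices = std::atoi(g.value.c_str());
        st.vertices.assign(st.maxVertices > 0 ? 4 * st.maxVertices : 0, 0.0);
        st.vertexIndex = -1;
        return Step::Allocated;
    }
    if (g.code != 10 && g.code != 20 && g.code != 30 && g.code != 42)
        return Step::Unhandled;

    if (g.code == 10 && st.vertexIndex < st.maxVertices - 1) st.vertexIndex++;

    long slot;
    if (g.code <= 30) {
        if (st.vertexIndex < 0 || st.vertexIndex >= st.maxVertices) return Step::Skipped;
        slot = 4L * st.vertexIndex + (g.code / 10 - 1);
    } else {
        bool lowerOk = hardened ? st.vertexIndex >= 0 : true;  // the missing check
        if (!lowerOk || st.vertexIndex >= st.maxVertices) return Step::Skipped;
        slot = 4L * st.vertexIndex + 3;
    }
    if (slot < 0 || slot >= static_cast<long>(st.vertices.size())) return Step::OutOfBounds;
    st.vertices[slot] = std::atof(g.value.c_str());
    return Step::Written;
}

// Constructed sample entity: a bulge (42) placed before the first vertex (10).
const char* kCraftedLwPolyline =
    "  0\nLWPOLYLINE\n 90\n2\n 42\n0.5\n 10\n1.0\n 20\n2.0\n 42\n0.3\n";

// Feed every group through the handler; returns how many writes would have
// landed outside the vertex buffer, and optionally the final state.
int countOutOfBounds(const std::string& text, bool hardened, LWPolylineState* out = nullptr) {
    LWPolylineState st;
    int oob = 0;
    for (const Group& g : parseDxfGroups(text))
        if (handleLWPolylineGroup(st, g, hardened) == Step::OutOfBounds) ++oob;
    if (out) *out = st;
    return oob;
}

std::vector<double> hardenedVertices(const std::string& text) {
    LWPolylineState st;
    countOutOfBounds(text, true, &st);
    return st.vertices;
}

int main() {
    std::cout << "unchecked: " << countOutOfBounds(kCraftedLwPolyline, false)
              << " out-of-bounds write(s)\n";
    std::cout << "hardened:  " << countOutOfBounds(kCraftedLwPolyline, true)
              << " out-of-bounds write(s)\n";
    for (double v : hardenedVertices(kCraftedLwPolyline)) std::cout << v << ' ';
    std::cout << '\n';
}
```

When triaging a vendored copy (as Sylvain did with dl_jww-copy.cpp), the thing to confirm is not only whether the 42 branch carries the lower bound, but whether the file is compiled and linked at all; a vulnerable function that never reaches the binary is not reachable from a crafted file.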