Control: tags -1 pending patch
On Sun, 5 May 2019 16:55:54 +0200 Markus Koschany wrote:
> Package: librecad
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for librecad.
>
> CVE-2018-19105[0]:
> | LibreCAD 2.1.3 allows remote attackers to cause a denial of service
> | (0x89C04589 write access violation and application crash) or possibly
> | have unspecified other impact via a crafted file.
Dear maintainer,
I have uploaded a new revision of librecad to fix CVE-2018-19105. I
intend to file an unblock request as well.
Regards,
Markus
diff -Nru librecad-2.1.3/debian/changelog librecad-2.1.3/debian/changelog
--- librecad-2.1.3/debian/changelog 2018-09-17 19:23:30.0 +0200
+++ librecad-2.1.3/debian/changelog 2019-05-16 13:11:05.0 +0200
@@ -1,3 +1,13 @@
+librecad (2.1.3-1.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2018-19105:
+A vulnerability was found in LibreCAD, a computer-aided design system,
+which could be exploited to crash the application or cause other
+unspecified impact when opening a specially crafted file. (Closes: #928477)
+
+ -- Markus Koschany Thu, 16 May 2019 13:11:05 +0200
+
librecad (2.1.3-1.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru librecad-2.1.3/debian/patches/CVE-2018-19105.patch
librecad-2.1.3/debian/patches/CVE-2018-19105.patch
--- librecad-2.1.3/debian/patches/CVE-2018-19105.patch 1970-01-01
01:00:00.0 +0100
+++ librecad-2.1.3/debian/patches/CVE-2018-19105.patch 2019-05-16
13:11:05.0 +0200
@@ -0,0 +1,92 @@
+From: Markus Koschany
+Date: Thu, 16 May 2019 13:08:48 +0200
+Subject: CVE-2018-19105
+
+Bug-Upstream: https://github.com/LibreCAD/LibreCAD/issues/1038
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928477
+Origin:
https://github.com/LibreCAD/LibreCAD/commit/6da7cc5f7f31afb008f03dbd11e07207ccd82085
+Origin:
https://github.com/LibreCAD/LibreCAD/commit/8604f171ee380f294102da6154adf77ab754d403
+---
+ libraries/libdxfrw/src/drw_header.cpp | 8
+ libraries/libdxfrw/src/libdxfrw.cpp | 29 +++--
+ 2 files changed, 31 insertions(+), 6 deletions(-)
+
+diff --git a/libraries/libdxfrw/src/drw_header.cpp
b/libraries/libdxfrw/src/drw_header.cpp
+index 1e0530d..6465669 100644
+--- a/libraries/libdxfrw/src/drw_header.cpp
b/libraries/libdxfrw/src/drw_header.cpp
+@@ -20,6 +20,7 @@ DRW_Header::DRW_Header() {
+ linetypeCtrl = layerCtrl = styleCtrl = dimstyleCtrl = appidCtrl = 0;
+ blockCtrl = viewCtrl = ucsCtrl = vportCtrl = vpEntHeaderCtrl = 0;
+ version = DRW::AC1021;
++curr = NULL;
+ }
+
+ void DRW_Header::addComment(std::string c){
+@@ -29,6 +30,13 @@ void DRW_Header::addComment(std::string c){
+ }
+
+ void DRW_Header::parseCode(int code, dxfReader *reader){
++if (NULL == curr && 9 != code) {
++DRW_DBG("invalid header code: ");
++DRW_DBG(code);
++DRW_DBG("\n");
++return;
++}
++
+ switch (code) {
+ case 9:
+ curr = new DRW_Variant();
+diff --git a/libraries/libdxfrw/src/libdxfrw.cpp
b/libraries/libdxfrw/src/libdxfrw.cpp
+index 60d6b74..03da2a6 100644
+--- a/libraries/libdxfrw/src/libdxfrw.cpp
b/libraries/libdxfrw/src/libdxfrw.cpp
+@@ -1839,17 +1839,27 @@ bool dxfRW::processDxf() {
+ DRW_DBG(sectionstr); DRW_DBG(" processDxf\n");
+ //found section, process it
+ if (sectionstr == "HEADER") {
+-processHeader();
++if (!processHeader()) {
++return false;
++}
+ } else if (sectionstr == "CLASSES") {
+ //processClasses();
+ } else if (sectionstr == "TABLES") {
+-processTables();
++if (!processTables()) {
++return false;
++}
+ } else if (sectionstr == "BLOCKS") {
+-processBlocks();
++if (!processBlocks()) {
++return false;
++}
+ } else if (sectionstr == "ENTITIES") {
+-processEntities(false);
++if (!processEntities(false)) {
++return false;
++}
+ } else if (sectionstr == "OBJECTS") {
+-processObjects();
++if (!processObjects()) {
++return false;
++}
+ }
+ }
+ }
+@@ -1875,7 +1885,14 @@ bool dxfRW::processHeader() {
+ iface->addHeader(&header);
+ return true; //found ENDSEC terminate
+ }
+-} else head
