Your message dated Wed, 3 Aug 2022 17:41:05 +0200
with message-id <[email protected]>
and subject line Re: librecad: CVE-2021-21897 - heap-based buffer overflow
loading a DXF file via embedded dxflib
has caused the Debian Bug report #1010349,
regarding librecad: CVE-2021-21897 - heap-based buffer overflow loading a DXF
file via embedded dxflib
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
--
1010349: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010349
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: librecad
Version: 2.1.3-3
Severity: important
Tags: security
X-Debbugs-Cc: [email protected], Debian Security Team
<[email protected]>
Hi,
The following vulnerability was published for librecad.
CVE-2021-21897[0]:
| A code execution vulnerability exists in the
| DL_Dxf::handleLWPolylineData functionality of Ribbonsoft dxflib
| 3.17.0. A specially-crafted .dxf file can lead to a heap buffer
| overflow. An attacker can provide a malicious file to trigger this
| vulnerability.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-21897
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21897
Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Hi,
On Sat, 28 May 2022 18:36:29 +0200 Sylvain Beucler <[email protected]> wrote:
> It appears librecad is not affected (all dists):
> - the package uses system dxflib, cf. debian/patches/debian_build.patch
> - while there appears to be similar vulnerable code in
> libraries/jwwlib/src/dl_jww-copy.cpp (grep for 'groupCode==42'), this
> particular file is not used in the build process AFAICT
> Can you confirm and update the security tracker accordingly?
I marked CVE-2021-21897 as <not-affected> in the security tracker and
I'm closing this bug.
Feel free to revert if needed.
Cheers!
Sylvain Beucler
Debian LTS Team
--- End Message ---
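The triage steps in the closing message (grep for the suspect pattern, then check whether the matching file takes part in the build) can be scripted as a first pass. This is an added example, not part of the bug thread or of LibreCAD's code; it assumes qmake-style `.pro`/`.pri` build files, and the sample tree, `reader.cpp`, `other.cpp` and `jwwlib.pro` are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

PATTERN = re.compile(r"groupCode\s*==\s*42")  # grep hint quoted in the message
SOURCE_SUFFIXES = {".cpp", ".cc", ".c", ".h"}
BUILD_SUFFIXES = {".pro", ".pri"}  # assumption: qmake project files

def build_text(root: Path) -> str:
    """All build-file lines under root, with '#' comments stripped."""
    lines = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in BUILD_SUFFIXES:
            text = path.read_text(errors="replace")
            lines += [ln.split("#", 1)[0] for ln in text.splitlines()]
    return "\n".join(lines)

def triage(root: Path) -> dict:
    """Map each source file matching PATTERN to whether a build file names it."""
    refs, result = build_text(root), {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        if not PATTERN.search(path.read_text(errors="replace")):
            continue
        # Whole-token match so one file name cannot match inside another.
        token = r"(?<![\w.-])" + re.escape(path.name) + r"(?![\w.-])"
        result[path.relative_to(root).as_posix()] = bool(re.search(token, refs))
    return result

def run_demo() -> dict:
    """Run triage over a constructed tree; contents are not LibreCAD's."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "libraries/jwwlib/src"
        src.mkdir(parents=True)
        (src / "dl_jww-copy.cpp").write_text("if (groupCode==42) {}\n")
        (src / "reader.cpp").write_text("if (groupCode == 42) {}\n")  # hypothetical
        (src / "other.cpp").write_text("int unrelated;\n")  # hypothetical
        (root / "libraries/jwwlib/jwwlib.pro").write_text(  # hypothetical name
            "SOURCES += src/reader.cpp \\\n    src/other.cpp\n"
            "# SOURCES += src/dl_jww-copy.cpp\n")
        return triage(root)

if __name__ == "__main__":
    for name, referenced in run_demo().items():
        print("referenced" if referenced else "not in build", name)
```

A file name missing from the build files is only a first indication; a build log listing the compiled objects is the stronger confirmation.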