Bug#928477: librecad: denial-of-service CVE-2018-19105

Thu, 16 May 2019 04:39:39 -0700 

Control: tags -1 pending patch

On Sun, 5 May 2019 16:55:54 +0200 Markus Koschany <a...@debian.org> wrote:
> Package: librecad
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for librecad.
> 
> CVE-2018-19105[0]:
> | LibreCAD 2.1.3 allows remote attackers to cause a denial of service
> | (0x89C04589 write access violation and application crash) or possibly
> | have unspecified other impact via a crafted file.

Dear maintainer,

I have uploaded a new revision of librecad to fix CVE-2018-19105. I
intend to file an unblock request as well.

Regards,

Markus

diff -Nru librecad-2.1.3/debian/changelog librecad-2.1.3/debian/changelog
--- librecad-2.1.3/debian/changelog     2018-09-17 19:23:30.000000000 +0200
+++ librecad-2.1.3/debian/changelog     2019-05-16 13:11:05.000000000 +0200
@@ -1,3 +1,13 @@
+librecad (2.1.3-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2018-19105:
+    A vulnerability was found in LibreCAD, a computer-aided design system,
+    which could be exploited to crash the application or cause other
+    unspecified impact when opening a specially crafted file. (Closes: #928477)
+
+ -- Markus Koschany <a...@debian.org>  Thu, 16 May 2019 13:11:05 +0200
+
 librecad (2.1.3-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru librecad-2.1.3/debian/patches/CVE-2018-19105.patch 
librecad-2.1.3/debian/patches/CVE-2018-19105.patch
--- librecad-2.1.3/debian/patches/CVE-2018-19105.patch  1970-01-01 
01:00:00.000000000 +0100
+++ librecad-2.1.3/debian/patches/CVE-2018-19105.patch  2019-05-16 
13:11:05.000000000 +0200
@@ -0,0 +1,92 @@
+From: Markus Koschany <a...@debian.org>
+Date: Thu, 16 May 2019 13:08:48 +0200
+Subject: CVE-2018-19105
+
+Bug-Upstream: https://github.com/LibreCAD/LibreCAD/issues/1038
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928477
+Origin: 
https://github.com/LibreCAD/LibreCAD/commit/6da7cc5f7f31afb008f03dbd11e07207ccd82085
+Origin: 
https://github.com/LibreCAD/LibreCAD/commit/8604f171ee380f294102da6154adf77ab754d403
+---
+ libraries/libdxfrw/src/drw_header.cpp |  8 ++++++++
+ libraries/libdxfrw/src/libdxfrw.cpp   | 29 +++++++++++++++++++++++------
+ 2 files changed, 31 insertions(+), 6 deletions(-)
+
+diff --git a/libraries/libdxfrw/src/drw_header.cpp 
b/libraries/libdxfrw/src/drw_header.cpp
+index 1e0530d..6465669 100644
+--- a/libraries/libdxfrw/src/drw_header.cpp
++++ b/libraries/libdxfrw/src/drw_header.cpp
+@@ -20,6 +20,7 @@ DRW_Header::DRW_Header() {
+     linetypeCtrl = layerCtrl = styleCtrl = dimstyleCtrl = appidCtrl = 0;
+     blockCtrl = viewCtrl = ucsCtrl = vportCtrl = vpEntHeaderCtrl = 0;
+     version = DRW::AC1021;
++    curr = NULL;
+ }
+ 
+ void DRW_Header::addComment(std::string c){
+@@ -29,6 +30,13 @@ void DRW_Header::addComment(std::string c){
+ }
+ 
+ void DRW_Header::parseCode(int code, dxfReader *reader){
++    if (NULL == curr && 9 != code) {
++        DRW_DBG("invalid header code: ");
++        DRW_DBG(code);
++        DRW_DBG("\n");
++        return;
++    }
++
+     switch (code) {
+     case 9:
+         curr = new DRW_Variant();
+diff --git a/libraries/libdxfrw/src/libdxfrw.cpp 
b/libraries/libdxfrw/src/libdxfrw.cpp
+index 60d6b74..03da2a6 100644
+--- a/libraries/libdxfrw/src/libdxfrw.cpp
++++ b/libraries/libdxfrw/src/libdxfrw.cpp
+@@ -1839,17 +1839,27 @@ bool dxfRW::processDxf() {
+                     DRW_DBG(sectionstr); DRW_DBG("  processDxf\n");
+                     //found section, process it
+                     if (sectionstr == "HEADER") {
+-                        processHeader();
++                        if (!processHeader()) {
++                            return false;
++                        }
+                     } else if (sectionstr == "CLASSES") {
+ //                        processClasses();
+                     } else if (sectionstr == "TABLES") {
+-                        processTables();
++                        if (!processTables()) {
++                            return false;
++                        }
+                     } else if (sectionstr == "BLOCKS") {
+-                        processBlocks();
++                        if (!processBlocks()) {
++                            return false;
++                        }
+                     } else if (sectionstr == "ENTITIES") {
+-                        processEntities(false);
++                        if (!processEntities(false)) {
++                            return false;
++                        }
+                     } else if (sectionstr == "OBJECTS") {
+-                        processObjects();
++                        if (!processObjects()) {
++                            return false;
++                        }
+                     }
+                 }
+             }
+@@ -1875,7 +1885,14 @@ bool dxfRW::processHeader() {
+                 iface->addHeader(&header);
+                 return true;  //found ENDSEC terminate
+             }
+-        } else header.parseCode(code, reader);
++            else {
++                DRW_DBG("unexpected 0 code in header!\n");
++                return false;
++            }
++        }
++        else {
++            header.parseCode(code, reader);
++        }
+     }
+     return true;
+ }
diff -Nru librecad-2.1.3/debian/patches/series 
librecad-2.1.3/debian/patches/series
--- librecad-2.1.3/debian/patches/series        2018-09-17 19:23:29.000000000 
+0200
+++ librecad-2.1.3/debian/patches/series        2019-05-16 13:11:05.000000000 
+0200
@@ -1,3 +1,4 @@
 debian_build.patch
 librecad-desktop.pach
 0001-fix-build-with-Qt-5.11.patch
+CVE-2018-19105.patch

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to