Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package lib3mf

[ Reason ]
This is a targeted fix, a backport of the upstream fix for CVE-2021-21772, which is a use-after-free on user-controlled input:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985092
https://github.com/3MFConsortium/lib3mf/issues/254

[ Impact ]
This is a published security bug in upstream lib3mf.

[ Tests ]
- We obtained a (non-published) .3mf that triggers the bug. I verified (with Valgrind) that opening this 3MF file triggers a use-after-free in lib3mf_1.8.1+ds-3.1 and that it does not in lib3mf_1.8.1+ds-4.
- Package `openscad', the main reverse dependency, has a comprehensive testsuite which passes with lib3mf_1.8.1+ds-4.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock lib3mf/1.8.1+ds-4

-- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.4.0-0.bpo.4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru lib3mf-1.8.1+ds/debian/changelog lib3mf-1.8.1+ds/debian/changelog --- lib3mf-1.8.1+ds/debian/changelog 2020-12-06 02:27:21.000000000 +0100 +++ lib3mf-1.8.1+ds/debian/changelog 2021-04-01 21:25:54.000000000 +0200 @@ -1,3 +1,10 @@ +lib3mf (1.8.1+ds-4) unstable; urgency=medium + + * Fix use-after-free (CVE-2021-21772), backporting fix from v2.1.1 + (Closes: #985092) + + -- Kristian Nielsen <kniel...@knielsen-hq.org> Thu, 01 Apr 2021 21:25:54 +0200 + lib3mf (1.8.1+ds-3.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru lib3mf-1.8.1+ds/debian/control lib3mf-1.8.1+ds/debian/control --- lib3mf-1.8.1+ds/debian/control 2019-01-20 18:32:34.000000000 +0100 +++ lib3mf-1.8.1+ds/debian/control 2021-04-01 21:25:54.000000000 +0200 @@ -2,6 +2,7 @@ Section: libs Priority: optional Maintainer: Torsten Paul <torsten.p...@gmx.de> +Uploaders: Kristian Nielsen <kniel...@knielsen-hq.org> Build-Depends: debhelper (>=12~), pkg-kde-tools, cmake, libzip-dev, zlib1g-dev, uuid-dev Standards-Version: 4.3.0 Homepage: https://github.com/3MFConsortium/lib3mf diff -Nru lib3mf-1.8.1+ds/debian/patches/fix_use_after_free.patch lib3mf-1.8.1+ds/debian/patches/fix_use_after_free.patch --- lib3mf-1.8.1+ds/debian/patches/fix_use_after_free.patch 1970-01-01 01:00:00.000000000 +0100 +++ lib3mf-1.8.1+ds/debian/patches/fix_use_after_free.patch 2021-04-01 21:25:54.000000000 +0200 
@@ -0,0 +1,76 @@ +From: Kristian Nielsen <kniel...@knielsen-hq.org> +Date: Thu, 1 Apr 2021 21:28:00 +0100 +Subject: Remove unnecessary zip_source_close + +This patch fixes CVE-2021-21772, a use-after-free bug. It is a +backport of the upstream fix in v2.1.1. + +Forwarded: not-needed +--- + Include/Common/OPC/NMR_OpcPackageReader.h | 1 - + Source/Common/OPC/NMR_OpcPackageReader.cpp | 16 ++++++---------- + 2 files changed, 6 insertions(+), 11 deletions(-) + +--- a/Include/Common/OPC/NMR_OpcPackageReader.h ++++ b/Include/Common/OPC/NMR_OpcPackageReader.h +@@ -54,7 +54,6 @@ namespace NMR { + std::vector<nfByte> m_Buffer; + zip_error_t m_ZIPError; + zip_t * m_ZIParchive; +- zip_source_t * m_ZIPsource; + std::map <std::string, nfUint64> m_ZIPEntries; + std::map <std::string, POpcPackagePart> m_Parts; + +diff --git a/Source/Common/OPC/NMR_OpcPackageReader.cpp b/Source/Common/OPC/NMR_OpcPackageReader.cpp +index 16dd2e8c..4f3a604d 100644 +--- a/Source/Common/OPC/NMR_OpcPackageReader.cpp ++++ b/Source/Common/OPC/NMR_OpcPackageReader.cpp +@@ -111,7 +111,7 @@ namespace NMR { + m_ZIPError.sys_err = 0; + m_ZIPError.zip_err = 0; + m_ZIParchive = nullptr; +- m_ZIPsource = nullptr; ++ zip_source_t* pZIPsource = nullptr; + + try { + // determine stream size +@@ -131,20 +131,20 @@ namespace NMR { + #endif + if (bUseCallback) { + // read ZIP from callback: faster and requires less memory +- m_ZIPsource = zip_source_function_create(custom_zip_source_callback, pImportStream.get(), &m_ZIPError); ++ pZIPsource = zip_source_function_create(custom_zip_source_callback, pImportStream.get(), &m_ZIPError); + } + else { + // read ZIP into memory + m_Buffer.resize((size_t)nStreamSize); + pImportStream->readBuffer(&m_Buffer[0], nStreamSize, true); +- m_ZIPsource = zip_source_buffer_create(&m_Buffer[0], (size_t)nStreamSize, 0, &m_ZIPError); ++ pZIPsource = zip_source_buffer_create(&m_Buffer[0], (size_t)nStreamSize, 0, &m_ZIPError); + } +- if (m_ZIPsource == nullptr) ++ if (pZIPsource == nullptr) + 
throw CNMRException(NMR_ERROR_COULDNOTREADZIPFILE); + +- m_ZIParchive = zip_open_from_source(m_ZIPsource, ZIP_RDONLY | ZIP_CHECKCONS, &m_ZIPError); ++ m_ZIParchive = zip_open_from_source(pZIPsource, ZIP_RDONLY | ZIP_CHECKCONS, &m_ZIPError); + if (m_ZIParchive == nullptr) { +- m_ZIParchive = zip_open_from_source(m_ZIPsource, ZIP_RDONLY, &m_ZIPError); ++ m_ZIParchive = zip_open_from_source(pZIPsource, ZIP_RDONLY, &m_ZIPError); + if (m_ZIParchive == nullptr) + throw CNMRException(NMR_ERROR_COULDNOTREADZIPFILE); + else +@@ -208,13 +208,9 @@ namespace NMR { + if (m_ZIParchive != nullptr) + zip_close(m_ZIParchive); + +- if (m_ZIPsource != nullptr) +- zip_source_close(m_ZIPsource); +- + zip_error_fini(&m_ZIPError); + m_Buffer.resize(0); + +- m_ZIPsource = nullptr; + m_ZIParchive = nullptr; + } + diff -Nru lib3mf-1.8.1+ds/debian/patches/series lib3mf-1.8.1+ds/debian/patches/series --- lib3mf-1.8.1+ds/debian/patches/series 2020-12-06 02:26:45.000000000 +0100 +++ lib3mf-1.8.1+ds/debian/patches/series 2021-04-01 21:07:16.000000000 +0200 @@ -1 +1,2 @@ link-z.patch +fix_use_after_free.patch
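Review bot: In the `@@ -131,20 +131,20 @@` hunk of NMR_OpcPackageReader.cpp, the error path leaks the source: when both `zip_open_from_source(pZIPsource, ...)` calls return nullptr, the code throws NMR_ERROR_COULDNOTREADZIPFILE while pZIPsource is still allocated, and since the member that used to hold it is gone nothing can release it later. libzip only takes ownership of the source on a successful open, so add `zip_source_free(pZIPsource);` immediately before that `throw`. The retry with the same source after the `ZIP_CHECKCONS` attempt fails relies on that same ownership rule and is fine; and the `@@ -208,13 +208,9 @@` hunk is right to drop `zip_source_close` after `zip_close`, because `zip_close` already closes and frees the source the archive owns, which is exactly the double release behind the use-after-free.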
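Review bot: The `@@ -54,7 +54,6 @@` hunk in Include/Common/OPC/NMR_OpcPackageReader.h removes a data member (`zip_source_t * m_ZIPsource`), which changes the class layout; before the unblock, confirm that this header is internal and not shipped in the -dev package, because if it is installed this is an ABI change that would call for a symbols review and a rebuild of reverse dependencies, and the [ Tests ] section only covers the openscad test suite against the new library.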
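Review bot: The DEP-3 header of fix_use_after_free.patch states that it is a backport of the upstream fix in v2.1.1 but carries no `Origin:` or `Bug:` fields; add `Origin: backport, <upstream commit URL>`, `Bug: https://github.com/3MFConsortium/lib3mf/issues/254` and `Bug-Debian: https://bugs.debian.org/985092` so the provenance given in this unblock request is recorded in the package itself rather than only in the bug log.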