Package: openscad
Version: 2019.01~RC2-2
Severity: important

There is a bug in the import() function in OpenSCAD when importing STL files. Certain invalid files can cause out-of-bounds accesses, potentially causing arbitrary code execution.

The bug is associated with these CVEs:

https://security-tracker.debian.org/tracker/CVE-2020-28599
https://security-tracker.debian.org/tracker/CVE-2020-28600

As seen in these links, the bug affects the openscad version in buster (and stretch), but is fixed in newer upstream releases (meaning bullseye, testing, and unstable are unaffected).

The upstream fix is in this git commit 07ea60f82e94a155f4926f17fad8e8366bc74874:

https://github.com/openscad/openscad/commit/07ea60f82e94a155f4926f17fad8e8366bc74874

This commit contains the fix to the C++ source code. It also adds tests to the testsuite which test for this bug.

This is considered a minor security issue. The plan is to get it fixed in buster through a point release.

- Kristian.

-- Package-specific info:
Output of /usr/share/bug/openscad:
$ glxinfo |grep 'OpenGL .* string:'
OpenGL vendor string: Intel
OpenGL renderer string: Mesa Intel(R) UHD Graphics 620 (KBL GT2)
OpenGL core profile version string: 4.6 (Core Profile) Mesa 20.3.5
OpenGL core profile shading language version string: 4.60
OpenGL version string: 4.6 (Compatibility Profile) Mesa 20.3.5
OpenGL shading language version string: 4.60
OpenGL ES profile version string: OpenGL ES 3.2 Mesa 20.3.5
OpenGL ES profile shading language version string: OpenGL ES GLSL ES 3.20

-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openscad depends on:
ii  lib3mf1  1.8.1+ds-4
ii  libboost-filesystem1.74.0  1.74.0-9
ii  libboost-program-options1.74.0  1.74.0-9
ii  libboost-regex1.74.0 [libboost-regex1.74.0-icu67]  1.74.0-9
ii  libc6  2.31-13
ii  libcairo2  1.16.0-5
ii  libdouble-conversion3  3.1.5-6.1
ii  libfontconfig1  2.13.1-4.2
ii  libfreetype6  2.10.4+dfsg-1
ii  libgcc-s1  10.2.1-6
ii  libgl1  1.3.2-1
ii  libglew2.1  2.1.0-4+b1
ii  libglib2.0-0  2.66.8-1
ii  libglu1-mesa [libglu1]  9.0.1-1
ii  libgmp10  2:6.2.1+dfsg-1
ii  libharfbuzz0b  2.7.4-1
ii  libhidapi-libusb0  0.10.1+dfsg-1
ii  libmpfr6  4.1.0-3
ii  libopencsg1  1.4.2-3
ii  libqscintilla2-qt5-15  2.11.6+dfsg-2
ii  libqt5core5a  5.15.2+dfsg-9
ii  libqt5dbus5  5.15.2+dfsg-9
ii  libqt5gamepad5  5.15.2-2
ii  libqt5gui5  5.15.2+dfsg-9
ii  libqt5multimedia5  5.15.2-3
ii  libqt5network5  5.15.2+dfsg-9
ii  libqt5widgets5  5.15.2+dfsg-9
ii  libspnav0  0.2.3-1+b2
ii  libstdc++6  10.2.1-6
ii  libx11-6  2:1.7.2-1
ii  libxml2  2.9.10+dfsg-6.7
ii  libzip4  1.7.3-1

Versions of packages openscad recommends:
ii  openscad-mcad  2019.05-1

Versions of packages openscad suggests:
pn  geomview  <none>
pn  librecad  <none>
ii  meshlab  2020.09+dfsg1-1
ii  openscad-testing  2021.01-2

-- no debconf information