Hi, I've been looking into updating openscad in buster to fix CVE-2022-0496 and CVE-2022-0497. They're already fixed in bullseye and later. They are input sanitization issues and CVE-2022-0496 needed a little porting of the patch. I verified that the provided PoCs for CVE-2022-0496 do trigger in an asan/ubsan build and no longer trigger after applying the patch. The provided PoC for CVE-2022-0497 did not trigger in an asan/ubsan build, but the fix is quite obvious and the PoC looks quite sensitive to the memory layout, so that's unsurprising. Beyond the build-time test suite, autopkgtests also pass.
Given the buster -> LTS transition, I'm unsure where to upload this to. Adam's mail seems to indicate that it's late for the point release. Full build available at https://subdivi.de/~helmut/openscad_lts/, and .debdiff attached. Did I miss anything obvious on the process side? Helmut
diff --minimal -Nru openscad-2019.01~RC2/debian/changelog openscad-2019.01~RC2/debian/changelog
--- openscad-2019.01~RC2/debian/changelog 2021-10-08 14:05:21.000000000 +0200
+++ openscad-2019.01~RC2/debian/changelog 2022-06-22 22:06:51.000000000 +0200
@@ -1,3 +1,10 @@
+openscad (2019.01~RC2-2+deb10u2) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * Fix input validation (CVE-2022-0496 and CVE-2022-0497) (Closes: #1005641)
+
+ -- Helmut Grohne <hel...@subdivi.de> Wed, 22 Jun 2022 22:06:51 +0200
+
 openscad (2019.01~RC2-2+deb10u1) buster; urgency=medium
 
 * Fix buffer overflows in STL parser (CVE-2020-28599 and
diff --minimal -Nru openscad-2019.01~RC2/debian/patches/CVE-2022-0496.patch openscad-2019.01~RC2/debian/patches/CVE-2022-0496.patch
--- openscad-2019.01~RC2/debian/patches/CVE-2022-0496.patch 1970-01-01 01:00:00.000000000 +0100
+++ openscad-2019.01~RC2/debian/patches/CVE-2022-0496.patch 2022-06-22 22:06:51.000000000 +0200
@@ -0,0 +1,70 @@
+commit 770e3234cbfe66edbc0333f796b46d36a74aa652
+Author: ChrisCoxArt <c...@comcast.net>
+Date: Sat Jan 15 19:40:09 2022 -0800
+
+ add safety to line lookups in DXF import, fixes #4037
+
+ Add safety (test for, and continue past, bad indices).
+ Report warnings about bad indices
+ Add variables just to make the array indices easier to read and debug.
+
+--- openscad-2019.01~RC2.orig/src/dxfdata.cc
++++ openscad-2019.01~RC2/src/dxfdata.cc
+@@ -438,6 +438,11 @@
+ auto lv = grid.data(this->points[lines[idx].idx[j]][0], this->points[lines[idx].idx[j]][1]);
+ for (size_t ki = 0; ki < lv.size(); ki++) {
+ int k = lv.at(ki);
++ if (k < 0 || k >= lines.size()) {
++ PRINTB("WARNING: Bad DXF line index in %1$s.",
++ QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
++ continue;
++ }
+ if (k == idx || lines[k].disabled) continue;
+ goto next_open_path_j;
+ }
+@@ -463,13 +468,20 @@
+ auto lv = grid.data(ref_point[0], ref_point[1]);
+ for (size_t ki = 0; ki < lv.size(); ki++) {
+ int k = lv.at(ki);
++ if (k < 0 || k >= lines.size()) {
++ PRINTB("WARNING: Bad DXF line index in %1$s.",
++ QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
++ continue;
++ }
+ if (lines[k].disabled) continue;
+- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) {
++ auto idk0 = lines[k].idx[0]; // make it easier to read and debug
++ auto idk1 = lines[k].idx[1];
++ if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) {
+ current_line = k;
+ current_point = 0;
+ goto found_next_line_in_open_path;
+ }
+- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) {
++ if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) {
+ current_line = k;
+ current_point = 1;
+ goto found_next_line_in_open_path;
+@@ -498,13 +510,20 @@
+ auto lv = grid.data(ref_point[0], ref_point[1]);
+ for (size_t ki = 0; ki < lv.size(); ki++) {
+ int k = lv.at(ki);
++ if (k < 0 || k >= lines.size()) {
++ PRINTB("WARNING: Bad DXF line index in %1$s.",
++ QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
++ continue;
++ }
+ if (lines[k].disabled) continue;
+- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) {
++ auto idk0 = lines[k].idx[0]; // make it easier to read and debug
++ auto idk1 = lines[k].idx[1];
++ if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) {
+ current_line = k;
+ current_point = 0;
+ goto found_next_line_in_closed_path;
+ }
+- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) {
++ if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) {
+ current_line = k;
+ current_point = 1;
+ goto found_next_line_in_closed_path;
diff --minimal -Nru openscad-2019.01~RC2/debian/patches/CVE-2022-0497.patch openscad-2019.01~RC2/debian/patches/CVE-2022-0497.patch
--- openscad-2019.01~RC2/debian/patches/CVE-2022-0497.patch 1970-01-01 01:00:00.000000000 +0100
+++ openscad-2019.01~RC2/debian/patches/CVE-2022-0497.patch 2022-06-22 22:00:39.000000000 +0200
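Review bot: The new guard in all three dxfdata.cc hunks validates `k` against `lines.size()`, but the point indices read through it — `idk0`/`idk1` in the 463 and 498 hunks, and `lines[idx].idx[j]` in the 438 hunk — still index `this->points` unchecked. If those values also originate from the parsed DXF, a matching `if (idk0 < 0 || idk0 >= this->points.size())` warning-and-continue would close the same kind of out-of-range read; whether they are validated earlier is not visible from this hunk, since the enclosing function starts and ends outside it. The added comparison `k >= lines.size()` also mixes a signed `int` with a `size_t`, which -Wsign-compare reports; `if (k < 0 || static_cast<size_t>(k) >= lines.size()) {` keeps the same semantics without the warning. Note too that the warning fires once per bad index, so a malformed file with many of them will repeat the same message; if that is noisy in practice, a single per-file flag would suffice.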
@@ -0,0 +1,19 @@
+commit b81369dffc3f385257a9b1f5c271118a88671d6d
+Author: eldstal <laeder.k...@gmail.com>
+Date: Sun Jan 9 17:57:42 2022 +0100
+
+ Add file bounds check to comment parser
+
+diff --git a/src/comment.cc b/src/comment.cc
+index 25aba535b..c0051db56 100644
+--- a/src/comment.cpp
++++ b/src/comment.cpp
+@@ -92,7 +92,7 @@ static std::string getComment(const std::string &fulltext, int line)
+ }
+
+ int end = start + 1;
+- while (fulltext[end] != '\n') end++;
++ while (end < fulltext.size() && fulltext[end] != '\n') end++;
+
+ std::string comment = fulltext.substr(start, end - start);
+
diff --minimal -Nru openscad-2019.01~RC2/debian/patches/series openscad-2019.01~RC2/debian/patches/series
--- openscad-2019.01~RC2/debian/patches/series 2021-10-08 14:05:21.000000000 +0200
+++ openscad-2019.01~RC2/debian/patches/series 2022-06-22 22:06:20.000000000 +0200
@@ -8,3 +8,5 @@
 Make-sure-mainFilePath-is-absolute-from-the-start-of-pars.patch
 Use-an-absolute-path-for-OPENSCAD_FONT_PATH-in-testsuite.patch
 fix_stl_import.patch
+CVE-2022-0497.patch
+CVE-2022-0496.patch
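Review bot: The added bound in getComment stops the scan at the end of `fulltext`, but `end` is an `int` compared against `fulltext.size()`, so -Wsign-compare flags the new line and a negative `start` would convert silently in the comparison; the same loop reads more clearly as `auto end = fulltext.find('\n', start + 1); if (end == std::string::npos) end = fulltext.size();`, which needs no mixed-sign comparison. The `fulltext.substr(start, end - start)` two lines below still throws `std::out_of_range` if `start` itself is past the end of the text; whether `start` is range-checked above cannot be seen here, as getComment begins and ends outside the hunk. Separately, the inner `diff --git`/`index` lines name `src/comment.cc` while the `---`/`+++` lines name `src/comment.cpp`; since quilt applies by the latter this should be harmless, but dropping the stale `diff --git`/`index` lines (or noting the rename in the patch header) would avoid confusion on the next rebase.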