Security fixes for CVE-2022-0496 and CVE-2022-0497

Lumir Balhar 2022-04-05 12:22:17 +02:00 committed by Miro Hrončok
parent 1fd845a5cc
commit 93f9ef1a94
3 changed files with 110 additions and 2 deletions

CVE-2022-0496.patch Normal file

@ -0,0 +1,74 @@
From 770e3234cbfe66edbc0333f796b46d36a74aa652 Mon Sep 17 00:00:00 2001
From: ChrisCoxArt <ccox@comcast.net>
Date: Sat, 15 Jan 2022 19:40:09 -0800
Subject: [PATCH] add safety to line lookups in DXF import, fixes #4037
Add safety (test for, and continue past, bad indices).
Report warnings about bad indices
Add variables just to make the array indices easier to read and debug.
---
src/dxfdata.cc | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/src/dxfdata.cc b/src/dxfdata.cc
index 2bb7236746..aa6b6f3976 100644
--- a/src/dxfdata.cc
+++ b/src/dxfdata.cc
@@ -441,6 +441,11 @@ DxfData::DxfData(double fn, double fs, double fa,
auto lv = grid.data(this->points[lines[idx].idx[j]][0], this->points[lines[idx].idx[j]][1]);
for (size_t ki = 0; ki < lv.size(); ++ki) {
int k = lv.at(ki);
+ if (k < 0 || k >= lines.size()) {
+ LOG(message_group::Warning,Location::NONE,"",
+ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
+ continue;
+ }
if (k == idx || lines[k].disabled) continue;
goto next_open_path_j;
}
@@ -466,13 +471,20 @@ DxfData::DxfData(double fn, double fs, double fa,
auto lv = grid.data(ref_point[0], ref_point[1]);
for (size_t ki = 0; ki < lv.size(); ++ki) {
int k = lv.at(ki);
+ if (k < 0 || k >= lines.size()) {
+ LOG(message_group::Warning,Location::NONE,"",
+ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
+ continue;
+ }
if (lines[k].disabled) continue;
- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) {
+ auto idk0 = lines[k].idx[0]; // make it easier to read and debug
+ auto idk1 = lines[k].idx[1];
+ if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) {
current_line = k;
current_point = 0;
goto found_next_line_in_open_path;
}
- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) {
+ if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) {
current_line = k;
current_point = 1;
goto found_next_line_in_open_path;
@@ -501,13 +513,20 @@ DxfData::DxfData(double fn, double fs, double fa,
auto lv = grid.data(ref_point[0], ref_point[1]);
for (size_t ki = 0; ki < lv.size(); ++ki) {
int k = lv.at(ki);
+ if (k < 0 || k >= lines.size()) {
+ LOG(message_group::Warning,Location::NONE,"",
+ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
+ continue;
+ }
if (lines[k].disabled) continue;
- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) {
+ auto idk0 = lines[k].idx[0]; // make it easier to read and debug
+ auto idk1 = lines[k].idx[1];
+ if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) {
current_line = k;
current_point = 0;
goto found_next_line_in_closed_path;
}
- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) {
+ if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) {
current_line = k;
current_point = 1;
goto found_next_line_in_closed_path;
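Review bot: The added guard validates `k` against `lines.size()`, but `idk0`/`idk1` (read from `lines[k].idx`) then index `this->points` with no corresponding range check, and the first hunk's `this->points[lines[idx].idx[j]]` is likewise unchecked; whether those stored indices can be out of range depends on how `lines` and `points` are populated, which is outside these hunks and worth confirming. The test `k >= lines.size()` compares a signed `int` with `size_t`; after the `k < 0` test it is correct, but `static_cast<size_t>(k) >= lines.size()` states the intent without tripping -Wsign-compare. The same check-and-LOG block is pasted three times (second and third hunks repeat the first), so a small local helper that returns whether `k` is a valid line index would keep the three sites in sync. For triage the warning would be more useful with the offending value, e.g. `"Bad DXF line index %1$d in %2$s."` with `k` passed first, assuming LOG's format accepts an integer argument. The enclosing `DxfData` constructor begins and ends outside the hunks.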

CVE-2022-0497.patch Normal file

@ -0,0 +1,27 @@
From 84addf3c1efbd51d8ff424b7da276400bbfa1a4b Mon Sep 17 00:00:00 2001
From: Torsten Paul <Torsten.Paul@gmx.de>
Date: Sat, 5 Feb 2022 18:45:29 +0100
Subject: [PATCH] CVE-2022-0497 Out-of-bounds memory access in comment parser.
Public issue:
https://github.com/openscad/openscad/issues/4043
Fix in master branch:
https://github.com/openscad/openscad/pull/4044
---
src/comment.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/comment.cpp b/src/comment.cpp
index f02ad2c5f6..1ce3ab547b 100644
--- a/src/comment.cpp
+++ b/src/comment.cpp
@@ -92,7 +92,7 @@ static std::string getComment(const std::string &fulltext, int line)
}
int end = start + 1;
- while (fulltext[end] != '\n') end++;
+ while (end < fulltext.size() && fulltext[end] != '\n') end++;
std::string comment = fulltext.substr(start, end - start);
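Review bot: On the new line `end` is an `int` compared against `fulltext.size()`, so the bound check is a signed/unsigned comparison; it behaves correctly only while `end` is non-negative, which depends on `start` (computed before the hunk) being in range and is not visible here. Declaring the index as `std::string::size_type end = start + 1;` (or writing `static_cast<size_t>(end) < fulltext.size()`) makes the comparison well-typed and avoids -Wsign-compare. The following `fulltext.substr(start, end - start)` is safe once `end` is clamped to `size()`, since `substr` accepts a count that runs to the end of the string, but it still throws `std::out_of_range` if `start` itself exceeds `size()`, so that earlier computation deserves the same scrutiny. `getComment` begins and ends outside the hunk.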


@ -1,7 +1,7 @@
Name: openscad
Version: 2021.01
%global upversion %{version}
Release: 7%{?dist}
Release: 8%{?dist}
Summary: The Programmers Solid 3D CAD Modeller
# COPYING contains a linking exception for CGAL
# Appdata file is CC0
@ -21,7 +21,10 @@ Patch1: %{name}-cgal5.3.patch
Patch2: %{name}-2021.01-fix-overloaded-join.patch
# https://github.com/openscad/openscad/commit/71f2831c0484c3f35cbf44e1d1dc2c857384100b
Patch3: %{name}-2021.01-cgal-build-fix.patch
# https://github.com/openscad/openscad/commit/770e3234cbfe66edbc0333f796b46d36a74aa652
Patch4: CVE-2022-0496.patch
# https://github.com/openscad/openscad/commit/84addf3c1efbd51d8ff424b7da276400bbfa1a4b
Patch5: CVE-2022-0497.patch
BuildRequires: CGAL-devel >= 3.6
BuildRequires: ImageMagick
@ -224,6 +227,10 @@ cd -
%{_datadir}/%{name}/libraries/MCAD/bitmap/*.scad
%changelog
* Tue Apr 05 2022 Lumír Balhar <lbalhar@redhat.com> - 2021.01-8
- Security fixes for CVE-2022-0496 and CVE-2022-0497
- Fixes: rhbz#2050696 rhbz#2050700
* Fri Feb 11 2022 Tom Callaway <spot@fedoraproject.org> - 2021.01-7
- apply upstream fix for build issue with overloaded join()
- fix build against new CGAL 5.4