| Summary: | openscad new security issue CVE-2020-28599 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, fri, mageia, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | | |
| Source RPM: | openscad-2019.05-10.mga8.src.rpm | CVE: | CVE-2020-28599 |
| Status comment: | | | |
Description
David Walser
2021-03-06 00:13:55 CET

David Walser
2021-03-06 00:14:12 CET
Status comment: (none) => Patch available from Fedora

Hi, thanks for reporting this. Assigned to the package maintainer.
(Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => rverschelde

Morgan Leijström
2021-03-06 12:59:35 CET
CC: (none) => fri

Nicolas Lécureuil
2021-03-06 19:22:45 CET
Status comment: Patch available from Fedora => Patch available upstream

fixed in cauldron:

Fixed in mga7/8:
src:
- Mageia 7:
  - openscad-2019.05-1.1.mga7
- Mageia 8:
  - openscad-2021.01-1.mga8

Version: Cauldron => 8

Advisory:
========================

Updated openscad package fixes security vulnerability:

A stack-based buffer overflow vulnerability exists in the import_stl.cc:import_stl() functionality of Openscad openscad-2020.12-RC2. A specially crafted STL file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability (CVE-2020-28599).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28599
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KRHYUWXQ7QQIC6TXDYYLYFFF7B7L3EBD/

Keywords: PATCH => (none)

mga7, x64

Tried this without a package list, installing openscad from Core Release first.

(medium "Core Release (Official7.1-1)")
lib64cgal13 4.14 1.mga7 x86_64
lib64opencsg1 1.4.2 4.mga7 x86_64
lib64polyclipping22 6.4.2 2.mga7 x86_64
(medium "Core Updates (Official7.1-3)")
lib64qt5gamepad5 5.12.6 1.mga7 x86_64
openscad 2019.05 1.mga7 x86_64
qtgamepad5 5.12.6 1.mga7 x86_64

Found openscad in the Graphics menu and launched the GUI. Looked around in /usr/share/openscad/examples for files to load. Picked a scad file at random and a scene appeared in the drawing area.

Updating openscad from testing installed only openscad.

$ rpm -q openscad
openscad-2019.05-1.1.mga7

Launched the GUI again and played with the various options. Loaded the previous example, which the application had remembered. Pressed F6 to render the CAD drawing as a 3D object and tried printing from the Design menu. No go, because it needs a 3D printer for that, and it presented a selection of two 3D print services. Loaded another design from /usr/share, then tried the internal examples like LetterBlock. There is a valid link to the homepage in Help.

Cannot take this any further than this, but at the introductory level it appears to function.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

MGA8, x64 Plasma.

Installed openscad and dependencies:

The following 12 packages are going to be installed:
- lib643mf1-1.8.1-2.mga8.x86_64
- lib64boost_program_options1.75.0-1.75.0-1.mga8.x86_64
- lib64boost_regex1.75.0-1.75.0-1.mga8.x86_64
- lib64cgal13-4.14.3-5.mga8.x86_64
- lib64glew2.2-2.2.0-2.mga8.x86_64
- lib64opencsg1-1.4.2-6.mga8.x86_64
- lib64polyclipping22-6.4.2-3.mga8.x86_64
- lib64qscintilla2_qt5_15-2.11.6-1.mga8.x86_64
- lib64qt5gamepad5-5.15.2-1.mga8.x86_64
- openscad-2019.05-10.mga8.x86_64
- qscintilla2-qt5-common-2.11.6-1.mga8.x86_64
- qtgamepad5-5.15.2-1.mga8.x86_64

No installation issues. Followed Len's lead for testing: loaded an example, was able to export it to a png image.

http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/28537/application/0 shows only Mageia 7 rpms for this bug, with openscad being the only one. Extrapolating from that, I used "openscad*" in qarepo to download the update. No installation issues.

Launched it from the menu once again, and tried the Help button. That opened up a web page with a user manual and tutorials that looks nice and probably well-written. Choosing to ignore it, I opened the original example, played with rotating the view angle, and exported it to a png image. An attempt to export to pdf failed because it was a 3D image. Tried another example, with the same results.

I could probably take this further if I chose to follow the tutorials and read the manual, but I don't believe that's necessary to send this one on.

Validating. Advisory in Comment 3.

Keywords: (none) => validated_update

Aurelien Oudelet
2021-03-25 14:55:12 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0157.html

Resolution: (none) => FIXED
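The advisory in Comment 3 names the bug class (a stack-based buffer overflow in import_stl() reached through a crafted STL file) but this bug page shows neither the affected code path nor the upstream patch. The following is an added, constructed illustration of that bug class for readers of this ticket; it is not OpenSCAD's import_stl.cc and not the fix shipped in this update, and makes no claim about how the real overflow is reached. It contrasts the classic unsafe shape, an ASCII STL `vertex` line read with an unbounded `%s` into a fixed stack buffer, with a bounded parser that compares the keyword in place and rejects over-long or malformed lines. The function names, the KEYWORD_MAX size and the sample lines are assumptions made for the example.

```c
/* Constructed example for the bug class in CVE-2020-28599's advisory text.
 * NOT OpenSCAD's code and NOT the upstream patch: an ASCII STL "vertex" line
 * parsed (a) with an unbounded %s into a fixed stack buffer and (b) with a
 * bounded parser that never copies an unchecked token onto the stack. */
#include <errno.h>
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEYWORD_MAX 16   /* assumed size; enough for "vertex", "normal", ... */

/* (a) Unsafe shape: "%s" has no width limit, so a keyword longer than
 * KEYWORD_MAX-1 bytes writes past `kw` on the stack. Kept here only to show
 * the defect; it must never be fed untrusted input. Returns 0 on a vertex
 * line, -1 otherwise. */
int stl_vertex_unsafe(const char *line, float v[3])
{
    char kw[KEYWORD_MAX];
    if (sscanf(line, "%s %f %f %f", kw, &v[0], &v[1], &v[2]) != 4)
        return -1;
    return strcmp(kw, "vertex") == 0 ? 0 : -1;
}

/* (b) Bounded parser: the keyword is compared in place (no copy, so no
 * fixed buffer to overflow), the three coordinates are read with strtof and
 * must be finite, and nothing but whitespace may trail the last one.
 * Returns 0 on success, -1 on any over-long or malformed line. */
int stl_vertex_safe(const char *line, float v[3])
{
    const char *p = line;
    while (*p == ' ' || *p == '\t')
        p++;

    size_t n = strcspn(p, " \t\r\n");          /* keyword length, unbounded input ok */
    if (n != strlen("vertex") || strncmp(p, "vertex", n) != 0)
        return -1;
    p += n;

    for (int i = 0; i < 3; i++) {
        char *end;
        errno = 0;
        float f = strtof(p, &end);              /* skips leading whitespace itself */
        if (end == p || errno == ERANGE || !isfinite(f))
            return -1;
        v[i] = f;
        p = end;
    }
    while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n')
        p++;
    return *p == '\0' ? 0 : -1;
}

/* Constructed sample input: one well-formed vertex line from an ASCII STL. */
static const char benign_line[] = "  vertex 1.5 -2.25 3e2\n";

int benign_line_parses(void)
{
    float v[3];
    return stl_vertex_safe(benign_line, v) == 0
        && v[0] == 1.5f && v[1] == -2.25f && v[2] == 300.0f;
}

int unsafe_parses_benign(void)
{
    float v[3];
    return stl_vertex_unsafe(benign_line, v) == 0;
}

int safe_rejects(const char *line)
{
    float v[3];
    return stl_vertex_safe(line, v) == -1;
}

/* Constructed crafted line: a 512-byte "keyword", far larger than any fixed
 * stack buffer. The bounded parser rejects it; the unsafe one is deliberately
 * not called on it. */
int crafted_line_rejected(void)
{
    char line[600];
    memset(line, 'A', 512);
    strcpy(line + 512, " 1 2 3\n");
    return safe_rejects(line);
}

int main(void)
{
    printf("benign line: safe parser ok=%d, unsafe parser ok=%d\n",
           benign_line_parses(), unsafe_parses_benign());
    printf("512-byte keyword rejected by bounded parser: %d\n",
           crafted_line_rejected());
    return 0;
}
```

The point for a packager or QA tester is the shape of the check, not the STL details: a parser for an attacker-supplied file must bound every token before it touches a fixed-size buffer, and the bounded version above costs nothing in the benign case.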