Bug 29720

Summary: libdxfrw new security issues CVE-2021-21898, CVE-2021-21899, CVE-2021-21900, CVE-2021-45343
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: libdxfrw-1.0.1-1.mga8.src.rpm CVE: CVE-2021-21898, CVE-2021-21899, CVE-2021-21900, CVE-2021-45343
Status comment:
Bug Depends on:    
Bug Blocks: 29996    

Description David Walser 2021-12-01 23:57:59 CET 
Fedora has issued an advisory today (December 1):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RDI3HCTCACMIC7I4ILB3NRU6DCMADI5H/

The issues were fixed recently in upstream git.

Mageia 8 is also affected.

Fedora also rebuilt librecad against the updated library, but since we already switched to the 1.0.1 fork, we probably don't need to.
David Walser 2021-12-01 23:58:20 CET

Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2021-12-03 22:05:40 CET 
Debian-LTS has issued an advisory for this today (December 3):
https://www.debian.org/lts/security/2021/dla-2838
Comment 2 Lewis Smith 2021-12-05 19:25:09 CET 
This SRPM is officially down to Jani, who has done recent work on it; so assigning to you.

Assignee: bugsquad => jani.valimaa

Comment 3 David Walser 2022-02-13 18:54:21 CET 
Fedora has issued an advisory on February 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VUMH3CWGVSMR2UIZEA35Q5UB7PDVVVYS/

They added one more security fix from upstream.

Mageia 8 is also affected.

There are also some needed security fixes in librecad (Bug 29996).

Summary: libdxfrw new security issues CVE-2021-21898, CVE-2021-21899, and CVE-2021-21900 => libdxfrw new security issues CVE-2021-21898, CVE-2021-21899, CVE-2021-21900, CVE-2021-45343
Blocks: (none) => 29996

Comment 4 David Walser 2022-03-03 22:20:03 CET 
openSUSE has issued an advisory for the first three CVEs today (March 3):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6TWLTKRSHNPCLQL7UXQSITHNYJT5XSK5/
Comment 5 Nicolas Salguero 2022-04-21 11:50:33 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A code execution vulnerability exists in the dwgCompressor::decompress18() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .dwg file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. (CVE-2021-21898)

A code execution vulnerability exists in the dwgCompressor::copyCompBytes21 functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .dwg file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. (CVE-2021-21899)

A code execution vulnerability exists in the dxfRW::processLType() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .dxf file can lead to a use-after-free vulnerability. An attacker can provide a malicious file to trigger this vulnerability. (CVE-2021-21900)

In LibreCAD 2.2.0, a NULL pointer dereference in the HATCH handling of libdxfrw allows an attacker to crash the application using a crafted DXF document. (CVE-2021-45343)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21898
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21899
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45343
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RDI3HCTCACMIC7I4ILB3NRU6DCMADI5H/
https://www.debian.org/lts/security/2021/dla-2838
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VUMH3CWGVSMR2UIZEA35Q5UB7PDVVVYS/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6TWLTKRSHNPCLQL7UXQSITHNYJT5XSK5/
========================

Updated packages in core/updates_testing:
========================
dwg2dxf-1.0.1-1.1.mga8
lib(64)dxfrw1-1.0.1-1.1.mga8
lib(64)dxfrw-devel-1.0.1-1.1.mga8

from SRPM:
libdxfrw-1.0.1-1.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Version: Cauldron => 8
Status: NEW => ASSIGNED
Assignee: jani.valimaa => qa-bugs
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2021-21898, CVE-2021-21899, CVE-2021-21900, CVE-2021-45343

Comment 6 Thomas Andrews 2022-04-21 20:29:14 CEST 
I have installed this and the update for libreCAD (Bug 29996), with no installation issues. 

I have next to no experience with libreCAD, but as far as basic function of some of the various tools is concerned, it appears to be OK. It would be better if someone with more experience could give them a look.

CC: (none) => andrewsfarm

Comment 7 Dave Hodgins 2022-04-24 03:32:26 CEST 
Oking and validating as per bug 29996#c26

Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-04-24 03:41:27 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2022-04-24 12:44:43 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0151.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED