Bug 30294

Summary: openscad new security issues CVE-2022-0496 and CVE-2022-0497
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, fri, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: openscad-2021.01-1.2.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-04-15 20:39:55 CEST 
Fedora has issued an advisory on April 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BQEY4FM5EEVUSDD4ZW7732TQHEELJJMM/

Mageia 8 is also affected.
David Walser 2022-04-15 20:40:11 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from Fedora

Comment 1 Lewis Smith 2022-04-15 21:29:28 CEST 
Various packagers have dealt with this SRPM, so assigning the update globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-04-19 10:19:03 CEST 
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Out-of-bounds memory access in DXF loader. (CVE-2022-0496)

Out-of-bounds memory access in comment parser. (CVE-2022-0497)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0496
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0497
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BQEY4FM5EEVUSDD4ZW7732TQHEELJJMM/
========================

Updated packages in core/updates_testing:
========================
openscad-2021.01-1.3.mga8

from SRPM:
openscad-2021.01-1.3.mga8.src.rpm

CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Assignee: pkg-bugs => qa-bugs
Source RPM: openscad-2021.01-7.mga9.src.rpm => openscad-2021.01-1.2.mga8.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 8
Status comment: Patches available from Fedora => (none)

Comment 3 Morgan Leijström 2022-04-19 11:37:02 CEST 
mga8-64 OK Quick test :

1) launching openscad from konsole, 
2) open animation.scad
3) checkmark "Animate" in menu "View"
4) in field "FPS" enter "10", in "Steps" enter "100"
5) watch the animation, play with parameters in right pane

6) opened CSG.scad, rendered, and then exported STL.
7) Menu Window > Editor, edited some, Preview -> OK

Whiteboard: (none) => MGA8-64-OK
CC: (none) => fri, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-04-20 03:28:32 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-04-22 19:08:28 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0148.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED