Fedora has issued an advisory today (March 5): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KRHYUWXQ7QQIC6TXDYYLYFFF7B7L3EBD/ Mageia 7 and Mageia 8 are also affected.
Status comment: (none) => Patch available from FedoraWhiteboard: (none) => MGA8TOO, MGA7TOO
Hi, thanks for reporting this. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => rverscheldeCC: (none) => ouaurelienKeywords: (none) => PATCHCVE: (none) => CVE-2020-28599
CC: (none) => fri
Status comment: Patch available from Fedora => Patch available upstreamCC: (none) => mageia
fixed in cauldron: Fixed in mga7/8: src: - Mageia 7: - openscad-2019.05-1.1.mga7 - Mageia 8: - openscad-2021.01-1.mga8
Version: Cauldron => 8Whiteboard: MGA8TOO, MGA7TOO => MGA7TOOAssignee: rverschelde => qa-bugsStatus comment: Patch available upstream => (none)
Advisory: ======================== Updated openscad package fixes security vulnerability: A stack-based buffer overflow vulnerability exists in the import_stl.cc:import_stl() functionality of Openscad openscad-2020.12-RC2. A specially crafted STL file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability (CVE-2020-28599). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28599 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KRHYUWXQ7QQIC6TXDYYLYFFF7B7L3EBD/
Keywords: PATCH => (none)
mga7, x64 Tried this without a package list, installing openscad from Core Release first. (medium "Core Release (Official7.1-1)") lib64cgal13 4.14 1.mga7 x86_64 lib64opencsg1 1.4.2 4.mga7 x86_64 lib64polyclipping22 6.4.2 2.mga7 x86_64 (medium "Core Updates (Official7.1-3)") lib64qt5gamepad5 5.12.6 1.mga7 x86_64 openscad 2019.05 1.mga7 x86_64 qtgamepad5 5.12.6 1.mga7 x86_64 Found openscad in the Graphics menu and launched the gui. Looked around in /usr/share/openscad/examples for files to load. Picked a scad file at random and a scene appeared in the drawing area. Updating openscad from testing installed only openscad. $ rpm -q openscad openscad-2019.05-1.1.mga7 Launched the gui again and played with the various options. Loaded previous example, which the application had remembered. Pressed F6 to render the CAD drawing as a 3D object and tried printing from the design menu. Nogo because it needs a 3D printer for that and presented a selection of two 3D print services. Loaded another design from /usr/share then tried the internal examples like LetterBlock. There is a valid link to the homepage in Help. Cannot take this any further than this but at the introductory level it appears to function.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OKCC: (none) => tarazed25
MGA8, x64 Plasma. Installed openscad and dependencies: The following 12 packages are going to be installed: - lib643mf1-1.8.1-2.mga8.x86_64 - lib64boost_program_options1.75.0-1.75.0-1.mga8.x86_64 - lib64boost_regex1.75.0-1.75.0-1.mga8.x86_64 - lib64cgal13-4.14.3-5.mga8.x86_64 - lib64glew2.2-2.2.0-2.mga8.x86_64 - lib64opencsg1-1.4.2-6.mga8.x86_64 - lib64polyclipping22-6.4.2-3.mga8.x86_64 - lib64qscintilla2_qt5_15-2.11.6-1.mga8.x86_64 - lib64qt5gamepad5-5.15.2-1.mga8.x86_64 - openscad-2019.05-10.mga8.x86_64 - qscintilla2-qt5-common-2.11.6-1.mga8.x86_64 - qtgamepad5-5.15.2-1.mga8.x86_64 No installation issues. Followed Len's lead for testing, loaded an example, was able to export it to a png image. http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/28537/application/0 shows only Mageia 7 rpms for this bug, with openscad being the only one. Extrapolating from that, I used "openscad*" in qarepo to download the update. No installation issues. Launched it from the menu once again, and tried the help button. That opened up a web page with a user manual and tutorials that looks nice and probably well-written. Choosing to ignore it, I opened the original example, played with rotating the view angle, exported it to a png image. An attempt to export to pdf failed because it was a 3d image. Tried another example, with the same results. I could probably take this further if I chose to follow the tutorials and read the manual, but I don't believe that's necessary to send this one on. Validating. Advisory in Comment 3.
Keywords: (none) => validated_updateWhiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OKCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0157.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED