Debian has issued an advisory on May 4: https://www.debian.org/lts/security/2021/dla-2649 Mageia 7 and 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Source RPM: (none) => cgal-4.14.3-5.mga8.src.rpm
Hi, thanks for reporting this. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
CC: (none) => ouaurelien
CVE: (none) => CVE-2020-28601, CVE-2020-28636, CVE-2020-35628 and CVE-2020-35636
Assignee: bugsquad => rverschelde
(In reply to Nicolas Salguero from comment #0)
> Debian has issued an advisory on May 4:
> https://www.debian.org/lts/security/2021/dla-2649
>
> Mageia 7 and 8 are also affected.

Debian-LTS you meant.
Severity: normal => critical
Fedora has issued an advisory for this on March 23: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/E4J344OKKDLPRN422OYRR46HDEN6MM6P/ The issues are fixed upstream in 5.2.1.
Status comment: (none) => Fixed upstream in 5.2.1
Fixed in Cauldron with cgal-5.2.1-1.mga9. Pushing the same as update to Mageia 8, which implies rebuilding the two packages which use it, openscad and openfoam, since it's now a header-only library (with the previous versions, openscad and openfoam didn't appear to have dependencies on the shared libraries either though, so I'm not sure if the deps are actually unused or only the headers were used). For Mageia 7 this will likely be a wontfix, EOL is imminent and I'm not particularly interested in trying to ensure that outdated openscad and openfoam versions can rebuild nicely against cutting-edge CGAL.
CC: (none) => rverschelde
Status: NEW => ASSIGNED
Assignee: rverschelde => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Advisory:
=========

Updated cgal packages fix security vulnerabilities

The CGAL library is updated to version 5.2.1, fixing various security vulnerabilities along the way. The openscad and openfoam packages which use the CGAL library are also rebuilt against this new version.

References:
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/E4J344OKKDLPRN422OYRR46HDEN6MM6P/

SRPMs in core/updates_testing:
==============================
cgal-5.2.1-1.mga8
openfoam-7-18.1.mga8
openscad-2021.01-3.1.mga8

RPMs in core/updates_testing:
=============================
lib64cgal-devel-5.2.1-1.mga8
lib64cgal-qt-devel-5.2.1-1.mga8
openfoam-7-18.1.mga8
openfoam-tutorials-7-18.1.mga8
openscad-2021.01-3.1.mga8
(In reply to Rémi Verschelde from comment #4)
>
> For Mageia 7 this will likely be a wontfix, EOL is imminent and I'm not
> particularly interested in trying to ensure that outdated openscad and
> openfoam versions can rebuild nicely against cutting-edge CGAL.

If this is a "wontfix" for Mageia 7, shouldn't "MGA7TOO" also be removed from the Whiteboard?
CC: (none) => andrewsfarm
(In reply to Thomas Andrews from comment #6)
>
> If this is a "wontfix" for Mageia 7, shouldn't "MGA7TOO" also be removed
> from the Whiteboard?

Yes, but I'm not sure David agrees with my decision, so I'm not sure what should be done. Possibly duplicate this bug to target Mageia 7 only, and see if anyone wants to package that fix for Mageia 7 too there.
Debian has a similar version to ours in Mageia 7, so it may be easy enough to use their patch. Otherwise, this package isn't impactful enough to make a big deal about.
Qarepo found the lib64cgal packages, but could not find the openfoam and openscad packages listed in Comment 5. Using wildcards for the search this is what it DID find:

openfoam-7-17.1.mga8.x86_64.rpm
openfoam-tutorials-7-17.1.mga8.x86_64.rpm
openscad-2021.01-1.1.mga8.x86_64.rpm

I updated to those packages with no installation issues.

The cgal and openfoam packages are developer stuff, very much over my head. I did run openscad and displayed some of the examples, with no issues noted. That seems OK.

I don't know where to go from here. If the packages I tested are the right ones, then I can OK it based on what I've done, but if they aren't the right ones, well...
Yes Thomas, those are correct. Comment 5 typoed all of the release tags.
Status comment: Fixed upstream in 5.2.1 => (none)
Advisory (Mageia 7):
========================

Updated cgal packages fix security vulnerabilities:

An oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_vertex() Face_of[] OOB read. An attacker can provide malicious input to trigger this vulnerability (CVE-2020-28601).

An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->twin() An attacker can provide malicious input to trigger this vulnerability (CVE-2020-28636).

An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->incident_sface. An attacker can provide malicious input to trigger this vulnerability (CVE-2020-35628).

An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->volume(). An attacker can provide malicious input to trigger this vulnerability (CVE-2020-35636).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35636
https://www.debian.org/lts/security/2021/dla-2649

Advisory (Mageia 8):
========================

Updated cgal packages fix security vulnerabilities:

An oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_vertex() Face_of[] OOB read. An attacker can provide malicious input to trigger this vulnerability (CVE-2020-28601).

An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->twin() An attacker can provide malicious input to trigger this vulnerability (CVE-2020-28636).

An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->incident_sface. An attacker can provide malicious input to trigger this vulnerability (CVE-2020-35628).

An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->volume(). An attacker can provide malicious input to trigger this vulnerability (CVE-2020-35636).

The cgal package has been updated to version 5.2.1, fixing the issues and other bugs. The openfoam and openscad packages have been rebuilt against the updated cgal library.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35636
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/E4J344OKKDLPRN422OYRR46HDEN6MM6P/
SRPMS:
cgal-4.14-1.1.mga7.src.rpm
cgal-5.2.1-1.mga8.src.rpm
openfoam-7-17.1.mga8.src.rpm
openscad-2021.01-1.1.mga8.src.rpm

RPMS:
libcgal13-4.14-1.1.mga7
libcgal-devel-4.14-1.1.mga7
libcgal-core13-4.14-1.1.mga7
libcgal-imageio14-4.14-1.1.mga7
cgal-demos-source-4.14-1.1.mga7
libcgal-devel-5.2.1-1.mga8
libcgal-qt-devel-5.2.1-1.mga8
openfoam-7-17.1.mga8
openfoam-tutorials-7-17.1.mga8
openscad-2021.01-1.1.mga8
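The four CVEs in the advisory above share one shape: an index read from an untrusted Nef input file is used to address a table (Face_of[], a sloop's twin, an sface's volume) without first being checked against the table's size. The block below is an added illustration of that bug class and is not CGAL's code; it does not reproduce the layout of Nef_2/PM_io_parser.h or Nef_S2/SNC_io_parser.h. The names Face_of and read_vertex are borrowed from the advisory text as labels only, and the record format "v <vertex_idx> <face_idx>", the Face struct and the sample inputs are all invented for the example. It shows the unchecked lookup beside a checked one and a parser that rejects negative and malformed indices before they can be cast to an array index.

```cpp
#include <cstddef>
#include <iostream>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Minimal stand-in for a face table entry. Not CGAL's Face type.
struct Face { int id; };

// One record of the constructed "v <vertex_idx> <face_idx>" format.
struct VertexRecord { std::size_t vertex; std::size_t face; };

// Vulnerable shape (illustration of the bug class, not CGAL's code):
// the file-supplied index goes straight into Face_of[]. A hostile file
// with face_idx >= Face_of.size() reads past the end of the table.
const Face& lookup_face_unchecked(const std::vector<Face>& Face_of, std::size_t face_idx) {
    return Face_of[face_idx];  // no bounds check: the OOB read
}

// Hardened shape: validate the index against the table before touching
// memory, and report failure instead of reading out of bounds.
const Face* lookup_face_checked(const std::vector<Face>& Face_of, std::size_t face_idx) {
    if (face_idx >= Face_of.size()) return nullptr;
    return &Face_of[face_idx];
}

// Parse one record. Rejects malformed lines, negative numbers (which would
// become huge indices after a cast to size_t) and trailing junk.
std::optional<VertexRecord> parse_vertex_line(const std::string& line) {
    std::istringstream ls(line);
    std::string tag;
    long long v = 0, f = 0;
    if (!(ls >> tag >> v >> f) || tag != "v" || v < 0 || f < 0) return std::nullopt;
    std::string rest;
    if (ls >> rest) return std::nullopt;
    return VertexRecord{static_cast<std::size_t>(v), static_cast<std::size_t>(f)};
}

struct ParseResult {
    bool ok;                    // whole input accepted
    std::size_t bad_line;       // 1-based line that was rejected, 0 if ok
    std::vector<int> face_ids;  // face ids resolved before stopping
};

// Parse every record, resolving each face index through the checked lookup.
// Stops at the first malformed record or out-of-range index.
ParseResult parse_vertices(const std::string& text, const std::vector<Face>& Face_of) {
    ParseResult result{true, 0, {}};
    std::istringstream in(text);
    std::string line;
    std::size_t lineno = 0;
    while (std::getline(in, line)) {
        ++lineno;
        if (line.empty()) continue;
        std::optional<VertexRecord> rec = parse_vertex_line(line);
        const Face* face = rec ? lookup_face_checked(Face_of, rec->face) : nullptr;
        if (!face) {
            result.ok = false;
            result.bad_line = lineno;
            return result;
        }
        result.face_ids.push_back(face->id);
    }
    return result;
}

// Constructed sample data, not taken from any real .nef file.
std::vector<Face> sample_faces() { return {{10}, {11}, {12}}; }  // valid indices 0..2
const char* const kGoodInput    = "v 0 1\nv 1 2\nv 2 0\n";
const char* const kHostileInput = "v 0 1\nv 1 7\n";  // face 7 does not exist

int main() {
    ParseResult good = parse_vertices(kGoodInput, sample_faces());
    std::cout << "good input: ok=" << good.ok << " resolved=" << good.face_ids.size() << '\n';
    ParseResult bad = parse_vertices(kHostileInput, sample_faces());
    std::cout << "hostile input: ok=" << bad.ok << " rejected at line " << bad.bad_line << '\n';
    // lookup_face_unchecked(sample_faces(), 7) would be the CVE-class read; deliberately not executed.
    return bad.ok ? 1 : 0;
}
```

Two points the checked form relies on: the sign test happens on the signed value before the cast (a "-1" in the file would otherwise become SIZE_MAX and sail past a check written as `idx < size` only if the cast happened first), and the lookup returns a null pointer rather than a reference so the caller cannot forget to handle the failure. Because CGAL 5.x is header-only, as comment 4 notes, a consumer such as openscad or openfoam only picks up a fix of this kind once it is rebuilt against the new headers, which is why the advisory rebuilds both.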
64-bit MGA7 Plasma, in VirtualBox. Installed all pre-update cgal packages and dependencies (many of them development-related), and openscad. Ran openscad, tried a few things, all of which worked. Used qarepo to get the updates. No installation issues. Ran openscad again, and everything I tried still works. Looks OK for mga7. It seems odd that the only cgal updates for Mga8 are development libraries, but whatever. Giving this an OK for both. Validating. Advisories in Comment 11.
CC: (none) => sysadmin-bugs
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0238.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0239.html
The Mageia 8 update actually fixed CVE-2020-2860[1-9], CVE-2020-2861[0-9], CVE-2020-2862[0-9], CVE-2020-2863[0-6], CVE-2020-3562[89], CVE-2020-3563[0-6]: https://www.debian.org/lts/security/2022/dla-3226 If anyone is watching this, this package could really use an update in Cauldron.