Fedora has issued an advisory on March 22: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WDGGB65YBQL662M3MOBNNJJNRNURW4TG/ The issue is fixed upstream in 2.0.1. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2.0.1Whiteboard: (none) => MGA8TOO
New version pushed in cauldron.
Status comment: Fixed upstream in 2.0.1 => (none)CC: (none) => mageiaVersion: Cauldron => 8
adding back cauldron as long as it does not build.
Version: 8 => Cauldron
Status comment: (none) => Fixed upstream in 2.0.1
lib3mf-2.1.1-2.mga9 uploaded for Cauldron by Jani. For Mageia 8, there's: lib3mf2-2.1.1-1.mga8 lib3mf-devel-2.1.1-1.mga8 from lib3mf-2.1.1-1.mga8.src.rpm
Status comment: Fixed upstream in 2.0.1 => (none)Version: Cauldron => 8CC: (none) => jani.valimaaAssignee: geiger.david68210 => qa-bugsWhiteboard: MGA8TOO => (none)
we need to have openscad rebuilded now.
Advisory: ======================== Updated lib3mf packages fix a security vulnerability: A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 2.0.0. A specially crafted 3MF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability (CVE-2021-21772). References: - https://bugs.mageia.org/show_bug.cgi?id=29018 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21772 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WDGGB65YBQL662M3MOBNNJJNRNURW4TG/ ======================== Updated packages in core/updates_testing: ======================== lib(64)3mf2-2.1.1-1.mga8 lib(64)3mf-devel-2.1.1-1.mga8 from lib3mf-2.1.1-1.mga8.src.rpm
CC: (none) => ouaurelien
Assignee: qa-bugs => mageiaStatus comment: (none) => openscad needs to be rebuilt against the updated library
A new pkg, act, was also imported to mga8 to be able to build lib3mf.
(In reply to Jani Välimaa from comment #6) > A new pkg, act, was also imported to mga8 to be able to build lib3mf. SRPM/RPM: act-1.6.0-4.mga8
(In reply to Nicolas Lécureuil from comment #4) > we need to have openscad rebuilded now. Pushed a rebuild. SRPMS/RPMS: openscad-2021.01-1.2.mga8
Status comment: openscad needs to be rebuilt against the updated library => (none)Assignee: mageia => qa-bugs
Addendum to Comment 5: A new package 'act' is introduced to build newer version of lib3mf. Also, openscad is rebuilt against this updated library. Updated packages in core/updates_testing: ======================== act-1.6.0-4.mga8 lib(64)3mf2-2.1.1-1.mga8 lib(64)3mf-devel-2.1.1-1.mga8 openscad-2021.01-1.2.mga8 from SRPMs: lib3mf-2.1.1-1.mga8.src.rpm act-1.6.0-4.mga8.src.rpm openscad-2021.01-1.2.mga8.src.rpm
mga8, x64 Installed the pre-testing packages. Note lib643mf1. Found no PoC for the CVE. openscad and freecad are the main users of the library. openscad is script based, freecad more of a framework with a server, gui and cli. openscad tutorial: https://en.wikibooks.org/wiki/OpenSCAD_Tutorial $ FreeCAD starts the freecad gui, which was unresponsive here. $ FreeCADCmd starts the python interpreter. Updated the packages and installed act. FreeCAD was again unresponsive after displaying the logo, just an empty frame. At a guess it needs a configuration file so that is a no-go. FreeCADCmd launches the interactive python session OK. None of this tests the library so it is tutorial time. OpenSCAD launches from the Graphics menu with links to the examples in /usr/share/openscad which display a 3D solid when requested. Closed it and ran it under strace. $ strace -o scad.trace openscad Opened an example, which provided another window with a code column, design area and a customizer and parameters section. Selected new file, which cleared the board. Selected new file. Typed "code(10)" in the editor, pressed preview button in the design area and the render button to use the mouse to rotate the 3D view. Saved the file newcube.scad to the user's home directory and exited. That caused a segfault - did not go very far into the tutorial. $ grep 3mf scad.trace | grep -v qa openat(AT_FDCWD, "/lib64/lib3mf.so.2", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/usr/lib64/lib3mf.so.2.1.1.0", O_RDONLY) = 25 openat(AT_FDCWD, "/usr/lib64/lib3mf.so.2.1.1.0", O_RDONLY) = 32 That is encouraging. Passing this for 64-bits.
CC: (none) => tarazed25Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 5, with an addition in Comment 9.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisoryCVE: (none) => CVE-2021-21772
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0368.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED