Bug 29622 - curaengine new security issues CVE-2021-28021, CVE-2021-42715, and CVE-2021-42716
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-11-02 23:16 CET by David Walser
Modified: 2021-12-10 23:20 CET

See Also:
Source RPM: curaengine-4.8.0-1.mga8.src.rpm
CVE: CVE-2021-28021, CVE-2021-42715, and CVE-2021-42716
Status comment:



Description David Walser 2021-11-02 23:16:15 CET
Fedora has issued an advisory today (November 2):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3TDGZFLBOP27LZKLH45WQLSNPSPP7S7Z/

Mageia 8 is also affected.
David Walser 2021-11-02 23:16:41 CET

Whiteboard: (none) => MGA8TOO
CC: (none) => geiger.david68210

Comment 1 Lewis Smith 2021-11-04 20:50:01 CET
Hope it is OK to assign this to you, DavidG. You did several 'recent' updates to it.

CC: geiger.david68210 => (none)
Assignee: bugsquad => geiger.david68210

Comment 2 Nicolas Salguero 2021-11-16 12:09:09 CET
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Buffer overflow vulnerability in function stbi__extend_receive in stb_image.h in stb 2.26 via a crafted JPEG file. (CVE-2021-28021)

An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR loader parsed truncated end-of-file RLE scanlines as an infinite sequence of zero-length runs. An attacker could potentially have caused denial of service in applications using stb_image by submitting crafted HDR files. (CVE-2021-42715)

An issue was discovered in stb stb_image.h 2.27. The PNM loader incorrectly interpreted 16-bit PGM files as 8-bit when converting to RGBA, leading to a buffer overflow when later reinterpreting the result as a 16-bit buffer. An attacker could potentially have crashed a service using stb_image, or read up to 1024 bytes of non-consecutive heap data without control over the read location. (CVE-2021-42716)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42715
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42716
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3TDGZFLBOP27LZKLH45WQLSNPSPP7S7Z/
========================

Updated package in core/updates_testing:
========================
curaengine-4.8.0-1.1.mga8

from SRPM:
curaengine-4.8.0-1.1.mga8.src.rpm

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Assignee: geiger.david68210 => qa-bugs
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-28021, CVE-2021-42715, and CVE-2021-42716
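
The CVE-2021-42715 description in the advisory above (a truncated file decoded as an endless sequence of zero-length runs) can be illustrated with a simplified RLE channel decoder that refuses to continue when it makes no progress. This is an added example, not code from stb_image, CuraEngine or the Mageia package; the reader type, function names, return codes and sample bytes are constructed, and the reader returning 0 past end of input is an assumption of the sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed in-memory reader. Assumption of this sketch: a read past
   the end of input yields 0 rather than an error. */
typedef struct { const uint8_t *p, *end; } reader;
static int rd_eof(const reader *r) { return r->p >= r->end; }
static uint8_t rd_u8(reader *r) { return rd_eof(r) ? 0 : *r->p++; }

enum { RLE_OK = 0, RLE_TRUNCATED = -1, RLE_BAD_RUN = -2 };

/* Decode one RLE-coded channel of `width` bytes. A count byte above 128
   repeats the next byte (count - 128) times; otherwise `count` literal
   bytes follow. */
static int rle_decode_channel(reader *r, uint8_t *out, int width) {
    int i = 0;
    while (i < width) {
        if (rd_eof(r)) return RLE_TRUNCATED;  /* else EOF reads as count 0 */
        int count = rd_u8(r);
        if (count > 128) {
            count -= 128;
            if (count > width - i) return RLE_BAD_RUN;
            if (rd_eof(r)) return RLE_TRUNCATED;
            uint8_t v = rd_u8(r);
            while (count--) out[i++] = v;
        } else {
            /* A zero-length run makes no progress: reject it. */
            if (count == 0 || count > width - i) return RLE_BAD_RUN;
            if ((size_t)(r->end - r->p) < (size_t)count) return RLE_TRUNCATED;
            while (count--) out[i++] = rd_u8(r);
        }
    }
    return RLE_OK;
}

/* Constructed samples for a 5-byte channel (not taken from a real file). */
static const uint8_t GOOD[] = { 0x83, 0x07, 0x02, 0x01, 0x02 };
static const uint8_t CUT[]  = { 0x83, 0x07 };        /* input ends early */
static const uint8_t ZERO[] = { 0x83, 0x07, 0x00 };  /* zero-length run  */
static uint8_t OUT[5];

static int decode_bytes(const uint8_t *buf, size_t n) {
    reader r = { buf, buf + n };
    return rle_decode_channel(&r, OUT, 5);
}

int main(void) {
    printf("good=%d ", decode_bytes(GOOD, sizeof GOOD));
    printf("cut=%d ", decode_bytes(CUT, sizeof CUT));
    printf("zero=%d\n", decode_bytes(ZERO, sizeof ZERO));
    return 0;
}
```

Without the end-of-input and zero-count checks, the `CUT` sample would leave `i` stuck at 3 while the loop keeps reading a count of 0.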

Comment 3 Herman Viaene 2021-11-20 11:06:26 CET
MGA8-64 Plasma on Lenovo B50
No installation issues.
The info in MCC reads: "curaengine - Engine for processing 3D models into G-code instructions for 3D printers"
Since there is no previous update, and no wiki, and this 3D is untrodden territory for me, all I can say is it apparently does not disturb anything else.
Leaving for others who might have more knowledge and experience on the subject.

CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2021-12-10 16:47:46 CET
I know even less about this sort of thing than you, Herman, so I tried installing it in a VirtualBox guest. I didn't have any installation issues, either.

There is a READ.ME in /usr/share/doc/curaengine, but it was of little help. It did suggest the command "CuraEngine help" would give me a list of commands. It did, but beyond that I got nowhere with them. Probably because of my lack of knowledge on the subject.

But, I did run the one command and it didn't crash. The others didn't make it crash, either; they just said the command wasn't recognized and gave me the help screen once more. So, as far as I can tell, it's working as designed. I'm sending it on.

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2021-12-10 21:40:49 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2021-12-10 23:20:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0549.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

