Fedora has issued an advisory today (November 2):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3TDGZFLBOP27LZKLH45WQLSNPSPP7S7Z/

Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
CC: (none) => geiger.david68210
Hope it is OK to assign this to you, DavidG. You did several 'recent' updates to it.
CC: geiger.david68210 => (none)
Assignee: bugsquad => geiger.david68210
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Buffer overflow vulnerability in function stbi__extend_receive in stb_image.h in stb 2.26 via a crafted JPEG file. (CVE-2021-28021)

An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR loader parsed truncated end-of-file RLE scanlines as an infinite sequence of zero-length runs. An attacker could potentially have caused denial of service in applications using stb_image by submitting crafted HDR files. (CVE-2021-42715)

An issue was discovered in stb stb_image.h 2.27. The PNM loader incorrectly interpreted 16-bit PGM files as 8-bit when converting to RGBA, leading to a buffer overflow when later reinterpreting the result as a 16-bit buffer. An attacker could potentially have crashed a service using stb_image, or read up to 1024 bytes of non-consecutive heap data without control over the read location. (CVE-2021-42716)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42715
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42716
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3TDGZFLBOP27LZKLH45WQLSNPSPP7S7Z/
========================

Updated package in core/updates_testing:
========================
curaengine-4.8.0-1.1.mga8

from SRPM:
curaengine-4.8.0-1.1.mga8.src.rpm
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Assignee: geiger.david68210 => qa-bugs
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-28021, CVE-2021-42715, and CVE-2021-42716
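Added example, not part of the original thread and not stb_image's code: a simplified run-length scanline decoder in C showing the checks that stop the failure mode described for CVE-2021-42715, where a reader that returns zeros at end of input makes a truncated file look like endless zero-length runs. The encoding rule, all names and the sample bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { RLE_OK = 0, RLE_TRUNCATED = -1, RLE_CORRUPT = -2 };
/* In-memory reader (hypothetical). get8() returns 0 once input is exhausted. */
typedef struct { const uint8_t *p, *end; } reader;
static int at_eof(const reader *r) { return r->p >= r->end; }
static uint8_t get8(reader *r) { return at_eof(r) ? 0 : *r->p++; }

/* Decode one channel of `width` bytes. Assumed rule: a count byte > 128 is a run
 * of (count - 128) copies of the next byte; otherwise `count` literals follow. */
int decode_rle_channel(reader *r, uint8_t *out, size_t width) {
    size_t i = 0;
    while (i < width) {
        size_t left = width - i, count;
        if (at_eof(r)) return RLE_TRUNCATED;      /* else get8() yields 0 forever */
        count = get8(r);
        if (count > 128) {
            count -= 128;
            if (count > left) return RLE_CORRUPT; /* run would overflow the scanline */
            if (at_eof(r)) return RLE_TRUNCATED;
            memset(out + i, get8(r), count);
        } else {
            /* A zero count makes no progress; a large one overflows `out`. */
            if (count == 0 || count > left) return RLE_CORRUPT;
            if ((size_t)(r->end - r->p) < count) return RLE_TRUNCATED;
            memcpy(out + i, r->p, count);
            r->p += count;
        }
        i += count;
    }
    return RLE_OK;
}

/* Constructed sample inputs for a 5-byte channel (not real HDR data). */
static const uint8_t sample_good[]      = { 0x83, 0x7f, 0x02, 0x01, 0x02 };
static const uint8_t sample_truncated[] = { 0x83, 0x7f };        /* input ends early */
static const uint8_t sample_zero_run[]  = { 0x83, 0x7f, 0x00 };  /* zero-length run */
static uint8_t sample_out[5];

int decode_sample(const uint8_t *data, size_t len) {
    reader r = { data, data + len };
    return decode_rle_channel(&r, sample_out, sizeof sample_out);
}

int main(void) {
    printf("good=%d\n", decode_sample(sample_good, sizeof sample_good));
    return decode_sample(sample_truncated, sizeof sample_truncated) == RLE_TRUNCATED ? 0 : 1;
}
```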
MGA8-64 Plasma on Lenovo B50
No installation issues.
The info in MCC reads: "curaengine - Engine for processing 3D models into G-code instructions for 3D printers"
Since this is no previous update, and no wiki, and this 3D is untrodden territory for me, all I can say is it apparently does not disturb anything else.
Leaving for others who might have more knowledge and experience on the subject.
CC: (none) => herman.viaene
I know even less about this sort of thing than you, Herman, so I tried installing it in a VirtualBox guest. I didn't have any installation issues, either. There is a READ.ME in /usr/share/doc/curaengine, but it was of little help. It did suggest the command "CuraEngine help" would give me a list of commands. It did, but beyond that I got nowhere with them. Probably because of my lack of knowledge on the subject. But, I did run the one command and it didn't crash. The others didn't make it crash, either; they just said the command wasn't recognized and gave me the help screen once more. So, as far as I can tell, it's working as designed. I'm sending it on. Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0549.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED