Bug 29622 - curaengine new security issues CVE-2021-28021, CVE-2021-42715, and CVE-2021-42716
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-02 23:16 CET by David Walser
Modified: 2021-11-20 11:06 CET

See Also:
Source RPM: curaengine-4.8.0-1.mga8.src.rpm
CVE: CVE-2021-28021, CVE-2021-42715, and CVE-2021-42716
Status comment:



Description David Walser 2021-11-02 23:16:15 CET
Fedora has issued an advisory today (November 2):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3TDGZFLBOP27LZKLH45WQLSNPSPP7S7Z/

Mageia 8 is also affected.
David Walser 2021-11-02 23:16:41 CET

Whiteboard: (none) => MGA8TOO
CC: (none) => geiger.david68210

Comment 1 Lewis Smith 2021-11-04 20:50:01 CET
Hope it is OK to assign this to you, DavidG. You did several 'recent' updates to it.

CC: geiger.david68210 => (none)
Assignee: bugsquad => geiger.david68210

Comment 2 Nicolas Salguero 2021-11-16 12:09:09 CET
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Buffer overflow vulnerability in function stbi__extend_receive in stb_image.h in stb 2.26 via a crafted JPEG file. (CVE-2021-28021)

An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR loader parsed truncated end-of-file RLE scanlines as an infinite sequence of zero-length runs. An attacker could potentially have caused denial of service in applications using stb_image by submitting crafted HDR files. (CVE-2021-42715)

An issue was discovered in stb stb_image.h 2.27. The PNM loader incorrectly interpreted 16-bit PGM files as 8-bit when converting to RGBA, leading to a buffer overflow when later reinterpreting the result as a 16-bit buffer. An attacker could potentially have crashed a service using stb_image, or read up to 1024 bytes of non-consecutive heap data without control over the read location. (CVE-2021-42716)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42715
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42716
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3TDGZFLBOP27LZKLH45WQLSNPSPP7S7Z/
========================

Updated package in core/updates_testing:
========================
curaengine-4.8.0-1.1.mga8

from SRPM:
curaengine-4.8.0-1.1.mga8.src.rpm

CC: (none) => nicolas.salguero
CVE: (none) => CVE-2021-28021, CVE-2021-42715, and CVE-2021-42716
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: geiger.david68210 => qa-bugs
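
The CVE-2021-42715 description in the suggested advisory above (a truncated RLE scanline read as an endless series of zero-length runs) comes down to a decode loop that trusts a count byte produced at end of file. The following is an added example, not code from stb, curaengine or this bug report: a bounded decoder for one Radiance-style RLE channel that treats end of input, zero-length counts and over-long counts as corrupt data. The names `reader`, `get8`, `decode_rle_channel` and `decode_sample` are hypothetical, the reader returning 0 at end of input is an assumption of the model, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed in-memory reader (hypothetical). Assumption: like many image
 * readers, get8() yields 0 once the input is exhausted instead of failing. */
typedef struct { const uint8_t *p, *end; } reader;
static int at_eof(const reader *r) { return r->p >= r->end; }
static uint8_t get8(reader *r) { return at_eof(r) ? 0 : *r->p++; }

/* Decode one RLE-coded channel of `width` bytes (Radiance-style: a count byte
 * above 128 starts a run, otherwise a literal). 0 = ok, -1 = corrupt. */
int decode_rle_channel(reader *r, uint8_t *out, size_t width)
{
    size_t i = 0;
    while (i < width) {
        size_t nleft = width - i;
        if (at_eof(r)) return -1;            /* truncated: a 0 from get8() is not a count */
        unsigned count = get8(r);
        if (count > 128) {                   /* run: next byte repeated count-128 times */
            count -= 128;
            if (count > nleft || at_eof(r)) return -1;
            uint8_t v = get8(r);
            while (count--) out[i++] = v;
        } else {                             /* literal: count raw bytes follow */
            if (count == 0 || count > nleft) return -1;   /* zero length = no progress */
            if ((size_t)(r->end - r->p) < count) return -1;
            while (count--) out[i++] = get8(r);
        }
    }
    return 0;
}

uint8_t scratch[8];   /* output buffer shared by the samples below */

/* Helper for the constructed samples: decode `len` bytes into scratch. */
int decode_sample(const uint8_t *data, size_t len, size_t width)
{
    reader r = { data, data + len };
    return width > sizeof scratch ? -1 : decode_rle_channel(&r, scratch, width);
}

int main(void)
{
    static const uint8_t ok[]    = { 0x83, 'A', 0x01, 'B' };  /* AAAB */
    static const uint8_t trunc[] = { 0x83, 'A' };             /* ends after 3 of 4 */
    return !(decode_sample(ok, sizeof ok, 4) == 0 &&
             decode_sample(trunc, sizeof trunc, 4) == -1);
}
```

Without the end-of-input and `count == 0` checks, the truncated sample would make the loop read 0 as a literal length forever, because `i` never advances.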

Comment 3 Herman Viaene 2021-11-20 11:06:26 CET
MGA8-64 Plasma on Lenovo B50
No installation issues.
The info in MCC reads: "curaengine - Engine for processing 3D models into G-code instructions for 3D printers"
Since there is no previous update, and no wiki, and this 3D is untrodden territory for me, all I can say is that it apparently does not disturb anything else.
Leaving for others who might have more knowledge and experience on the subject.

CC: (none) => herman.viaene

