Bug 29720 - libdxfrw new security issues CVE-2021-21898, CVE-2021-21899, CVE-2021-21900, CVE-2021-45343
Summary: libdxfrw new security issues CVE-2021-21898, CVE-2021-21899, CVE-2021-21900, ...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 29996
Reported: 2021-12-01 23:57 CET by David Walser
Modified: 2022-04-24 12:44 CEST (History)

See Also:
Source RPM: libdxfrw-1.0.1-1.mga8.src.rpm
CVE: CVE-2021-21898, CVE-2021-21899, CVE-2021-21900, CVE-2021-45343
Status comment:

Description David Walser 2021-12-01 23:57:59 CET
Fedora has issued an advisory today (December 1):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RDI3HCTCACMIC7I4ILB3NRU6DCMADI5H/

The issues were fixed recently in upstream git.

Mageia 8 is also affected.

Fedora also rebuilt librecad against the updated library, but since we already switched to the 1.0.1 fork, we probably don't need to.
David Walser 2021-12-01 23:58:20 CET

Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2021-12-03 22:05:40 CET
Debian-LTS has issued an advisory for this today (December 3):
https://www.debian.org/lts/security/2021/dla-2838
Comment 2 Lewis Smith 2021-12-05 19:25:09 CET
This SRPM is officially down to Jani, who has done recent work on it; so assigning to you.

Assignee: bugsquad => jani.valimaa

Comment 3 David Walser 2022-02-13 18:54:21 CET
Fedora has issued an advisory on February 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VUMH3CWGVSMR2UIZEA35Q5UB7PDVVVYS/

They added one more security fix from upstream.

Mageia 8 is also affected.

There are also some needed security fixes in librecad (Bug 29996).

Summary: libdxfrw new security issues CVE-2021-21898, CVE-2021-21899, and CVE-2021-21900 => libdxfrw new security issues CVE-2021-21898, CVE-2021-21899, CVE-2021-21900, CVE-2021-45343
Blocks: (none) => 29996

Comment 4 David Walser 2022-03-03 22:20:03 CET
openSUSE has issued an advisory for the first three CVEs today (March 3):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6TWLTKRSHNPCLQL7UXQSITHNYJT5XSK5/
Comment 5 Nicolas Salguero 2022-04-21 11:50:33 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A code execution vulnerability exists in the dwgCompressor::decompress18() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .dwg file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. (CVE-2021-21898)

A code execution vulnerability exists in the dwgCompressor::copyCompBytes21 functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .dwg file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. (CVE-2021-21899)

A code execution vulnerability exists in the dxfRW::processLType() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .dxf file can lead to a use-after-free vulnerability. An attacker can provide a malicious file to trigger this vulnerability. (CVE-2021-21900)

In LibreCAD 2.2.0, a NULL pointer dereference in the HATCH handling of libdxfrw allows an attacker to crash the application using a crafted DXF document. (CVE-2021-45343)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21898
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21899
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45343
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RDI3HCTCACMIC7I4ILB3NRU6DCMADI5H/
https://www.debian.org/lts/security/2021/dla-2838
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VUMH3CWGVSMR2UIZEA35Q5UB7PDVVVYS/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6TWLTKRSHNPCLQL7UXQSITHNYJT5XSK5/
========================

Updated packages in core/updates_testing:
========================
dwg2dxf-1.0.1-1.1.mga8
lib(64)dxfrw1-1.0.1-1.1.mga8
lib(64)dxfrw-devel-1.0.1-1.1.mga8

from SRPM:
libdxfrw-1.0.1-1.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Version: Cauldron => 8
Status: NEW => ASSIGNED
Assignee: jani.valimaa => qa-bugs
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2021-21898, CVE-2021-21899, CVE-2021-21900, CVE-2021-45343

Comment 6 Thomas Andrews 2022-04-21 20:29:14 CEST
I have installed this and the update for LibreCAD (Bug 29996), with no installation issues.

I have next to no experience with LibreCAD, but as far as basic function of some of the various tools is concerned, it appears to be OK. It would be better if someone with more experience could give them a look.

CC: (none) => andrewsfarm

Comment 7 Dave Hodgins 2022-04-24 03:32:26 CEST
Oking and validating as per bug 29996#c26

Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-04-24 03:41:27 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2022-04-24 12:44:43 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0151.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
