Hi everyone. While taking a tour along the upstream websites of some of my favourite software packages I noticed a couple of issues have since been discovered and resolved with Mageia 9's bundled LibreCAD 2.2.0.

PROBLEM #1 -- Vulnerability Fixes

From upstream:

  Bugfix release 2.2.0.1
  This is a bugfix release for official stable release 2.2.0. It fixes a minor vulnerability (CVE-2023-30259) with a mature shapelib contained in our codebase. The vulnerability addresses only the plugin Importshp, which is used to import shape files (SHP/SHX/DBF). Shape files are used in surveying and so do not affect most users. As this is probably not a widely used plugin, the fix was just to remove the plugin.

And:

  Bugfix release 2.2.0.2
  This is a bugfix release for official stable release 2.2.0. It fixes 3 minor issues:
  * An undetected vulnerability: opening malformed LFF font files caused a crash
  * Format issues in bundled fonts
  * A regression: finding nearest points on ellipses caused a crash

PROBLEM #2 -- Wrong (out-of-date) libdxfrw

Poking around in one of our mirrors, I saw that the patched 2.2.0.2 version above is already available in Cauldron, but this also brought to my attention another discrepancy. Even in Cauldron we're still packaging the outdated 1.1.0-RC1 for libdxfrw from 2022-06-07 when we should be offering libdxfrw-LC2.2.0 final, which coincides with the release date of the main LibreCAD 2.2.0 stable release, 2022-12-17.

We've seen in the past that letting libdxfrw fall out of sync with LibreCAD will break the program's ability to open and save drawings (Bug 29996 comment 21 onward). Fortunately the differences between the RC1 and its final must not have been so large as to cause any real mayhem. Up to now I wasn't aware there was an issue.

I wish the upstream website was clearer on the tight integration between the two components, or that they would fold libdxfrw directly into the main project. I think they're being kept separate for legacy reasons (?) as they used to be two independent projects. It's especially annoying how LibreCAD's README.md makes it sound as though libdxfrw is somehow optional: "libdxfrw is an associated project that allows LibreCAD to read DWG files," and links to the now long-defunct Sourceforge version of the project. As I understand it, going forward, libdxfrw's version numbering should match LibreCAD's from now on. Hopefully that will clear up some confusion. Anyway, the two packages *really* do need to be kept in sync.

The current libdxfrw is available here (and scores us the latest dwg2dxf in the bargain): https://github.com/LibreCAD/libdxfrw

My thanks in advance to anyone looking into this report specifically, and as always, to all Mageia contributors in general for your endless hard work.
CC: (none) => johnltw
Thanks for your report! Assigning to QA.

Packages in 9/Core/Updates_testing:
======================
librecad-plugins-2.2.0.2-1.mga9
librecad-2.2.0.2-1.mga9
librecad-doc-2.2.0.2-1.mga9.noarch.rpm
librecad-parts-2.2.0.2-1.mga9.noarch.rpm
librecad-data-2.2.0.2-1.mga9.noarch.rpm
dwg2dxf-2.2.0-1.mga9
lib64dxfrw-devel-2.2.0-1.mga9
lib64dxfrw1-2.2.0-1.mga9
libdxfrw-devel-2.2.0-1.mga9
libdxfrw1-2.2.0-1.mga9

From SRPMS:
librecad-2.2.0.2-1.mga9.src.rpm
libdxfrw-2.2.0-1.mga9.src.rpm
CC: (none) => geiger.david68210
Assignee: bugsquad => qa-bugs
Hi David. Thank you for the rapid response.

Testing on x86_64. I grabbed only the files a regular user would (i.e. everything but the devel and src packages).

Test Results -- LibreCAD + libdxfrw (6 packages):
* Error-free install.
* Program started from terminal with no unexpected surprises.
* I quickly banged together a floor plan for a tiny house. Exterior walls, interior walls, trimmed lines, divided lines, trimmed some more. Gave the little house a front door and dining table (i.e. inserted 2 prefab blocks from the parts library); edited the mirror-translation properties of the door to flip it around, added a hatch pattern to the walls... All basic real-world tasks appear good.
* Available hatch patterns. Good. Available LFF fonts. Good.
* I even made a few on-purpose mistakes along the way to check the program's error responses. All as expected.
* Saved the drawing. Good. Re-opened the drawing. Good. Exported the drawing to PDF and inspected the result in Okular. Also good.
* Opened/closed a couple of my older drawings, one small, the other quite large. Nothing unexpected.
* Consulted the man page. Good.

Test Results -- dwg2dxf (1 package) + libdxfrw
* At the terminal converted a DWG 2007 drawing to DXF 2007. Conversion successful. Opened and inspected the result in LibreCAD. Looks good.
* Consulted the man page. Yep, good.

That's about as thorough a tire-kicking as I think I could give it all in under 30 minutes. All good as far as I can tell, so I'll give it my stamp of approval. Thanks again. :-)
Advisory with SRPMs comment 1 and description:

| This is a librecad bugfix release. It also "fixes" a minor vulnerability, CVE-2023-30259, by simply removing the affected plugin. libdxfrw is also updated to 2.2.0, because it needs to match with current librecad 2.2.0

added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
CC: (none) => marja11
Keywords: (none) => advisory
Thank you all, and especially for that heads up and test, John! I believe no one in QA knows LibreCAD better :)

Validating
Keywords: (none) => validated_update
CC: (none) => fri, sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2023-0152.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED