diff --git a/CVE-2022-0496.patch b/CVE-2022-0496.patch new file mode 100644 index 0000000..f6683fc --- /dev/null +++ b/CVE-2022-0496.patch @@ -0,0 +1,76 @@ +From 00a4692989c4e2f191525f73f24ad8727bacdf41 Mon Sep 17 00:00:00 2001 +From: Torsten Paul +Date: Sat, 5 Feb 2022 18:38:31 +0100 +Subject: [PATCH] CVE-2022-0496 Out-of-bounds memory access in DXF loader. + +Public issue: +https://github.com/openscad/openscad/issues/4037 + +Fix in master branch: +https://github.com/openscad/openscad/pull/4090 +--- + src/dxfdata.cc | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/src/dxfdata.cc b/src/dxfdata.cc +index 2bb7236746..aa6b6f3976 100644 +--- a/src/dxfdata.cc ++++ b/src/dxfdata.cc +@@ -441,6 +441,11 @@ DxfData::DxfData(double fn, double fs, double fa, + auto lv = grid.data(this->points[lines[idx].idx[j]][0], this->points[lines[idx].idx[j]][1]); + for (size_t ki = 0; ki < lv.size(); ++ki) { + int k = lv.at(ki); ++ if (k < 0 || k >= lines.size()) { ++ LOG(message_group::Warning,Location::NONE,"", ++ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string())); ++ continue; ++ } + if (k == idx || lines[k].disabled) continue; + goto next_open_path_j; + } +@@ -466,13 +471,20 @@ DxfData::DxfData(double fn, double fs, double fa, + auto lv = grid.data(ref_point[0], ref_point[1]); + for (size_t ki = 0; ki < lv.size(); ++ki) { + int k = lv.at(ki); ++ if (k < 0 || k >= lines.size()) { ++ LOG(message_group::Warning,Location::NONE,"", ++ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string())); ++ continue; ++ } + if (lines[k].disabled) continue; +- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) { ++ auto idk0 = lines[k].idx[0]; // make it easier to read and debug ++ auto idk1 = lines[k].idx[1]; ++ if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) { + current_line = k; + current_point = 0; + goto found_next_line_in_open_path; + } +- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) { ++ if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) { + current_line = k; + current_point = 1; + goto found_next_line_in_open_path; +@@ -501,13 +513,20 @@ DxfData::DxfData(double fn, double fs, double fa, + auto lv = grid.data(ref_point[0], ref_point[1]); + for (size_t ki = 0; ki < lv.size(); ++ki) { + int k = lv.at(ki); ++ if (k < 0 || k >= lines.size()) { ++ LOG(message_group::Warning,Location::NONE,"", ++ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string())); ++ continue; ++ } + if (lines[k].disabled) continue; +- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) { ++ auto idk0 = lines[k].idx[0]; // make it easier to read and debug ++ auto idk1 = lines[k].idx[1]; ++ if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) { + current_line = k; + current_point = 0; + goto found_next_line_in_closed_path; + } +- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) { ++ if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) { + current_line = k; + current_point = 1; + goto found_next_line_in_closed_path; diff --git a/CVE-2022-0497.patch b/CVE-2022-0497.patch new file mode 100644 index 0000000..53f5b3a --- /dev/null +++ b/CVE-2022-0497.patch @@ -0,0 +1,27 @@ +From 84addf3c1efbd51d8ff424b7da276400bbfa1a4b Mon Sep 17 00:00:00 2001 +From: Torsten Paul +Date: Sat, 5 Feb 2022 18:45:29 +0100 +Subject: [PATCH] CVE-2022-0497 Out-of-bounds memory access in comment parser. + +Public issue: +https://github.com/openscad/openscad/issues/4043 + +Fix in master branch: +https://github.com/openscad/openscad/pull/4044 +--- + src/comment.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/comment.cpp b/src/comment.cpp +index f02ad2c5f6..1ce3ab547b 100644 +--- a/src/comment.cpp ++++ b/src/comment.cpp +@@ -92,7 +92,7 @@ static std::string getComment(const std::string &fulltext, int line) + } + + int end = start + 1; +- while (fulltext[end] != '\n') end++; ++ while (end < fulltext.size() && fulltext[end] != '\n') end++; + + std::string comment = fulltext.substr(start, end - start); + diff --git a/openscad.changes b/openscad.changes index 85b2609..164c589 100644 --- a/openscad.changes +++ b/openscad.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Sun Feb 6 19:02:05 UTC 2022 - John Paul Adrian Glaubitz + +- Add patch to fix out-of-bounds memory access in DXF loader + + CVE-2022-0496.patch (boo#1195568, CVE-2022-0496) +- Add patch to fix out-of-bounds memory access in comment parser + + CVE-2022-0497.patch (boo#1195567, CVE-2022-0497) + ------------------------------------------------------------------- Fri Aug 27 07:43:42 UTC 2021 - Samu Voutilainen diff --git a/openscad.spec b/openscad.spec index 71b7305..f0c4b1a 100644 --- a/openscad.spec +++ b/openscad.spec @@ -1,7 +1,7 @@ # # spec file for package openscad # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -25,6 +25,8 @@ Group: Productivity/Graphics/CAD URL: https://www.openscad.org/ Source: https://files.openscad.org/%{name}-%{version}.src.tar.gz Patch1: fix_build_with_cgal-5.3.patch +Patch2: CVE-2022-0496.patch +Patch3: CVE-2022-0497.patch BuildRequires: bison BuildRequires: double-conversion-devel BuildRequires: eigen3-devel @@ -65,6 +67,8 @@ aspects, e.g. modelling of machine parts. %setup -q %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build %qmake5 PREFIX=%{_prefix} CONFIG+=qopenglwidget CONFIG+=c++14