Accepting request 951958 from home:glaubitz:branches:graphics

- Add patch to fix out-of-bounds memory access in DXF loader + CVE-2022-0496.patch (boo#1195568, CVE-2022-0496) - Add patch to fix out-of-bounds memory access in comment parser + CVE-2022-0497.patch (boo#1195567, CVE-2022-0497) OBS-URL: https://build.opensuse.org/request/show/951958 OBS-URL: https://build.opensuse.org/package/show/graphics/openscad?expand=0&rev=44
2022-02-07 06:33:44 +00:00 · 2022-02-07 06:33:44 +00:00 · 506f7ea3e8
commit 506f7ea3e8
parent 604dc604cc
4 changed files with 116 additions and 1 deletions
--- a/CVE-2022-0496.patch
+++ b/CVE-2022-0496.patch
@ -0,0 +1,76 @@
+From 00a4692989c4e2f191525f73f24ad8727bacdf41 Mon Sep 17 00:00:00 2001
+From: Torsten Paul <Torsten.Paul@gmx.de>
+Date: Sat, 5 Feb 2022 18:38:31 +0100
+Subject: [PATCH] CVE-2022-0496 Out-of-bounds memory access in DXF loader.
+
+Public issue:
+https://github.com/openscad/openscad/issues/4037
+
+Fix in master branch:
+https://github.com/openscad/openscad/pull/4090
+---
+ src/dxfdata.cc | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/src/dxfdata.cc b/src/dxfdata.cc
+index 2bb7236746..aa6b6f3976 100644
+--- a/src/dxfdata.cc
+++ b/src/dxfdata.cc
+@@ -441,6 +441,11 @@ DxfData::DxfData(double fn, double fs, double fa,
+ 				auto lv = grid.data(this->points[lines[idx].idx[j]][0], this->points[lines[idx].idx[j]][1]);
+ 				for (size_t ki = 0; ki < lv.size(); ++ki) {
+ 					int k = lv.at(ki);
+                    if (k < 0 || k >= lines.size()) {
+                        LOG(message_group::Warning,Location::NONE,"",
+                            "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
+                        continue;
+                    }
+ 					if (k == idx || lines[k].disabled) continue;
+ 					goto next_open_path_j;
+ 				}
+@@ -466,13 +471,20 @@ DxfData::DxfData(double fn, double fs, double fa,
+ 			auto lv = grid.data(ref_point[0], ref_point[1]);
+ 			for (size_t ki = 0; ki < lv.size(); ++ki) {
+ 				int k = lv.at(ki);
+                if (k < 0 || k >= lines.size()) {
+                    LOG(message_group::Warning,Location::NONE,"",
+                        "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
+                    continue;
+                }
+ 				if (lines[k].disabled) continue;
+-				if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) {
+                auto idk0 = lines[k].idx[0];    // make it easier to read and debug
+                auto idk1 = lines[k].idx[1];
+				if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) {
+ 					current_line = k;
+ 					current_point = 0;
+ 					goto found_next_line_in_open_path;
+ 				}
+-				if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) {
+				if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) {
+ 					current_line = k;
+ 					current_point = 1;
+ 					goto found_next_line_in_open_path;
+@@ -501,13 +513,20 @@ DxfData::DxfData(double fn, double fs, double fa,
+ 			auto lv = grid.data(ref_point[0], ref_point[1]);
+ 			for (size_t ki = 0; ki < lv.size(); ++ki) {
+ 				int k = lv.at(ki);
+                if (k < 0 || k >= lines.size()) {
+                    LOG(message_group::Warning,Location::NONE,"",
+                        "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
+                    continue;
+                }
+ 				if (lines[k].disabled) continue;
+-				if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) {
+                auto idk0 = lines[k].idx[0];    // make it easier to read and debug
+                auto idk1 = lines[k].idx[1];
+				if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) {
+ 					current_line = k;
+ 					current_point = 0;
+ 					goto found_next_line_in_closed_path;
+ 				}
+-					if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) {
+                if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) {
+ 					current_line = k;
+ 					current_point = 1;
+ 					goto found_next_line_in_closed_path;
--- a/CVE-2022-0497.patch
+++ b/CVE-2022-0497.patch
@ -0,0 +1,27 @@
+From 84addf3c1efbd51d8ff424b7da276400bbfa1a4b Mon Sep 17 00:00:00 2001
+From: Torsten Paul <Torsten.Paul@gmx.de>
+Date: Sat, 5 Feb 2022 18:45:29 +0100
+Subject: [PATCH] CVE-2022-0497 Out-of-bounds memory access in comment parser.
+
+Public issue:
+https://github.com/openscad/openscad/issues/4043
+
+Fix in master branch:
+https://github.com/openscad/openscad/pull/4044
+---
+ src/comment.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/comment.cpp b/src/comment.cpp
+index f02ad2c5f6..1ce3ab547b 100644
+--- a/src/comment.cpp
+++ b/src/comment.cpp
+@@ -92,7 +92,7 @@ static std::string getComment(const std::string &fulltext, int line)
+ 	}
+ 
+ 	int end = start + 1;
+-	while (fulltext[end] != '\n') end++;
+	while (end < fulltext.size() && fulltext[end] != '\n') end++;
+ 
+ 	std::string comment = fulltext.substr(start, end - start);
+ 
--- a/openscad.changes
+++ b/openscad.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Sun Feb  6 19:02:05 UTC 2022 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Add patch to fix out-of-bounds memory access in DXF loader
+  + CVE-2022-0496.patch (boo#1195568, CVE-2022-0496)
+- Add patch to fix out-of-bounds memory access in comment parser
+  + CVE-2022-0497.patch (boo#1195567, CVE-2022-0497)
+
 -------------------------------------------------------------------
 Fri Aug 27 07:43:42 UTC 2021 - Samu Voutilainen <smar@smar.fi>

--- a/openscad.spec
+++ b/openscad.spec
@ -1,7 +1,7 @@
 #
 # spec file for package openscad
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -25,6 +25,8 @@ Group:          Productivity/Graphics/CAD
 URL:            https://www.openscad.org/
 Source:         https://files.openscad.org/%{name}-%{version}.src.tar.gz
 Patch1:         fix_build_with_cgal-5.3.patch
+Patch2:         CVE-2022-0496.patch
+Patch3:         CVE-2022-0497.patch
 BuildRequires:  bison
 BuildRequires:  double-conversion-devel
 BuildRequires:  eigen3-devel
@ -65,6 +67,8 @@ aspects, e.g. modelling of machine parts.
 %setup -q

 %patch1 -p1
+%patch2 -p1
+%patch3 -p1

 %build
 %qmake5 PREFIX=%{_prefix} CONFIG+=qopenglwidget CONFIG+=c++14