Bug 1192936 - (CVE-2021-21898) VUL-0: CVE-2021-21898: libdxfrw: out-of-bounds write in dwgCompressor:decompress18()
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.3
Hardware: Other / OS: Other
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/315428/
Reported: 2021-11-22 10:21 UTC by Thomas Leroy
Modified: 2022-05-09 07:32 UTC (History)

Found By: Security Response Team
Description Thomas Leroy 2021-11-22 10:21:52 UTC
CVE-2021-21898

A code execution vulnerability exists in the dwgCompressor::decompress18()
functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted
.dwg file can lead to an out-of-bounds write. An attacker can provide a
malicious file to trigger this vulnerability.

Upstream commit in librecad/libdxfrw:
https://github.com/LibreCAD/libdxfrw/commit/ba3fa95648bef948e008dfbdd31a4d21badd71f0

The changes of the librecad/libdxfrw upstream commit have been included in a libdxfrw update commit in librecad/librecad:
https://github.com/LibreCAD/LibreCAD/commit/33b34d4a4acb7a681462626ef442013528c69faa

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21898
https://talosintelligence.com/vulnerability_reports/TALOS-2021-1349
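The description above names only the symptom: a decompressor for a file-controlled format writes past the end of its output buffer. As an added illustration of that bug class (this is not libdxfrw's decompress18() and not the upstream patch; the opcode format, function names and sample streams below are hypothetical and constructed for the example), here is a small LZ77-style decoder with the bounds checks an unchecked decoder would lack:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical opcode format used only for this illustration; it is NOT the
 * DWG R18 encoding and NOT libdxfrw's decompress18():
 *   0xxxxxxx            copy (x + 1) literal bytes that follow the opcode
 *   1xxxxxxx oooooooo   copy (x + 3) bytes starting (o + 1) bytes back in
 *                       the output produced so far (overlap allowed)
 * Returns the number of output bytes, or -1 if the stream is malformed.
 * Every `return -1` is a check an unchecked decoder would lack; without the
 * two `dst_len - di` checks a crafted length writes past the end of `dst`.
 */
long decompress_checked(const uint8_t *src, size_t src_len,
                        uint8_t *dst, size_t dst_len)
{
    size_t si = 0, di = 0;            /* invariants: si <= src_len, di <= dst_len */

    while (si < src_len) {
        uint8_t op = src[si++];

        if ((op & 0x80) == 0) {                       /* literal run */
            size_t len = (size_t)(op & 0x7F) + 1;
            if (len > src_len - si) return -1;        /* run overruns the input */
            if (len > dst_len - di) return -1;        /* run overruns the output */
            memcpy(dst + di, src + si, len);
            si += len;
            di += len;
        } else {                                      /* back-reference */
            if (si >= src_len) return -1;             /* offset byte missing */
            size_t len = (size_t)(op & 0x7F) + 3;
            size_t off = (size_t)src[si++] + 1;
            if (off > di) return -1;                  /* would read before dst[0] */
            if (len > dst_len - di) return -1;        /* copy overruns the output */
            for (size_t k = 0; k < len; k++, di++)    /* byte-wise so overlap works */
                dst[di] = dst[di - off];
        }
    }
    return (long)di;
}

/* Constructed well-formed stream: "AB" then a 3-byte copy from 2 bytes back. */
int benign_stream_ok(void)
{
    const uint8_t s[] = { 0x01, 'A', 'B', 0x80, 0x01 };
    uint8_t out[16];
    long n = decompress_checked(s, sizeof s, out, sizeof out);
    return n == 5 && memcmp(out, "ABABA", 5) == 0;
}

/* Constructed "crafted" stream: same prefix, but the back-reference asks for
 * 130 bytes into an 8-byte output buffer.  Rejected instead of overflowing. */
long crafted_length_result(void)
{
    const uint8_t s[] = { 0x01, 'A', 'B', 0xFF, 0x01 };
    uint8_t out[8];
    return decompress_checked(s, sizeof s, out, sizeof out);
}

/* Constructed stream whose first opcode references data before the output
 * start (the matching out-of-bounds read). */
long crafted_offset_result(void)
{
    const uint8_t s[] = { 0x80, 0x05 };
    uint8_t out[8];
    return decompress_checked(s, sizeof s, out, sizeof out);
}

int main(void)
{
    printf("benign: %s\n", benign_stream_ok() ? "ok" : "FAIL");
    printf("crafted length: %ld\n", crafted_length_result());
    printf("crafted offset: %ld\n", crafted_offset_result());
    return 0;
}
```

The two checks against `dst_len - di` are the ones that matter for an out-of-bounds write; the `off > di` check covers the companion out-of-bounds read. Writing the checks as `len > remaining` rather than `di + len > dst_len` avoids the size_t wraparound that a very large file-supplied length would otherwise exploit.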
Comment 1 Thomas Leroy 2021-11-22 12:16:45 UTC
Affected codestreams:
- openSUSE:Backports:SLE-15-SP1:Update
- openSUSE:Backports:SLE-15-SP2:Update
- openSUSE:Backports:SLE-15-SP3:Update
- openSUSE:Leap:15.2:Update
- openSUSE:Factory
Comment 2 Jan Engelhardt 2021-12-30 17:45:02 UTC
librecad does not use the bundled libdxfrw; we even have an rm -Rf line in the build recipe to make sure that is the case.

Reassigning to libdxfrw.
Comment 3 Jiri Slaby 2021-12-31 10:34:57 UTC
(In reply to Thomas Leroy from comment #0)
> The changes of the librecad/libdxfrw upstream commit have been included in a
> libdxfrw update commit in librecad/librecad:
> https://github.com/LibreCAD/LibreCAD/commit/
> 33b34d4a4acb7a681462626ef442013528c69faa

Commit log of that states:
> synced libdxfrw with upstream version
> fcd977cc7f8f6cc7f012e5b72d33cf7d77b3fa69; created new branch LibreCAD_2
> there to track changes

And factory is exactly at that commit:
https://build.opensuse.org/package/view_file/openSUSE:Factory/libdxfrw/_servicedata?expand=1
 ->
<param name="changesrevision">fcd977cc7f8f6cc7f012e5b72d33cf7d77b3fa69</param>

So factory contains the fix already.

The rest still needs to be checked (whether it even contains the vulnerability).
Comment 4 Jiri Slaby 2022-01-04 09:30:51 UTC
Factory is already fixed with the recent update.

The rest (leap + backports) is close to impossible to fix with the three CVE patches (the code is way too old/different and the changes are very intrusive). Instead, we could upgrade both libdxfrw and librecad to what is in factory.
Comment 5 Thomas Leroy 2022-01-05 09:21:22 UTC
(In reply to Jiri Slaby from comment #4)
> Factory is already fixed with the recent update.

Indeed, great.

> The rest (leap + backports) is close to impossible to fix with the three
> CVE patches (the code is way too old/different and the changes are very
> intrusive). Instead, we could upgrade both libdxfrw and librecad to what is
> in factory.

Since Leap:15.2 is EOL now, only openSUSE:Backports:SLE-15-SP{3,4} and openSUSE:Leap:15.3:Update should be checked now. Is backporting on these versions still too complicated?
Comment 6 Jiri Slaby 2022-01-05 09:29:16 UTC
(In reply to Thomas Leroy from comment #5)
> Since Leap:15.2 is EOL now, only openSUSE:Backports:SLE-15-SP{3,4} and
> openSUSE:Leap:15.3:Update should be checked now. Is backporting on these
> versions still too complicated?

Yes, all of them contain the same old sources. libdxfrw and librecad were not updated for ages as upstream stalled. It resurrected only a year or so ago and they were able to release a more or less stable release of both the packages weeks ago (2.2-rc3). I have been using a librecad git snapshot with embedded libdxfrw for ~5 years with no serious problems.
Comment 7 Thomas Leroy 2022-01-05 09:46:50 UTC
(In reply to Jiri Slaby from comment #6)
> Yes, all of them contain the same old sources. libdxfrw and librecad were
> not updated for ages as upstream stalled. It resurrected only a year or so
> ago and they were able to release a more or less stable release of both the
> packages weeks ago (2.2-rc3). I have been using a librecad git snapshot with
> embedded libdxfrw for ~5 years with no serious problems.

All right. If the newer versions are less stable than the older ones, we will have to find a compromise between stability and security. Nevertheless, since these bugs only affect openSUSE, I think we could version update the affected packages, which is better from a security point of view.
Comment 8 Jiri Slaby 2022-01-05 10:04:12 UTC
(In reply to Thomas Leroy from comment #7)
> since these bugs only affect openSUSE, I think we could version update the
> affected packages, which is better from a security point of view

This is something to be blessed by the librecad maintainer too ^^.
Comment 9 Jan Engelhardt 2022-01-05 10:09:10 UTC
You have my blessings.
Comment 10 Jiri Slaby 2022-01-05 10:14:29 UTC
(In reply to Jan Engelhardt from comment #9)
> You have my blessings.

OK, waiting for
https://github.com/LibreCAD/LibreCAD/issues/1488
though. (To replace the reverts by a proper fix.)
Comment 11 OBSbugzilla Bot 2022-02-02 08:20:03 UTC
This is an autogenerated message for OBS integration:
This bug (1192936) was mentioned in
https://build.opensuse.org/request/show/950668 Backports:SLE-15-SP3 / libdxfrw+librecad
Comment 12 Jiri Slaby 2022-02-07 07:55:47 UTC
(In reply to Jan Engelhardt from comment #9)
> You have my blessings.

Now, you'd have to bless (aka review) it also in the SR:

(In reply to OBSbugzilla Bot from comment #11)
> https://build.opensuse.org/request/show/950668
Comment 13 Swamp Workflow Management 2022-03-03 02:17:46 UTC
openSUSE-SU-2022:0067-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1192936,1192937,1192938
CVE References: CVE-2021-21898,CVE-2021-21899,CVE-2021-21900
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    libdxfrw-1.0.1+git.20220109-bp153.2.3.1, librecad-2.2.0~rc3-bp153.2.3.1
Comment 14 Jiri Slaby 2022-05-09 07:18:02 UTC
This is long fixed.
Comment 15 Thomas Leroy 2022-05-09 07:32:37 UTC
openSUSE:Factory, openSUSE:Backports:SLE-15-SP3:Update and openSUSE:Backports:SLE-15-SP4 fixed, closing.