Bug 1200898 - (CVE-2022-33025) VUL-0: CVE-2022-33025: libredwg: Multiple issues were discovered in LibreDWG v0.12.4.4608
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Basesystem
Version: Leap 15.4
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Jan Engelhardt
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/335427/
Reported: 2022-06-24 07:19 UTC by Alexander Bergmann
Modified: 2022-06-26 11:41 UTC (History)
Found By: Security Response Team
Description Alexander Bergmann 2022-06-24 07:19:46 UTC
SUSE:Factory:Head/libredwg

Multiple issues were discovered in LibreDWG v0.12.4.4608

CVE-2022-33025 - heap-use-after-free via the function decode_preR13_section at decode_r11.c
CVE-2022-33026 - heap buffer overflow via the function bit_calc_CRC at bits.c
CVE-2022-33027 - heap-use-after-free via the function dwg_add_handleref at dwg.c
CVE-2022-33028 - heap buffer overflow via the function dwg_add_object at decode.c
CVE-2022-33032 - heap-buffer-overflow via the function decode_preR13_section_hdr at decode_r11.c
CVE-2022-33033 - double-free via the function dwg_read_file at dwg.c
CVE-2022-33034 - stack overflow via the function copy_bytes at decode_r2007.c

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-33025
https://nvd.nist.gov/vuln/detail/CVE-2022-33026
https://nvd.nist.gov/vuln/detail/CVE-2022-33027
https://nvd.nist.gov/vuln/detail/CVE-2022-33028
https://nvd.nist.gov/vuln/detail/CVE-2022-33032
https://nvd.nist.gov/vuln/detail/CVE-2022-33033
https://nvd.nist.gov/vuln/detail/CVE-2022-33034
Comment 1 Alexander Bergmann 2022-06-24 07:24:24 UTC
I've missed one CVE:

- CVE-2022-33024 - Assertion `!dat->bit' failed. Aborted

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-33024