
Bug#996023: buster-pu: package openscad/2019.01~RC2-2



Control: tags -1 + confirmed

On Sun, 2021-10-10 at 14:58 +0200, Kristian Nielsen wrote:
> This is a fix for two minor security issues in buster:
> 
>   https://security-tracker.debian.org/tracker/CVE-2020-28599
>   https://security-tracker.debian.org/tracker/CVE-2020-28600
> 
> It was coordinated with the security team to take this through
> buster-proposed-updates rather than handling it through the security team.
> 
> [ Impact ]
> 
> In theory the bug could allow arbitrary code execution from loading a
> carefully crafted STL file into the desktop application openscad.
> OpenSCAD is a script language/compiler for programmatically building
> 3D models, e.g. for 3D-printing purposes. STL is a file format for
> storing 3D model data. The OpenSCAD language has functions for reading
> STL files. Thus to exploit this bug would involve a user loading or
> writing an openscad script which references the malicious STL file.
> Thus not too likely a scenario, but on the other hand probably still
> well within what is considered a security issue nowadays.
> 

Please go ahead.

Regards,

Adam
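The impact section above describes the risk of parsing an untrusted STL file in a native 3D model importer. The following is an added illustration, not code from OpenSCAD or from the Debian update, and it does not reproduce the defects behind the two CVEs: it is a small defensive binary STL reader in C that checks the declared triangle count against the actual buffer length and against a caller-provided capacity before writing anything, so a crafted header cannot drive reads or writes past the buffer. The 80-byte header, 32-bit little-endian triangle count and 50-byte triangle records are the standard binary STL layout; the `STL_MAX_TRIANGLES` cap, the sample builder and the error codes are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STL_HEADER_LEN 80          /* binary STL: 80-byte free-form header */
#define STL_TRI_LEN    50          /* 12 floats (normal + 3 vertices) + 2-byte attribute */
#define STL_MAX_TRIANGLES 10000000u /* policy cap chosen for this example (assumption) */

typedef struct { float n[3]; float v[3][3]; } stl_tri;

/* Little-endian helpers that avoid unaligned and host-endian-dependent access. */
static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr_u32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Validate a binary STL buffer before any triangle data is touched.
 * Returns 0 on success; -1 truncated header, -2 count over policy cap,
 * -3 declared count disagrees with the real buffer length. */
int stl_validate(const uint8_t *buf, size_t len, uint32_t *count_out) {
    if (len < STL_HEADER_LEN + 4) return -1;
    uint32_t n = rd_u32le(buf + STL_HEADER_LEN);
    if (n > STL_MAX_TRIANGLES) return -2;
    /* n is bounded above, so this multiplication cannot overflow uint64_t. */
    uint64_t need = (uint64_t)STL_HEADER_LEN + 4 + (uint64_t)n * STL_TRI_LEN;
    if (need != (uint64_t)len) return -3;
    if (count_out) *count_out = n;
    return 0;
}

/* Parse triangles into a caller-owned array of capacity `cap`.
 * Returns 0 on success, -4 if the file holds more triangles than `cap`,
 * or the stl_validate error code. Never writes beyond out[cap-1]. */
int stl_parse(const uint8_t *buf, size_t len, stl_tri *out, size_t cap, size_t *n_out) {
    uint32_t n;
    int rc = stl_validate(buf, len, &n);
    if (rc != 0) return rc;
    if ((size_t)n > cap) return -4;
    const uint8_t *p = buf + STL_HEADER_LEN + 4;
    for (uint32_t i = 0; i < n; i++, p += STL_TRI_LEN) {
        float f[12];
        for (int k = 0; k < 12; k++) {          /* decode 12 IEEE-754 floats */
            uint32_t u = rd_u32le(p + 4 * k);
            memcpy(&f[k], &u, sizeof f[k]);
        }
        memcpy(out[i].n, f, sizeof out[i].n);
        memcpy(out[i].v, f + 3, sizeof out[i].v);
    }
    *n_out = n;
    return 0;
}

/* Build a constructed sample file (not a real model): `actual` triangles are
 * present, but the header claims `declared`, so the two can be made to disagree.
 * Triangle i gets vertex0.x = i. Returns the byte length written, 0 if dst is too small. */
size_t make_sample(uint8_t *dst, size_t dstlen, uint32_t declared, uint32_t actual) {
    size_t total = STL_HEADER_LEN + 4 + (size_t)actual * STL_TRI_LEN;
    if (total > dstlen) return 0;
    memset(dst, 0, total);
    memcpy(dst, "constructed sample, not a real model", 36);
    wr_u32le(dst + STL_HEADER_LEN, declared);
    for (uint32_t i = 0; i < actual; i++) {
        uint8_t *t = dst + STL_HEADER_LEN + 4 + (size_t)i * STL_TRI_LEN;
        float x = (float)i;
        uint32_t u;
        memcpy(&u, &x, sizeof u);
        wr_u32le(t + 12, u);                    /* vertex 0 x sits after the 12-byte normal */
    }
    return total;
}

int main(void) {
    uint8_t b[512];
    uint32_t n = 0;
    size_t len = make_sample(b, sizeof b, 1000, 2);   /* header lies about the count */
    printf("declared 1000, actual 2 -> rc=%d\n", stl_validate(b, len, &n));
    len = make_sample(b, sizeof b, 2, 2);
    printf("declared 2, actual 2    -> rc=%d, n=%u\n", stl_validate(b, len, &n), n);
    return 0;
}
```

The point of the split between `stl_validate` and `stl_parse` is that the untrusted count is reconciled with the real buffer length once, up front, and then bounded again by the destination capacity; an importer that instead trusts the header count to size its reads or its output array is exactly the kind of code a crafted file can push out of bounds.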
