
RFR: openscad update



Hi,

I've been looking into updating openscad in buster to fix CVE-2022-0496
and CVE-2022-0497. They're already fixed in bullseye and later. They are
input sanitization issues and CVE-2022-0496 needed a little porting of
the patch. I verified that the provided PoCs for CVE-2022-0496 do
trigger in an asan/ubsan build and no longer trigger after applying the
patch. The provided PoC for CVE-2022-0497 did not trigger in an
asan/ubsan build, but the fix is quite obvious and the PoC looks quite
sensitive to the memory layout, so that's unsurprising. Beyond the
build-time test suite, autopkgtests also pass.

Given the buster -> LTS transition, I'm unsure where to upload this to.
Adam's mail seems to indicate that it's late for the point release.

Full build available at https://subdivi.de/~helmut/openscad_lts/, and
.debdiff attached. Did I miss anything obvious on the process side?

Helmut
diff --minimal -Nru openscad-2019.01~RC2/debian/changelog openscad-2019.01~RC2/debian/changelog
--- openscad-2019.01~RC2/debian/changelog	2021-10-08 14:05:21.000000000 +0200
+++ openscad-2019.01~RC2/debian/changelog	2022-06-22 22:06:51.000000000 +0200
@@ -1,3 +1,10 @@
+openscad (2019.01~RC2-2+deb10u2) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Fix input validation (CVE-2022-0496 and CVE-2022-0497) (Closes: #1005641)
+
+ -- Helmut Grohne <helmut@subdivi.de>  Wed, 22 Jun 2022 22:06:51 +0200
+
 openscad (2019.01~RC2-2+deb10u1) buster; urgency=medium
 
   * Fix buffer overflows in STL parser (CVE-2020-28599 and
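Review bot: the distribution on the new changelog entry is still UNRELEASED; it has to be set to the real target before upload, and for a buster LTS upload that is buster-security rather than the plain buster used by the deb10u1 entry below. It would also help to say in the entry which parsers the two fixes touch (DXF import for CVE-2022-0496, the comment parser for CVE-2022-0497) so the entry is self-explanatory without the patch files.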
diff --minimal -Nru openscad-2019.01~RC2/debian/patches/CVE-2022-0496.patch openscad-2019.01~RC2/debian/patches/CVE-2022-0496.patch
--- openscad-2019.01~RC2/debian/patches/CVE-2022-0496.patch	1970-01-01 01:00:00.000000000 +0100
+++ openscad-2019.01~RC2/debian/patches/CVE-2022-0496.patch	2022-06-22 22:06:51.000000000 +0200
@@ -0,0 +1,70 @@
+commit 770e3234cbfe66edbc0333f796b46d36a74aa652
+Author: ChrisCoxArt <ccox@comcast.net>
+Date:   Sat Jan 15 19:40:09 2022 -0800
+
+    add safety to line lookups in DXF import, fixes #4037
+    
+    Add safety (test for, and continue past, bad indices).
+    Report warnings about bad indices
+    Add variables just to make the array indices easier to read and debug.
+
+--- openscad-2019.01~RC2.orig/src/dxfdata.cc
++++ openscad-2019.01~RC2/src/dxfdata.cc
+@@ -438,6 +438,11 @@
+ 				auto lv = grid.data(this->points[lines[idx].idx[j]][0], this->points[lines[idx].idx[j]][1]);
+ 				for (size_t ki = 0; ki < lv.size(); ki++) {
+ 					int k = lv.at(ki);
++					if (k < 0 || k >= lines.size()) {
++						PRINTB("WARNING: Bad DXF line index in %1$s.",
++								QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
++						continue;
++					}
+ 					if (k == idx || lines[k].disabled) continue;
+ 					goto next_open_path_j;
+ 				}
+@@ -463,13 +468,20 @@
+ 			auto lv = grid.data(ref_point[0], ref_point[1]);
+ 			for (size_t ki = 0; ki < lv.size(); ki++) {
+ 				int k = lv.at(ki);
++				if (k < 0 || k >= lines.size()) {
++					PRINTB("WARNING: Bad DXF line index in %1$s.",
++							QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
++					continue;
++				}
+ 				if (lines[k].disabled) continue;
+-				if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) {
++				auto idk0 = lines[k].idx[0];    // make it easier to read and debug
++				auto idk1 = lines[k].idx[1];
++				if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) {
+ 					current_line = k;
+ 					current_point = 0;
+ 					goto found_next_line_in_open_path;
+ 				}
+-				if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) {
++				if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) {
+ 					current_line = k;
+ 					current_point = 1;
+ 					goto found_next_line_in_open_path;
+@@ -498,13 +510,20 @@
+ 			auto lv = grid.data(ref_point[0], ref_point[1]);
+ 			for (size_t ki = 0; ki < lv.size(); ki++) {
+ 				int k = lv.at(ki);
++				if (k < 0 || k >= lines.size()) {
++					PRINTB("WARNING: Bad DXF line index in %1$s.",
++							QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string()));
++					continue;
++				}
+ 				if (lines[k].disabled) continue;
+-				if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) {
++				auto idk0 = lines[k].idx[0];    // make it easier to read and debug
++				auto idk1 = lines[k].idx[1];
++				if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) {
+ 					current_line = k;
+ 					current_point = 0;
+ 					goto found_next_line_in_closed_path;
+ 				}
+-					if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) {
++				if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) {
+ 					current_line = k;
+ 					current_point = 1;
+ 					goto found_next_line_in_closed_path;
diff --minimal -Nru openscad-2019.01~RC2/debian/patches/CVE-2022-0497.patch openscad-2019.01~RC2/debian/patches/CVE-2022-0497.patch
--- openscad-2019.01~RC2/debian/patches/CVE-2022-0497.patch	1970-01-01 01:00:00.000000000 +0100
+++ openscad-2019.01~RC2/debian/patches/CVE-2022-0497.patch	2022-06-22 22:00:39.000000000 +0200
@@ -0,0 +1,19 @@
+commit b81369dffc3f385257a9b1f5c271118a88671d6d
+Author: eldstal <laeder.keps@gmail.com>
+Date:   Sun Jan 9 17:57:42 2022 +0100
+
+    Add file bounds check to comment parser
+
+diff --git a/src/comment.cc b/src/comment.cc
+index 25aba535b..c0051db56 100644
+--- a/src/comment.cpp
++++ b/src/comment.cpp
+@@ -92,7 +92,7 @@ static std::string getComment(const std::string &fulltext, int line)
+ 	}
+ 
+ 	int end = start + 1;
+-	while (fulltext[end] != '\n') end++;
++	while (end < fulltext.size() && fulltext[end] != '\n') end++;
+ 
+ 	std::string comment = fulltext.substr(start, end - start);
+ 
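Review bot: the `diff --git a/src/comment.cc b/src/comment.cc` and `index` lines still name the upstream comment.cc while the ---/+++ headers were ported to src/comment.cpp; quilt applies from the ---/+++ lines so it works, but the stale git header is misleading and should be dropped or corrected in the backported patch. On the check itself: `end < fulltext.size()` compares int with size_t (sign-compare warning, harmless since end starts at start + 1); the original loop read `fulltext[size()]` (defined to yield '\0' for std::string since C++11, so the loop does not stop there) and then walked past the buffer, which is why the PoC behaves differently depending on memory layout. With the new bound, `substr(start, end - start)` with end == size() is well-defined.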
diff --minimal -Nru openscad-2019.01~RC2/debian/patches/series openscad-2019.01~RC2/debian/patches/series
--- openscad-2019.01~RC2/debian/patches/series	2021-10-08 14:05:21.000000000 +0200
+++ openscad-2019.01~RC2/debian/patches/series	2022-06-22 22:06:20.000000000 +0200
@@ -8,3 +8,5 @@
 Make-sure-mainFilePath-is-absolute-from-the-start-of-pars.patch
 Use-an-absolute-path-for-OPENSCAD_FONT_PATH-in-testsuite.patch
 fix_stl_import.patch
+CVE-2022-0497.patch
+CVE-2022-0496.patch
