Bug#986328: unblock: lib3mf/1.8.1+ds-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package lib3mf

[ Reason ]
This is a targeted fix, a backport of the upstream fix for CVE-2021-21772, which
is a use-after-free on user-controlled input:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985092
https://github.com/3MFConsortium/lib3mf/issues/254

[ Impact ]
This is a published security bug in upstream lib3mf.

[ Tests ]
- We obtained a (non-published) .3mf that triggers the bug. I verified
  (with Valgrind) that opening this 3MF file triggers a use-after-free in
  lib3mf_1.8.1+ds-3.1 and that it does not in lib3mf_1.8.1+ds-4.
- Package `openscad', the main reverse dependency, has a comprehensive
  testsuite which passes with lib3mf_1.8.1+ds-4.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock lib3mf/1.8.1+ds-4
-- System Information:
Debian Release: 10.9
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.4.0-0.bpo.4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru lib3mf-1.8.1+ds/debian/changelog lib3mf-1.8.1+ds/debian/changelog
--- lib3mf-1.8.1+ds/debian/changelog 2020-12-06 02:27:21.000000000 +0100
+++ lib3mf-1.8.1+ds/debian/changelog 2021-04-01 21:25:54.000000000 +0200
@@ -1,3 +1,10 @@
+lib3mf (1.8.1+ds-4) unstable; urgency=medium
+
+ * Fix use-after-free (CVE-2021-21772), backporting fix from v2.1.1
+ (Closes: #985092)
+
+ -- Kristian Nielsen <knielsen@knielsen-hq.org> Thu, 01 Apr 2021 21:25:54 +0200
+
lib3mf (1.8.1+ds-3.1) unstable; urgency=medium
* Non-maintainer upload.
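Review bot: the changelog entry records the CVE id and the upstream version the fix was taken from, but not the upstream report that the unblock request itself cites (https://github.com/3MFConsortium/lib3mf/issues/254); adding that URL next to "backporting fix from v2.1.1" would let someone reading the changelog alone find the upstream discussion. The `lib3mf (1.8.1+ds-4) unstable; urgency=medium` header is consistent with the requested unblock target.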
diff -Nru lib3mf-1.8.1+ds/debian/control lib3mf-1.8.1+ds/debian/control
--- lib3mf-1.8.1+ds/debian/control 2019-01-20 18:32:34.000000000 +0100
+++ lib3mf-1.8.1+ds/debian/control 2021-04-01 21:25:54.000000000 +0200
@@ -2,6 +2,7 @@
Section: libs
Priority: optional
Maintainer: Torsten Paul <Torsten.Paul@gmx.de>
+Uploaders: Kristian Nielsen <knielsen@knielsen-hq.org>
Build-Depends: debhelper (>=12~), pkg-kde-tools, cmake, libzip-dev, zlib1g-dev, uuid-dev
Standards-Version: 4.3.0
Homepage: https://github.com/3MFConsortium/lib3mf
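Review bot: the `+Uploaders: Kristian Nielsen <knielsen@knielsen-hq.org>` line is the only change in the debdiff that is unrelated to the CVE-2021-21772 fix; for a freeze unblock it should either be mentioned in [ Reason ] as an intentional metadata change or be dropped so the diff stays strictly targeted. Nothing else in debian/control changes, which is consistent with the patch not needing any new build dependency.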
diff -Nru lib3mf-1.8.1+ds/debian/patches/fix_use_after_free.patch lib3mf-1.8.1+ds/debian/patches/fix_use_after_free.patch
--- lib3mf-1.8.1+ds/debian/patches/fix_use_after_free.patch 1970-01-01 01:00:00.000000000 +0100
+++ lib3mf-1.8.1+ds/debian/patches/fix_use_after_free.patch 2021-04-01 21:25:54.000000000 +0200
@@ -0,0 +1,76 @@
+From: Kristian Nielsen <knielsen@knielsen-hq.org>
+Date: Thu, 1 Apr 2021 21:28:00 +0100
+Subject: Remove unnecessary zip_source_close
+
+This patch fixes CVE-2021-21772, a use-after-free bug. It is a
+backport of the upstream fix in v2.1.1.
+
+Forwarded: not-needed
+---
+ Include/Common/OPC/NMR_OpcPackageReader.h | 1 -
+ Source/Common/OPC/NMR_OpcPackageReader.cpp | 16 ++++++----------
+ 2 files changed, 6 insertions(+), 11 deletions(-)
+
+--- a/Include/Common/OPC/NMR_OpcPackageReader.h
++++ b/Include/Common/OPC/NMR_OpcPackageReader.h
+@@ -54,7 +54,6 @@ namespace NMR {
+ std::vector<nfByte> m_Buffer;
+ zip_error_t m_ZIPError;
+ zip_t * m_ZIParchive;
+- zip_source_t * m_ZIPsource;
+ std::map <std::string, nfUint64> m_ZIPEntries;
+ std::map <std::string, POpcPackagePart> m_Parts;
+
+diff --git a/Source/Common/OPC/NMR_OpcPackageReader.cpp b/Source/Common/OPC/NMR_OpcPackageReader.cpp
+index 16dd2e8c..4f3a604d 100644
+--- a/Source/Common/OPC/NMR_OpcPackageReader.cpp
++++ b/Source/Common/OPC/NMR_OpcPackageReader.cpp
+@@ -111,7 +111,7 @@ namespace NMR {
+ m_ZIPError.sys_err = 0;
+ m_ZIPError.zip_err = 0;
+ m_ZIParchive = nullptr;
+- m_ZIPsource = nullptr;
++ zip_source_t* pZIPsource = nullptr;
+
+ try {
+ // determine stream size
+@@ -131,20 +131,20 @@ namespace NMR {
+ #endif
+ if (bUseCallback) {
+ // read ZIP from callback: faster and requires less memory
+- m_ZIPsource = zip_source_function_create(custom_zip_source_callback, pImportStream.get(), &m_ZIPError);
++ pZIPsource = zip_source_function_create(custom_zip_source_callback, pImportStream.get(), &m_ZIPError);
+ }
+ else {
+ // read ZIP into memory
+ m_Buffer.resize((size_t)nStreamSize);
+ pImportStream->readBuffer(&m_Buffer[0], nStreamSize, true);
+- m_ZIPsource = zip_source_buffer_create(&m_Buffer[0], (size_t)nStreamSize, 0, &m_ZIPError);
++ pZIPsource = zip_source_buffer_create(&m_Buffer[0], (size_t)nStreamSize, 0, &m_ZIPError);
+ }
+- if (m_ZIPsource == nullptr)
++ if (pZIPsource == nullptr)
+ throw CNMRException(NMR_ERROR_COULDNOTREADZIPFILE);
+
+- m_ZIParchive = zip_open_from_source(m_ZIPsource, ZIP_RDONLY | ZIP_CHECKCONS, &m_ZIPError);
++ m_ZIParchive = zip_open_from_source(pZIPsource, ZIP_RDONLY | ZIP_CHECKCONS, &m_ZIPError);
+ if (m_ZIParchive == nullptr) {
+- m_ZIParchive = zip_open_from_source(m_ZIPsource, ZIP_RDONLY, &m_ZIPError);
++ m_ZIParchive = zip_open_from_source(pZIPsource, ZIP_RDONLY, &m_ZIPError);
+ if (m_ZIParchive == nullptr)
+ throw CNMRException(NMR_ERROR_COULDNOTREADZIPFILE);
+ else
+@@ -208,13 +208,9 @@ namespace NMR {
+ if (m_ZIParchive != nullptr)
+ zip_close(m_ZIParchive);
+
+- if (m_ZIPsource != nullptr)
+- zip_source_close(m_ZIPsource);
+-
+ zip_error_fini(&m_ZIPError);
+ m_Buffer.resize(0);
+
+- m_ZIPsource = nullptr;
+ m_ZIParchive = nullptr;
+ }
+
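Review bot: the header `Subject: Remove unnecessary zip_source_close` understates why the removed call was a use-after-free: once `zip_open_from_source(pZIPsource, ...)` succeeds the archive owns the source and `zip_close(m_ZIParchive)` in the @@ -208,13 hunk releases it, so the old `zip_source_close(m_ZIPsource)` that followed ran on freed memory; a sentence stating that ownership transfer in the patch description would help the next maintainer judge the change. One remaining gap in the @@ -131,20 hunk: when both `zip_open_from_source` calls return NULL, `pZIPsource` is neither owned by an archive nor released before `throw CNMRException(NMR_ERROR_COULDNOTREADZIPFILE);`, and since libzip leaves a source with the caller when opening fails, a `zip_source_free(pZIPsource)` before that throw would avoid leaking it on malformed input (a leak, not a memory-safety issue, so fine to defer past the freeze). Two presentation points: the DEP-3 header has `Forwarded: not-needed` but no `Origin: backport, ...` line pointing at the upstream v2.1.1 change, and the NMR_OpcPackageReader.h section lacks the `diff --git`/`index` lines the .cpp section has, which suggests the two were assembled by hand and is worth normalising.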
diff -Nru lib3mf-1.8.1+ds/debian/patches/series lib3mf-1.8.1+ds/debian/patches/series
--- lib3mf-1.8.1+ds/debian/patches/series 2020-12-06 02:26:45.000000000 +0100
+++ lib3mf-1.8.1+ds/debian/patches/series 2021-04-01 21:07:16.000000000 +0200
@@ -1 +1,2 @@
link-z.patch
+fix_use_after_free.patch