
Bug#996023: buster-pu: package openscad/2019.01~RC2-2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]

This is a fix for two minor security issues in buster:

  https://security-tracker.debian.org/tracker/CVE-2020-28599
  https://security-tracker.debian.org/tracker/CVE-2020-28600

It was coordinated with the security team to take this through
buster-proposed-updates rather than handling it through the security team.

[ Impact ]

In theory the bug could allow arbitrary code execution from loading a
carefully crafted STL file into the desktop application openscad. OpenSCAD is
a script language/compiler for programmatically building 3D models, e.g. for
3D-printing purposes. STL is a file format for storing 3D model data. The
OpenSCAD language has functions for reading STL files. Thus exploiting this
bug would involve a user loading or writing an openscad script which
references the malicious STL file. That is not a very likely scenario, but on
the other hand it is probably still well within what is considered a security
issue nowadays.

[ Tests ]

The patch (from upstream) includes test cases for the bugs. I verified that
these tests fail without the fix, and that they pass with the fix. In
addition, openscad has a comprehensive test suite, all of which passes in
the fixed package.

[ Risks ]

The risk from this upload is low:

 - The fix only touches the STL import function. All other functionality in
   the program is unaffected.
 - The patch has received extensive testing in later upstream releases.
 - The fix is covered in an automatic test suite, all of which passes.

The addition of new tests in the upload is not strictly necessary to fix the
bug. It seems good to include them (to have higher confidence that the
backport of the fix actually works). But an alternative is to prepare a
smaller upload containing *just* the changes to the C++ source (and the
corresponding d/changelog entry).

[ Checklist ]

  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]

1. Fixes to the C++ source code import_stl() function to properly handle
invalid input files. This is a straight backport of the upstream fix.

2. Addition of three new tests to the automatic test suite, which test the
fix.
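The report does not describe the defects themselves, only that import_stl() now handles invalid input files properly, and that a crafted STL file was the attack vector. As an added illustration of what such input validation looks like (this is not OpenSCAD's code or the upstream patch), here is a small STL reader covering both layouts of the format: binary STL (80-byte header, a 32-bit little-endian triangle count, then 50 bytes per triangle) and ASCII STL (facet/vertex keywords). It checks the declared triangle count against the bytes actually present, refuses a fourth vertex per facet instead of indexing past a three-element array, and checks every numeric read. The type and function names and the sample inputs are constructed for this example; a little-endian host is assumed.

```cpp
// Added example, not OpenSCAD's code: an STL reader that validates input
// before trusting it, so a malformed file yields an error instead of
// memory corruption. Assumes a little-endian host for the binary layout.
#include <cstdint>
#include <cstring>
#include <sstream>
#include <string>
#include <vector>

struct Vec3 { float x, y, z; };
struct Triangle { Vec3 n; Vec3 v[3]; };

// Binary STL: 80-byte header, uint32 triangle count, 50 bytes per triangle
// (12 floats followed by a 2-byte attribute count).
bool parse_binary_stl(const std::vector<uint8_t>& buf, std::vector<Triangle>& out) {
    const size_t kHeader = 80, kCountField = 4, kRecord = 50;
    if (buf.size() < kHeader + kCountField) return false;   // no room for the count
    uint32_t declared = 0;
    std::memcpy(&declared, buf.data() + kHeader, sizeof declared);
    // Never trust the declared count: it must match the bytes actually present.
    const uint64_t body = buf.size() - kHeader - kCountField;
    if (static_cast<uint64_t>(declared) * kRecord != body) return false;
    out.clear();
    out.reserve(declared);
    const uint8_t* p = buf.data() + kHeader + kCountField;
    for (uint32_t i = 0; i < declared; ++i, p += kRecord) {
        float f[12];
        std::memcpy(f, p, sizeof f);   // normal + 3 vertices; attribute bytes ignored
        Triangle t;
        t.n = Vec3{f[0], f[1], f[2]};
        for (int k = 0; k < 3; ++k) t.v[k] = Vec3{f[3 + 3 * k], f[4 + 3 * k], f[5 + 3 * k]};
        out.push_back(t);
    }
    return true;
}

// ASCII STL: tokens are read with iostreams, so there is no fixed-size line
// buffer or unbounded %s to overrun, and every numeric read is checked.
bool parse_ascii_stl(const std::string& text, std::vector<Triangle>& out) {
    std::istringstream in(text);
    std::string line, tok, kw;
    Triangle cur = Triangle();
    int nverts = -1;  // -1 means "not inside a facet"
    out.clear();
    while (std::getline(in, line)) {
        std::istringstream ls(line);
        if (!(ls >> tok)) continue;  // blank line
        if (tok == "facet") {
            if (nverts != -1) return false;  // facet opened while another is open
            if (!(ls >> kw >> cur.n.x >> cur.n.y >> cur.n.z) || kw != "normal") return false;
            nverts = 0;
        } else if (tok == "vertex") {
            // A vertex outside a facet, or a fourth vertex, would index past v[3]:
            // reject the file rather than write out of bounds.
            if (nverts < 0 || nverts >= 3) return false;
            Vec3 v;
            if (!(ls >> v.x >> v.y >> v.z)) return false;  // non-numeric coordinate
            cur.v[nverts++] = v;
        } else if (tok == "endfacet") {
            if (nverts != 3) return false;  // fewer than three vertices
            out.push_back(cur);
            nverts = -1;
        }
        // "solid", "outer loop", "endloop" and "endsolid" carry no geometry.
    }
    return nverts == -1;  // a file that ends mid-facet is truncated
}

// Constructed sample inputs (not real files) and count helpers; -1 = rejected.
std::vector<uint8_t> make_binary_stl(uint32_t declared, uint32_t actual) {
    std::vector<uint8_t> buf(80, 0);                       // header
    for (int i = 0; i < 4; ++i) buf.push_back(static_cast<uint8_t>(declared >> (8 * i)));
    buf.resize(buf.size() + static_cast<size_t>(actual) * 50, 0);  // zeroed records
    return buf;
}
long binary_triangle_count(const std::vector<uint8_t>& buf) {
    std::vector<Triangle> t;
    return parse_binary_stl(buf, t) ? static_cast<long>(t.size()) : -1;
}
long ascii_triangle_count(const std::string& text) {
    std::vector<Triangle> t;
    return parse_ascii_stl(text, t) ? static_cast<long>(t.size()) : -1;
}
const char* const kGoodAscii =
    "solid cube\n facet normal 0 0 1\n  outer loop\n   vertex 0 0 0\n   vertex 1 0 0\n"
    "   vertex 0 1 0\n  endloop\n endfacet\nendsolid cube\n";
const char* const kFourVertices =
    "solid bad\n facet normal 0 0 1\n  outer loop\n   vertex 0 0 0\n   vertex 1 0 0\n"
    "   vertex 0 1 0\n   vertex 1 1 0\n  endloop\n endfacet\nendsolid bad\n";
```

The two checks that matter most for a file-format importer are visible here: the binary reader derives the triangle count from the file size rather than from the header alone, and the ASCII reader bounds the vertex index before storing into the fixed-size array. A file with a mismatched count, a fourth vertex, a non-numeric coordinate or a truncated final facet is rejected as a whole rather than partially loaded.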

[ Other info ]

The attached debdiff contains three binary files. These are part of the
additions to the test suite. They are images containing the expected
graphical output of the openscad program from the tests.

Attachment: buster_openscad_debdiff.txt
Description: Binary data