Bug#928477: librecad: denial-of-service CVE-2018-19105
Markus Koschany
apo at debian.org
Thu May 16 12:36:36 BST 2019
Control: tags -1 pending patch
On Sun, 5 May 2019 16:55:54 +0200 Markus Koschany <apo at debian.org> wrote:
> Package: librecad
> X-Debbugs-CC: team at security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for librecad.
>
> CVE-2018-19105[0]:
> | LibreCAD 2.1.3 allows remote attackers to cause a denial of service
> | (0x89C04589 write access violation and application crash) or possibly
> | have unspecified other impact via a crafted file.
Dear maintainer,
I have uploaded a new revision of librecad to fix CVE-2018-19105. I
intend to file an unblock request as well.
Regards,
Markus
-------------- next part --------------
diff -Nru librecad-2.1.3/debian/changelog librecad-2.1.3/debian/changelog
--- librecad-2.1.3/debian/changelog 2018-09-17 19:23:30.000000000 +0200
+++ librecad-2.1.3/debian/changelog 2019-05-16 13:11:05.000000000 +0200
@@ -1,3 +1,13 @@
+librecad (2.1.3-1.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2018-19105:
+ A vulnerability was found in LibreCAD, a computer-aided design system,
+ which could be exploited to crash the application or cause other
+ unspecified impact when opening a specially crafted file. (Closes: #928477)
+
+ -- Markus Koschany <apo at debian.org> Thu, 16 May 2019 13:11:05 +0200
+
librecad (2.1.3-1.1) unstable; urgency=medium
* Non-maintainer upload.
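Review bot: the new 2.1.3-1.2 entry describes the impact of CVE-2018-19105 but not what was changed to fix it. Naming debian/patches/CVE-2018-19105.patch in the entry, and noting that it is taken from the two upstream commits listed in the patch header, would let someone reading only the changelog locate the fix.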
diff -Nru librecad-2.1.3/debian/patches/CVE-2018-19105.patch librecad-2.1.3/debian/patches/CVE-2018-19105.patch
--- librecad-2.1.3/debian/patches/CVE-2018-19105.patch 1970-01-01 01:00:00.000000000 +0100
+++ librecad-2.1.3/debian/patches/CVE-2018-19105.patch 2019-05-16 13:11:05.000000000 +0200
@@ -0,0 +1,92 @@
+From: Markus Koschany <apo at debian.org>
+Date: Thu, 16 May 2019 13:08:48 +0200
+Subject: CVE-2018-19105
+
+Bug-Upstream: https://github.com/LibreCAD/LibreCAD/issues/1038
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928477
+Origin: https://github.com/LibreCAD/LibreCAD/commit/6da7cc5f7f31afb008f03dbd11e07207ccd82085
+Origin: https://github.com/LibreCAD/LibreCAD/commit/8604f171ee380f294102da6154adf77ab754d403
+---
+ libraries/libdxfrw/src/drw_header.cpp | 8 ++++++++
+ libraries/libdxfrw/src/libdxfrw.cpp | 29 +++++++++++++++++++++++------
+ 2 files changed, 31 insertions(+), 6 deletions(-)
+
+diff --git a/libraries/libdxfrw/src/drw_header.cpp b/libraries/libdxfrw/src/drw_header.cpp
+index 1e0530d..6465669 100644
+--- a/libraries/libdxfrw/src/drw_header.cpp
++++ b/libraries/libdxfrw/src/drw_header.cpp
+@@ -20,6 +20,7 @@ DRW_Header::DRW_Header() {
+ linetypeCtrl = layerCtrl = styleCtrl = dimstyleCtrl = appidCtrl = 0;
+ blockCtrl = viewCtrl = ucsCtrl = vportCtrl = vpEntHeaderCtrl = 0;
+ version = DRW::AC1021;
++ curr = NULL;
+ }
+
+ void DRW_Header::addComment(std::string c){
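Review bot: the guard added to parseCode depends on curr being NULL in every freshly constructed DRW_Header, and `curr = NULL;` is set only in the default constructor shown here. If the class has any other constructor or a copy path, it needs the same initialisation. A one-line comment saying that NULL means no header variable has been opened yet would tie this line to the check that relies on it.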
+@@ -29,6 +30,13 @@ void DRW_Header::addComment(std::string c){
+ }
+
+ void DRW_Header::parseCode(int code, dxfReader *reader){
++ if (NULL == curr && 9 != code) {
++ DRW_DBG("invalid header code: ");
++ DRW_DBG(code);
++ DRW_DBG("\n");
++ return;
++ }
++
+ switch (code) {
+ case 9:
+ curr = new DRW_Variant();
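Review bot: the new guard at the top of parseCode fails silently, because the function is void: a code other than 9 arriving while curr is NULL is reported only through DRW_DBG and the caller carries on with the next pair. The same patch makes processHeader return false on an unexpected 0 code, so consider having parseCode return bool and letting processHeader fail on it too, or add a comment stating that skipping the stray code is the intended recovery. A short comment that `case 9:` is where curr gets allocated would also explain why code 9 is exempt from the check.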
+diff --git a/libraries/libdxfrw/src/libdxfrw.cpp b/libraries/libdxfrw/src/libdxfrw.cpp
+index 60d6b74..03da2a6 100644
+--- a/libraries/libdxfrw/src/libdxfrw.cpp
++++ b/libraries/libdxfrw/src/libdxfrw.cpp
+@@ -1839,17 +1839,27 @@ bool dxfRW::processDxf() {
+ DRW_DBG(sectionstr); DRW_DBG(" processDxf\n");
+ //found section, process it
+ if (sectionstr == "HEADER") {
+- processHeader();
++ if (!processHeader()) {
++ return false;
++ }
+ } else if (sectionstr == "CLASSES") {
+ // processClasses();
+ } else if (sectionstr == "TABLES") {
+- processTables();
++ if (!processTables()) {
++ return false;
++ }
+ } else if (sectionstr == "BLOCKS") {
+- processBlocks();
++ if (!processBlocks()) {
++ return false;
++ }
+ } else if (sectionstr == "ENTITIES") {
+- processEntities(false);
++ if (!processEntities(false)) {
++ return false;
++ }
+ } else if (sectionstr == "OBJECTS") {
+- processObjects();
++ if (!processObjects()) {
++ return false;
++ }
+ }
+ }
+ }
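Review bot: returning false from each section branch aborts the read at the first malformed section, where the handlers' results were previously ignored and the loop went on, so callers of processDxf will now see failures they never saw from these paths. Worth confirming that the caller discards whatever earlier sections already delivered (processHeader calls iface->addHeader before returning true, for example) rather than keeping a half-loaded drawing. The CLASSES branch still has `// processClasses();` commented out, so that section stays unchecked either way.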
+@@ -1875,7 +1885,14 @@ bool dxfRW::processHeader() {
+ iface->addHeader(&header);
+ return true; //found ENDSEC terminate
+ }
+- } else header.parseCode(code, reader);
++ else {
++ DRW_DBG("unexpected 0 code in header!\n");
++ return false;
++ }
++ }
++ else {
++ header.parseCode(code, reader);
++ }
+ }
+ return true;
+ }
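Review bot: the final `return true;` at the end of processHeader is left as it was, so whichever path leaves the loop without reaching ENDSEC still reports success, while an unexpected 0 code now fails. If that path is a header that ends early, it probably deserves `return false` as well, in line with the new "unexpected 0 code in header!" branch. Minor style point: the added `}` followed by `else {` on its own line differs from the `} else if` form used in the processDxf hunk of the same file.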
diff -Nru librecad-2.1.3/debian/patches/series librecad-2.1.3/debian/patches/series
--- librecad-2.1.3/debian/patches/series 2018-09-17 19:23:29.000000000 +0200
+++ librecad-2.1.3/debian/patches/series 2019-05-16 13:11:05.000000000 +0200
@@ -1,3 +1,4 @@
debian_build.patch
librecad-desktop.pach
0001-fix-build-with-Qt-5.11.patch
+CVE-2018-19105.patch