Bug#1010349: closed by Sylvain Beucler <beuc at beuc.net> (Re: librecad: CVE-2021-21897 - heap-based buffer overflow loading a DXF file via embedded dxflib)
Salvatore Bonaccorso
carnil at debian.org
Wed Aug 3 18:36:31 BST 2022
Hey all,
On Wed, Aug 03, 2022 at 03:51:03PM +0000, Debian Bug Tracking System wrote:
> On Sat, 28 May 2022 18:36:29 +0200 Sylvain Beucler <beuc at beuc.net> wrote:
> > It appears librecad is not affected (all dists):
> >
> > - the package uses system dxflib, cf. debian/patches/debian_build.patch
> >
> > - while there appears to be similar vulnerable code in
> > libraries/jwwlib/src/dl_jww-copy.cpp (grep for 'groupCode==42'), this
> > particular file is not used in the build process AFAICT
> >
> > Can you confirm and update the security tracker accordingly?
>
> I marked CVE-2021-21897 as <not-affected> in the security tracker and I'm
> closing this bug.
Actually I believe this should be either:
- kept unfixed, as the source is affected but mark it as (unimportant)
as it has no relevance for the binary packages built
- drop the entry completely (see previous examples committed by jmm on
that matter when the embedded source had no security impact at all to
the source package mentioned).
Regards,
Salvatore