Bug#1010349: closed by Sylvain Beucler <beuc at beuc.net> (Re: librecad: CVE-2021-21897 - heap-based buffer overflow loading a DXF file via embedded dxflib)

Salvatore Bonaccorso carnil at debian.org
Wed Aug 3 18:36:31 BST 2022


Hey all,

On Wed, Aug 03, 2022 at 03:51:03PM +0000, Debian Bug Tracking System wrote:
> On Sat, 28 May 2022 18:36:29 +0200 Sylvain Beucler <beuc at beuc.net> wrote:
> > It appears librecad is not affected (all dists):
> > 
> > - the package uses system dxflib, cf. debian/patches/debian_build.patch
> > 
> > - while there appears to be similar vulnerable code in
> > libraries/jwwlib/src/dl_jww-copy.cpp (grep for 'groupCode==42'), this
> > particular file is not used in the build process AFAICT
> > 
> > Can you confirm and update the security tracker accordingly?
> 
> I marked CVE-2021-21897 as <not-affected> in the security tracker and I'm
> closing this bug.

Actually I believe this should be either:

- kept unfixed, as the source is affected but mark it as (unimportant)
  as it has no relevance for the binary packages built
- drop the entry completely (see previous examples committed by jmm on
  that matter when the embedded source had no security impact at all to
  the source package mentioned).

Regards,
Salvatore
