Bug 2080983 (CVE-2021-21897)

Summary: CVE-2021-21897 libdxflib: heap-based buffer overflow in the DL_Dxf::handleLWPolylineData function
Product: Other (Security Response)
Component: vulnerability
Status: CLOSED UPSTREAM
Severity: high
Priority: high
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Marian Rehak <mrehak>
Assignee: Red Hat Product Security <security-response-team>
CC: code, hobbes1069, mhroncok, samuel.rakitnican, spotrh
Target Milestone: ---
Target Release: ---
Last Closed: 2022-05-02 18:15:02 UTC
Bug Depends On: 2080988, 2080984, 2080985, 2080986, 2080987
Bug Blocks: (none)

Description Marian Rehak 2022-05-02 14:11:56 UTC
A code execution vulnerability exists in the DL_Dxf::handleLWPolylineData functionality of Ribbonsoft dxflib 3.17.0. A specially-crafted .dxf file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

Reference:

https://talosintelligence.com/vulnerability_reports/TALOS-2021-1346

Comment 1 Marian Rehak 2022-05-02 14:12:23 UTC
Created cloudcompare tracking bugs for this issue:

Affects: fedora-all [bug 2080986]


Created libdxflib tracking bugs for this issue:

Affects: epel-7 [bug 2080985]
Affects: fedora-all [bug 2080984]


Created librecad tracking bugs for this issue:

Affects: epel-all [bug 2080988]
Affects: fedora-all [bug 2080987]

Comment 2 Ben Beasley 2022-05-02 14:55:23 UTC
This one is a little annoying because the linked disclosure reports the issue is fixed:

> 2021-08-04 - Vendor Disclosure
> 2021-08-21 - Follow up with vendor
> 2021-08-27 - Vendor patched
> 
> 2021-09-07 - Public Release

but does not give a dxflib version number containing the fix nor a link to the relevant patch. Looking at the commit history of src/3rdparty/dxflib/src/dl_dxf.cpp, comparing commit messages against the disclosure description, and cross-checking dates, it appears that https://github.com/qcad/qcad/commit/1eeffc5daf5a06cf6213ffc19e95923cdebb2eb8 is the fix. This commit is included in dxflib v3.26.4.6 and later.

Inspection of the source contents shows that the fix from that commit is already in the 3.26.4 release as packaged in the libdxflib package in all Fedora and EPEL releases except F36—where it is available in testing, but is held up by the Final Freeze.

Comment 3 Product Security DevOps Team 2022-05-02 18:15:00 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.