Bug 2468014

Summary: CVE-2023-47268 prusa-slicer: PrusaSlicer: Arbitrary code execution via crafted 3mf project file [fedora-all]
Product: [Fedora] Fedora Reporter: Keith Grant <kgrant>
Component: prusa-slicerAssignee: Jan Pazdziora <adelton>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: rawhideCC: adelton, jstanek, j, laurent.rineau__fedora, mhroncok, spotrh
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: {"flaws": ["f6d6cbe4-4099-4343-b6ce-826bae9daa92"]}
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2026-05-20 12:30:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2467952    

Description Keith Grant 2026-05-08 11:52:53 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 Jan Pazdziora 2026-05-09 05:14:50 UTC
Per https://nvd.nist.gov/vuln/detail/CVE-2023-47268,

> In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6.1, a crafted 3mf project file can execute arbitrary code on a host where the project is sliced and G-code exported.

Interestingly, https://access.redhat.com/security/cve/cve-2023-47268 does not have information about which versions might be vulnerable.

Searching around, https://github.com/prusa3d/PrusaSlicer/commit/3f3a3dd190b7b7b6c0fd84a45e2c71236c3460b2 which went into version_2.7.0-alpha1 adds the notification about the post-processing code which I assume is enough as a mitigation of the exploit. So I take it that indeed, prusa-slicer 2.7.0+ is not vulnerable.

Comment 2 Jan Pazdziora 2026-05-09 05:18:53 UTC
Further looking at https://dl.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/os/Packages/p/, Fedora 42 release kicked off with prusa-slicer-2.9.0-5.fc42.

So it is my belief that none of the currently supported Fedora versions has the problem.

Given the findings above, is it OK to close this bugzilla as NOTABUG, or is anything else needed?

Comment 3 Jan Pazdziora 2026-05-20 12:30:05 UTC
Sadly no response to my needinfo, I shall resolve as proposed above.

Comment 4 Keith Grant 2026-05-20 13:31:04 UTC
Hi Jan, apologies for missing the needinfo on this. Yes, closing this notabug is fine if the affected versions weren't shipped to customers.

Comment 5 Jan Pazdziora 2026-05-20 13:52:12 UTC
Well, Fedora does not have customers, Fedora users don't have any contract with Red Hat and don't pay for Fedora.

Affected versions were part of previous Fedora versions, so if users did not upgrade to Fedora 42+ or did not upgrade their prusa-slicer package for any reason, they might have installation with the unmitigated vulnerability.

However, we have no release vehicle to get any fix to Fedora 41-.