Bug 2468014
| Summary: | CVE-2023-47268 prusa-slicer: PrusaSlicer: Arbitrary code execution via crafted 3mf project file [fedora-all] | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Keith Grant <kgrant> |
| Component: | prusa-slicer | Assignee: | Jan Pazdziora <adelton> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | rawhide | CC: | adelton, jstanek, j, laurent.rineau__fedora, mhroncok, spotrh |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | {"flaws": ["f6d6cbe4-4099-4343-b6ce-826bae9daa92"]} | ||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2026-05-20 12:30:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2467952 | ||
|
Description
Keith Grant
2026-05-08 11:52:53 UTC
Per https://nvd.nist.gov/vuln/detail/CVE-2023-47268, > In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6.1, a crafted 3mf project file can execute arbitrary code on a host where the project is sliced and G-code exported. Interestingly, https://access.redhat.com/security/cve/cve-2023-47268 does not have information about which versions might be vulnerable. Searching around, https://github.com/prusa3d/PrusaSlicer/commit/3f3a3dd190b7b7b6c0fd84a45e2c71236c3460b2 which went into version_2.7.0-alpha1 adds the notification about the post-processing code which I assume is enough as a mitigation of the exploit. So I take it that indeed, prusa-slicer 2.7.0+ is not vulnerable. Further looking at https://dl.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/os/Packages/p/, Fedora 42 release kicked off with prusa-slicer-2.9.0-5.fc42. So it is my belief that none of the currently supported Fedora versions has the problem. Given the findings above, is it OK to close this bugzilla as NOTABUG, or is anything else needed? Sadly no response to my needinfo, I shall resolve as proposed above. Hi Jan, apologies for missing the needinfo on this. Yes, closing this notabug is fine if the affected versions weren't shipped to customers. Well, Fedora does not have customers, Fedora users don't have any contract with Red Hat and don't pay for Fedora. Affected versions were part of previous Fedora versions, so if users did not upgrade to Fedora 42+ or did not upgrade their prusa-slicer package for any reason, they might have installation with the unmitigated vulnerability. However, we have no release vehicle to get any fix to Fedora 41-. |