Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Per https://nvd.nist.gov/vuln/detail/CVE-2023-47268:
> In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6.1, a crafted 3mf project file can execute arbitrary code on a host where the project is sliced and G-code exported.
Interestingly, https://access.redhat.com/security/cve/cve-2023-47268 does not have information about which versions might be vulnerable. Searching around, https://github.com/prusa3d/PrusaSlicer/commit/3f3a3dd190b7b7b6c0fd84a45e2c71236c3460b2, which went into version_2.7.0-alpha1, adds the notification about the post-processing code, which I assume is enough as a mitigation of the exploit. So I take it that indeed, prusa-slicer 2.7.0+ is not vulnerable.
Further looking at https://dl.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/os/Packages/p/, Fedora 42 release kicked off with prusa-slicer-2.9.0-5.fc42. So it is my belief that none of the currently supported Fedora versions has the problem. Given the findings above, is it OK to close this bugzilla as NOTABUG, or is anything else needed?
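Since the 2.7.0 change discussed above only notifies the user about an embedded post-processing command rather than refusing it, a maintainer or user triaging a shared project may want to see whether a 3mf carries such a command before opening it at all. The script below is an added example, not code from this bug report or from PrusaSlicer; it assumes that PrusaSlicer stores the print settings inside the 3mf zip as the member Metadata/Slic3r_PE.config, written as `; key = value` lines, with the post-processing command under the key post_process. The two sample projects are constructed in the script itself so it runs offline.

```python
"""
Scan a PrusaSlicer-style 3mf project for an embedded post-processing command.
Added example, not part of the bug report or of PrusaSlicer itself.
Assumption: settings live in the zip member Metadata/Slic3r_PE.config as
lines of the form '; key = value', and the command is stored as post_process.
"""
import io
import re
import zipfile

CONFIG_MEMBER = "Metadata/Slic3r_PE.config"  # assumed location of the embedded config
CONFIG_LINE = re.compile(r"^;\s*([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_config(text):
    """Parse '; key = value' lines into a dict; a later key overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        m = CONFIG_LINE.match(line.strip())
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def find_post_process(data):
    """Return the post_process value found in a 3mf blob.

    '' means the member is absent or the key is empty; None means the blob is
    not a zip archive at all (so it cannot be a 3mf project).
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None
    with zf:
        if CONFIG_MEMBER not in zf.namelist():
            return ""
        cfg = parse_config(zf.read(CONFIG_MEMBER).decode("utf-8", "replace"))
        # PrusaSlicer wraps the value in double quotes; strip them for reporting.
        return cfg.get("post_process", "").strip('"')


def build_3mf(config_lines):
    """Build a minimal constructed zip that only carries the config member (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CONFIG_MEMBER, "\n".join(config_lines) + "\n")
    return buf.getvalue()


# Constructed samples: a benign project and one carrying a post-processing command.
BENIGN = build_3mf(["; generated by PrusaSlicer", "; layer_height = 0.2", '; post_process = ""'])
SUSPICIOUS = build_3mf(["; layer_height = 0.2", '; post_process = "/tmp/run-me.sh"'])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, repr(find_post_process(blob)))
```

To check a real file, read it into bytes and pass it to find_post_process; any non-empty result is a command that slicing and exporting G-code would run, regardless of whether the installed version shows the notification.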
Sadly no response to my needinfo, I shall resolve as proposed above.
Hi Jan, apologies for missing the needinfo on this. Yes, closing this as NOTABUG is fine if the affected versions weren't shipped to customers.
Well, Fedora does not have customers; Fedora users don't have any contract with Red Hat and don't pay for Fedora. Affected versions were part of previous Fedora versions, so if users did not upgrade to Fedora 42+ or did not upgrade their prusa-slicer package for any reason, they might have an installation with the unmitigated vulnerability. However, we have no release vehicle to get any fix to Fedora 41 and earlier.