openSUSE Security Update: Security update for libdxfrw, librecad ______________________________________________________________________________ Announcement ID: openSUSE-SU-2022:0067-1 Rating: important References: #1192936 #1192937 #1192938 Cross-References: CVE-2021-21898 CVE-2021-21899 CVE-2021-21900 CVSS scores: CVE-2021-21898 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-21899 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-21900 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Affected Products: openSUSE Backports SLE-15-SP3 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for libdxfrw, librecad fixes the following issues: - Update to version 1.0.1+git.20220109: * fixed ambiguous error for DRW_Dimension::parseDwg() * fixed enless while()-loop for pre 2004 versions * dwgReader::readDwgObjects() stop reading after 1st error * dwgReader::readDwgEntities() stop reading after 1st error * replace ENTRY_PARSE macro with template method * remove unused DRW_Class::parseCode() method * protect vector.reserve() calls * Added NULL check for hatch code 93 * Fix bounds check in DRW_LWPolyline * fix, check maxClassNum for valid value * fixed wrong 2010+ check for 64-bit size * Set compiler warnings on by default, because makes harder for bugs to go undetected. modified: CMakeLists.txt * Fixed fall through and other warnings (#54) * fix “Vertex ID” printout - Update to version 1.0.1+git.20211110: * fixed heap use after free vulnerability CVE-2021-21900 (boo#1192938) * minor improvements to dwg2dxf, formatting and message output on success * fixed heap buffer overflow vulnerability CVE-2021-21899 (boo#1192937) * dwg2dxf - enable debug output of libdxfrw by command line switch * fixed out-of-bounds write vulnerability CVE-2021-21898 (boo#1192936) * fixed please note section formatting * updated README.md for LibreCAD_3 branch and sf.net successor * fixed LibreCAD 2 issue #1371, read failed with binary DXF * Use ununordered_map instead of map * manual merge changes from LibreCAD2 * and much more - Update to version 1.0.1+git.20200429: * Fix includes install dir * Export target as libdxfrw::libdxfrw to keep consistency with Conan packages * Add archive destination in install * Install DXFRW::dxfrw target * Remove duplicate target properties * Remove version from pkg-config file * Let CMake handle C++11 compiler definition * Change minimal required CMake version to 3.0 * cmake: add doc target * README.md: fix typo * cmake: generate and install pkgconfig * cmake: add one for dwg2dxf * cmake: set library VERSIONs * cmake: use GNUInstallDirs - Update to version 0.6.3+git.20190501: * Add build status and update example link * Add Travis-CI script * #10] Fix compilation on GCC * Fix bugs with .dwg import of TEXT and MTEXT entities * This was unnecessary * Link libdxfrw against libstdc++ * Return an error when the file ends prematurely * Add version getter * Fix polyline 2d/3d write * Initialize return buffers in GetRawChar8 et al. - update to 2.2.0-rc3 * major release * DWG imports are more reliable now * and a lot more of bugfixes and improvements Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or “zypper patch”. Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP3: zypper in -t patch openSUSE-2022-67=1 Package List: - openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64): libdxfrw-devel-1.0.1+git.20220109-bp153.2.3.1 libdxfrw-tools-1.0.1+git.20220109-bp153.2.3.1 libdxfrw1-1.0.1+git.20220109-bp153.2.3.1 - openSUSE Backports SLE-15-SP3 (aarch64 ppc64le s390x x86_64): librecad-2.2.0~rc3-bp153.2.3.1 librecad-debuginfo-2.2.0~rc3-bp153.2.3.1 librecad-debugsource-2.2.0~rc3-bp153.2.3.1 - openSUSE Backports SLE-15-SP3 (noarch): librecad-parts-2.2.0~rc3-bp153.2.3.1 References: https://www.suse.com/security/cve/CVE-2021-21898.html https://www.suse.com/security/cve/CVE-2021-21899.html https://www.suse.com/security/cve/CVE-2021-21900.html https://bugzilla.suse.com/1192936 https://bugzilla.suse.com/1192937 https://bugzilla.suse.com/1192938