Hi Helmut,

On Thu, Jun 23, 2022 at 8:33 PM Helmut Grohne <hel...@subdivi.de> wrote:
> I've been looking into updating openscad in buster to fix CVE-2022-0496
> and CVE-2022-0497. They're already fixed in bullseye and later. They are
> input sanitization issues and CVE-2022-0496 needed a little porting of
> the patch. I verified that the provided PoCs for CVE-2022-0496 do
> trigger in an asan/ubsan build and no longer trigger after applying the
> patch. The provided PoC for CVE-2022-0497 did not trigger in an
> asan/ubsan build, but the fix is quite obvious and the PoC looks quite
> sensitive to the memory layout, so that's unsurprising. Beyond the
> build-time test suite, autopkgtests also pass.
>
> Given the buster -> LTS transition, I'm unsure where to upload this to.
> Adam's mail seems to indicate that it's late for the point release.

It should go to buster p-u if you really want to fix it but it doesn't
warrant a separate stretch or LTS upload because this is marked as
"unimportant". It's really a crash in the CLI tool so no security impact
that way. The security team has triaged this.

Let me know if you have any further questions.

- u