diff -Nru openscad-2019.01~RC2/debian/changelog openscad-2019.01~RC2/debian/changelog
--- openscad-2019.01~RC2/debian/changelog 2019-02-27 18:13:00.000000000 +0100
+++ openscad-2019.01~RC2/debian/changelog 2021-10-08 14:05:21.000000000 +0200
@@ -1,3 +1,10 @@
+openscad (2019.01~RC2-2+deb10u1) buster; urgency=medium
+
+ * Fix buffer overflows in STL parser (CVE-2020-28599 and
+ CVE-2020-28600) (Closes: #996020).
+
+ -- Kristian Nielsen Fri, 08 Oct 2021 14:05:21 +0200
+
 openscad (2019.01~RC2-2) unstable; urgency=medium
 
 * Update build-dependency for renamed libqscintilla2-qt5-dev
diff -Nru openscad-2019.01~RC2/debian/patches/fix_stl_import.patch openscad-2019.01~RC2/debian/patches/fix_stl_import.patch
--- openscad-2019.01~RC2/debian/patches/fix_stl_import.patch 1970-01-01 01:00:00.000000000 +0100
+++ openscad-2019.01~RC2/debian/patches/fix_stl_import.patch 2021-10-08 14:05:21.000000000 +0200
@@ -0,0 +1,330 @@
+From: Kristian Nielsen
+Date: Fri, 8 Oct 2021 14:00:22 +0200
+Subject: Fix buffer overflow in stl parser
+
+This patch fixes CVE-2020-28599 and CVE-2020-28600, both buffer
+overflows in the STL parser. It is a backport of the upstream fix.
+
+Forwarded: not-needed
+---
+
+Index: openscad-2019.01~RC2/testdata/scad/stl/stl-import-invalidvertex.scad
+===================================================================
+--- /dev/null
++++ openscad-2019.01~RC2/testdata/scad/stl/stl-import-invalidvertex.scad
+@@ -0,0 +1 @@
++import("../../stl/invalidvertex.stl");
+Index: openscad-2019.01~RC2/testdata/scad/stl/stl-import-toomanyvertices.scad
+===================================================================
+--- /dev/null
++++ openscad-2019.01~RC2/testdata/scad/stl/stl-import-toomanyvertices.scad
+@@ -0,0 +1 @@
++import("../../stl/toomanyvertices.stl");
+Index: openscad-2019.01~RC2/testdata/scad/stl/stl-import-unparseable.scad
+===================================================================
+--- /dev/null
++++ openscad-2019.01~RC2/testdata/scad/stl/stl-import-unparseable.scad
+@@ -0,0 +1 @@
++import("../../stl/unparsable.stl");
+Index: openscad-2019.01~RC2/testdata/stl/invalidvertex.stl
+===================================================================
+--- /dev/null
++++ openscad-2019.01~RC2/testdata/stl/invalidvertex.stl
+@@ -0,0 +1,100 @@
++solid OpenSCAD_Model
++ facet normal -0 0 1
++ outer loop
++ vertex 0 10 10
++ vertex 10 0 10
++ vertex 10 10 10
++ endloop
++ endfacet
++ facet normal 0 0 1
++ outer loop
++ vertex 10 0 10
++ vertex 0 10 10
++ vertex 0 0 10
++ endloop
++ endfacet
++ facet normal 0 0 -1
++ outer loop
++ vertex 0 0 0
++ vertex 10 10 0
++ vertex 10 0 0
++ endloop
++ endfacet
++ facet normal -0 0 -1
++ outer loop
++ vertex 10 10 0
++ vertex 0 0 0
++ vertex 0 10 0
++ endloop
++ endfacet
++ facet normal 0 -1 0
++ outer loop
++ vertex 0 0 0
++ vertex 10 0 10
++ vertex 0 0 10
++ endloop
++ endfacet
++ facet normal 0 -1 -0
++ outer 
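Review bot: `stl-import-unparseable.scad` imports `../../stl/unparsable.stl`, but the fixture this patch adds is `testdata/stl/unparseable.stl`, so as written the test appears to open a file that does not exist rather than the malformed STL. The CMake comment says the expected result is an empty image, and a missing file presumably renders empty as well, so the mismatch can pass unnoticed while leaving that parser path unexercised. The import line should read `import("../../stl/unparseable.stl");`, or the fixture should be renamed to match.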
loop
++ vertex 10 0 10
++ vertex 0 0 0
++ vertex 10 0 0
++ endloop
++ endfacet
++ facet normal 1 -0 0
++ outer loop
++ vertex 10 0 10
++ vertex 10 10 0
++ vertex 10 10 10
++ endloop
++ endfacet
++ facet normal 1 0 0
++ outer loop
++ vertex 10 10 0
++ vertex 10 0 10
++ vertex 10 0 0
++ endloop
++ endfacet
++ facet normal 0 1 -0
++ outer loop
++ vertex 10 10 0
++ vertex 0 10 10
++ vertex 10 10 10
++ endloop
++ endfacet
++ facet normal 0 1 0
++ outer loop
++ vertex 0 10 10
++ vertex 10 10 0
++ vertex 0 10 0
++ endloop
++ endfacet
++ facet normal -1 0 0
++ outer loop
++ vertex 0 0 0
++ vertex 0 10 10
++ vertex 0 10 0
++ endloop
++ endfacet
++ facet normal -1 -0 0
++ outer loop
++ vertex 0 10 10
++ vertex 0 0 0
++ vertex 0 0 10
++ endloop
++ endfacet
++ facet normal -1 -0 0
++ outer loop
++ vertex 0 10 10
++ vertex 0 0 blah
++ vertex 0 0 10
++ endloop
++ endfacet
++ facet normal -1 -0 0
++ outer loop
++ vertex 0 10 10
++ vertex 0 0 0
++ vertex 0 0 10
++ endloop
++ endfacet
++endsolid OpenSCAD_Model
+Index: openscad-2019.01~RC2/testdata/stl/toomanyvertices.stl
+===================================================================
+--- /dev/null
++++ openscad-2019.01~RC2/testdata/stl/toomanyvertices.stl
+@@ -0,0 +1,94 @@
++solid OpenSCAD_Model
++ facet normal -0 0 1
++ outer loop
++ vertex 0 10 10
++ vertex 10 0 10
++ vertex 10 10 10
++ endloop
++ endfacet
++ facet normal 0 0 1
++ outer loop
++ vertex 10 0 10
++ vertex 0 10 10
++ vertex 0 0 10
++ endloop
++ endfacet
++ facet normal 0 0 -1
++ outer loop
++ vertex 0 0 0
++ vertex 10 10 0
++ vertex 10 0 0
++ endloop
++ endfacet
++ facet normal -0 0 -1
++ outer loop
++ vertex 10 10 0
++ vertex 0 0 0
++ vertex 0 10 0
++ endloop
++ endfacet
++ facet normal 0 -1 0
++ outer loop
++ vertex 0 0 0
++ vertex 10 0 10
++ vertex 0 0 10
++ endloop
++ endfacet
++ facet normal 0 -1 -0
++ outer loop
++ vertex 10 0 10
++ vertex 0 0 0
++ vertex 10 0 0
++ endloop
++ endfacet
++ facet normal 1 -0 0
++ outer loop
++ vertex 10 0 10
++ vertex 10 10 
0
++ vertex 10 10 10
++ endloop
++ endfacet
++ facet normal 1 0 0
++ outer loop
++ vertex 10 10 0
++ vertex 10 0 10
++ vertex 10 0 0
++ endloop
++ endfacet
++ facet normal 0 1 -0
++ outer loop
++ vertex 10 10 0
++ vertex 0 10 10
++ vertex 10 10 10
++ endloop
++ endfacet
++ facet normal 0 1 0
++ outer loop
++ vertex 0 10 10
++ vertex 10 10 0
++ vertex 0 10 0
++ endloop
++ endfacet
++ facet normal -1 0 0
++ outer loop
++ vertex 0 0 0
++ vertex 0 10 10
++ vertex 0 10 0
++ endloop
++ endfacet
++ facet normal -1 -0 0
++ outer loop
++ vertex 0 10 10
++ vertex 0 0 0
++ vertex 0 0 10
++ endloop
++ endfacet
++ facet normal -1 -0 0
++ outer loop
++ vertex 0 10 10
++ vertex 0 0 0
++ vertex 0 0 10
++ vertex 0 0 10
++ endloop
++ endfacet
++endsolid OpenSCAD_Model
+Index: openscad-2019.01~RC2/testdata/stl/unparseable.stl
+===================================================================
+--- /dev/null
++++ openscad-2019.01~RC2/testdata/stl/unparseable.stl
+@@ -0,0 +1,9 @@
++solid STL generated by MeshLab
++ facet normal 0.000000e+00 1.000000e+00 0.000000e+00
++ outer loop
++ vertex 2.000000e+0  2.000000e+01 2.000000e+01
++ vertex 2.000000e+01 2.000000e+01 0.000000e+00
++ vertex 0.000000e+00 2.000000e+01 0.000000e+00
++ endloop foo
++ endfacet bar
++endsolid some blah blah
+Index: openscad-2019.01~RC2/tests/CMakeLists.txt
+===================================================================
+--- openscad-2019.01~RC2.orig/tests/CMakeLists.txt
++++ openscad-2019.01~RC2/tests/CMakeLists.txt
+@@ -1073,10 +1071,18 @@ list(APPEND CGALPNGTEST_3D_FILES ${CMAKE
+ ${CMAKE_SOURCE_DIR}/../testdata/scad/misc/preview_variable.scad
+ )
+
++# test importing unparseable files, result will be an empty image
++list(APPEND STL_IMPORT_FILES
++ ${CMAKE_CURRENT_SOURCE_DIR}/../testdata/scad/stl/stl-import-invalidvertex.scad
++ ${CMAKE_CURRENT_SOURCE_DIR}/../testdata/scad/stl/stl-import-toomanyvertices.scad
++ ${CMAKE_CURRENT_SOURCE_DIR}/../testdata/scad/stl/stl-import-unparseable.scad
++ )
++
+ 
list(APPEND CGALPNGTEST_FILES ${CGALPNGTEST_2D_FILES} ${CGALPNGTEST_3D_FILES})
+ list(APPEND OPENCSGTEST_FILES ${CGALPNGTEST_FILES})
+ list(APPEND OPENCSGTEST_FILES ${CMAKE_SOURCE_DIR}/../testdata/scad/bugs/intersection-prune-test.scad)
+ list(APPEND THROWNTOGETHERTEST_FILES ${OPENCSGTEST_FILES})
++list(APPEND OPENCSGTEST_FILES ${STL_IMPORT_FILES})
+
+ list(APPEND CGALSTLSANITYTEST_FILES ${CMAKE_SOURCE_DIR}/../testdata/scad/misc/normal-nan.scad)
+
+Index: openscad-2019.01~RC2/src/import_stl.cc
+===================================================================
+--- openscad-2019.01~RC2.orig/src/import_stl.cc
++++ openscad-2019.01~RC2/src/import_stl.cc
+@@ -88,12 +88,17 @@ PolySet *import_stl(const std::string &f
+ f.read(data, 5);
+ if (!binary && !f.eof() && f.good() && !memcmp(data, "solid", 5)) {
+ int i = 0;
++ int lineno = 1;
+ double vdata[3][3];
+ std::string line;
+ std::getline(f, line);
+ while (!f.eof()) {
++ lineno++;
+ std::getline(f, line);
+ boost::trim(line);
++ if (line.length() == 0) {
++ continue;
++ }
+ if (boost::regex_search(line, ex_sfe)) {
+ continue;
+ }
+@@ -101,23 +106,27 @@ PolySet *import_stl(const std::string &f
+ i = 0;
+ continue;
+ }
++ if (i >= 3) {
++ PRINTB("ERROR: STL line %d, extra vertex line '%s' importing file '%s'", lineno % line % filename);
++ delete p;
++ return new PolySet(3);
++ }
+ boost::smatch results;
+ if (boost::regex_search(line, results, ex_vertices)) {
+ try {
+ for (int v=0;v<3;v++) {
+ vdata[i][v] = boost::lexical_cast(results[v+1]);
+ }
+- }
+- catch (const boost::bad_lexical_cast &blc) {
+- PRINTB("WARNING: Can't parse vertex line '%s', import() at line %d", line % loc.firstLine());
+- i = 10;
+- continue;
+- }
+- if (++i == 3) {
+- p->append_poly();
+- p->append_vertex(vdata[0][0], vdata[0][1], vdata[0][2]);
+- p->append_vertex(vdata[1][0], vdata[1][1], vdata[1][2]);
+- p->append_vertex(vdata[2][0], vdata[2][1], vdata[2][2]);
++ if (++i == 3) {
++ p->append_poly();
++ p->append_vertex(vdata[0][0], 
vdata[0][1], vdata[0][2]);
++ p->append_vertex(vdata[1][0], vdata[1][1], vdata[1][2]);
++ p->append_vertex(vdata[2][0], vdata[2][1], vdata[2][2]);
++ }
++ } catch (const boost::bad_lexical_cast& blc) {
++ PRINTB("ERROR: STL line %d, can't parse vertex line '%s' importing file '%s'", lineno % line % filename);
++ delete p;
++ return new PolySet(3);
+ }
+ }
+ }
diff -Nru openscad-2019.01~RC2/debian/patches/series openscad-2019.01~RC2/debian/patches/series
--- openscad-2019.01~RC2/debian/patches/series 2019-02-26 22:56:44.000000000 +0100
+++ openscad-2019.01~RC2/debian/patches/series 2021-10-08 14:05:21.000000000 +0200
@@ -7,3 +7,4 @@
 Use_python3.patch
 Make-sure-mainFilePath-is-absolute-from-the-start-of-pars.patch
 Use-an-absolute-path-for-OPENSCAD_FONT_PATH-in-testsuite.patch
+fix_stl_import.patch
diff -Nru openscad-2019.01~RC2/debian/source/include-binaries openscad-2019.01~RC2/debian/source/include-binaries
--- openscad-2019.01~RC2/debian/source/include-binaries 1970-01-01 01:00:00.000000000 +0100
+++ openscad-2019.01~RC2/debian/source/include-binaries 2021-10-08 14:05:21.000000000 +0200
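Review bot: The new `if (i >= 3)` guard in import_stl.cc sits before the `ex_vertices` match, so once a triangle is complete any line that the earlier `continue` branches do not consume aborts the import with an "extra vertex line" error, whereas the same line is silently skipped while `i < 3` because the `ex_vertices` test has no else branch. Moving the guard inside the `if (boost::regex_search(line, results, ex_vertices))` branch, directly before the `try`, keeps the bounds protection for the `vdata[i][v]` write and makes the message accurate. A short comment such as `// vdata holds exactly 3 vertices; i must be < 3 before the write below` would tie the literal to `double vdata[3][3]`, which is declared in the previous hunk. The body of import_stl starts and ends outside both hunks and the regex definitions are not visible here, so which lines actually reach the guard is inferred.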
@@ -0,0 +1,3 @@
+tests/regression/opencsgtest/stl-import-invalidvertex-expected.png
+tests/regression/opencsgtest/stl-import-toomanyvertices-expected.png
+tests/regression/opencsgtest/stl-import-unparseable-expected.png
Binary files /tmp/SKA1vkTXqX/openscad-2019.01~RC2/tests/regression/opencsgtest/stl-import-invalidvertex-expected.png and /tmp/nOQPnbFQo4/openscad-2019.01~RC2/tests/regression/opencsgtest/stl-import-invalidvertex-expected.png differ
Binary files /tmp/SKA1vkTXqX/openscad-2019.01~RC2/tests/regression/opencsgtest/stl-import-toomanyvertices-expected.png and /tmp/nOQPnbFQo4/openscad-2019.01~RC2/tests/regression/opencsgtest/stl-import-toomanyvertices-expected.png differ
Binary files /tmp/SKA1vkTXqX/openscad-2019.01~RC2/tests/regression/opencsgtest/stl-import-unparseable-expected.png and /tmp/nOQPnbFQo4/openscad-2019.01~RC2/tests/regression/opencsgtest/stl-import-unparseable-expected.png differ