Control: tags -1 + confirmed

On Sun, 2021-10-10 at 14:58 +0200, Kristian Nielsen wrote:
> This is a fix for two minor security issues in buster:
>
> https://security-tracker.debian.org/tracker/CVE-2020-28599
> https://security-tracker.debian.org/tracker/CVE-2020-28600
>
> It was coordinated with the security team to take this through
> buster-proposed-updates rather than handling it through the security team.
>
> [ Impact ]
>
> In theory the bug could allow arbitrary code execution from loading a
> carefully crafted STL file into the desktop application openscad. OpenSCAD is a
> script language/compiler for programmatically building 3D models, e.g. for
> 3D-printing purposes. STL is a file format for storing 3D model data. The
> OpenSCAD language has functions for reading STL files. Thus to exploit this
> bug would involve a user loading or writing an openscad script which
> references the malicious STL file. Thus not too likely a scenario, but on
> the other hand probably still well within what is considered a security
> issue nowadays.

Please go ahead.

Regards,

Adam