Hello Neil,
I'm triaging this vulnerability for Debian LTS / stretch.
It appears librecad is not affected (all dists):
- the package uses system dxflib, cf. debian/patches/debian_build.patch
- while there appears to be similar vulnerable code in
libraries/jwwlib/src/dl_jww-copy.cpp (grep for 'groupCode==42'), this
particular file is not used in the build process AFAICT
Can you confirm and update the security tracker accordingly?
Cheers!
Sylvain Beucler
Debian LTS Team
On Fri, 29 Apr 2022 11:09:43 +0100 Neil Williams <codeh...@debian.org>
wrote:
Source: librecad
Version: 2.1.3-3
Severity: important
Tags: security
X-Debbugs-Cc: codeh...@debian.org, Debian Security Team
<t...@security.debian.org>
Hi,
The following vulnerability was published for librecad.
CVE-2021-21897[0]:
| A code execution vulnerability exists in the
| DL_Dxf::handleLWPolylineData functionality of Ribbonsoft dxflib
| 3.17.0. A specially-crafted .dxf file can lead to a heap buffer
| overflow. An attacker can provide a malicious file to trigger this
| vulnerability.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-21897
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21897
Please adjust the affected versions in the BTS as needed.
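Added example, not code from the bug report, from librecad or from dxflib: a small C++ sketch of the bug class the CVE text describes, an LWPOLYLINE entity whose group code 90 (declared vertex count) is smaller than the number of vertex records (group codes 10/20 for x/y, 42 for bulge, the "groupCode==42" Sylvain grepped for) that actually follow. The DXF group-code layout is standard; the parsing logic itself is an assumption written for illustration and is not dxflib's handleLWPolylineData. The unchecked variant mirrors the "size arrays from group 90, then index by running vertex counter" pattern but only counts the writes that would land past the allocation instead of performing them, so the demo stays memory-safe; the hardened variant rejects the entity at the first out-of-range index. Both .dxf fragments are constructed inline.

```cpp
// Illustrative reconstruction of the LWPOLYLINE count-mismatch bug class.
// Not dxflib code; the parsing logic is an assumption for demonstration.
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

struct Pair { int code; std::string value; };

// DXF is a stream of "group code\nvalue\n" lines; split it into pairs.
std::vector<Pair> read_pairs(const std::string& text) {
    std::vector<Pair> out;
    std::istringstream in(text);
    std::string code, value;
    while (std::getline(in, code) && std::getline(in, value)) {
        out.push_back({std::stoi(code), value});
    }
    return out;
}

struct Result {
    int declared = 0;       // vertex count announced by group code 90
    int vertices_seen = 0;  // group code 10 records actually present
    int oob_writes = 0;     // writes that would land past the group-90 allocation
    bool rejected = false;  // hardened parser refused the entity
};

// enforce_bounds = false mirrors the unchecked pattern (heap overflow in the
// real thing); enforce_bounds = true is the hardened form.
Result handle_lwpolyline(const std::vector<Pair>& pairs, bool enforce_bounds) {
    Result r;
    std::vector<double> xs, ys, bulges;  // sized once, from group code 90
    int idx = -1;                        // running vertex index
    for (const Pair& p : pairs) {
        if (p.code == 90) {
            r.declared = std::stoi(p.value);
            if (r.declared < 0) { r.rejected = true; return r; }  // reject negative counts
            xs.assign(r.declared, 0.0);
            ys.assign(r.declared, 0.0);
            bulges.assign(r.declared, 0.0);
            continue;
        }
        if (p.code != 10 && p.code != 20 && p.code != 42) continue;  // other codes ignored
        if (p.code == 10) { ++idx; ++r.vertices_seen; }              // x starts a new vertex
        if (idx < 0 || idx >= r.declared) {
            // Real unchecked code does xs[idx] = ... here: a heap write past the
            // array allocated from group 90. We only record it.
            if (enforce_bounds) { r.rejected = true; return r; }
            ++r.oob_writes;
            continue;
        }
        double v = std::stod(p.value);
        if (p.code == 10) xs[idx] = v;
        else if (p.code == 20) ys[idx] = v;
        else bulges[idx] = v;
    }
    return r;
}

// Constructed inputs: the crafted entity declares 1 vertex but carries 3.
const char* kCraftedEntity =
    "0\nLWPOLYLINE\n90\n1\n"
    "10\n0.0\n20\n0.0\n42\n0.5\n"
    "10\n1.0\n20\n1.0\n42\n0.5\n"
    "10\n2.0\n20\n0.0\n42\n0.5\n";

const char* kBenignEntity =
    "0\nLWPOLYLINE\n90\n3\n"
    "10\n0.0\n20\n0.0\n42\n0.5\n"
    "10\n1.0\n20\n1.0\n42\n0.5\n"
    "10\n2.0\n20\n0.0\n42\n0.5\n";

int main() {
    Result unchecked = handle_lwpolyline(read_pairs(kCraftedEntity), false);
    Result checked   = handle_lwpolyline(read_pairs(kCraftedEntity), true);
    std::cout << "unchecked: declared=" << unchecked.declared
              << " seen=" << unchecked.vertices_seen
              << " out-of-bounds writes=" << unchecked.oob_writes << "\n";
    std::cout << "checked: rejected=" << (checked.rejected ? "yes" : "no") << "\n";
    return 0;
}
```

For the triage question itself the code above does not matter if the build never links the bundled copy: what decides exposure on Debian is whether the librecad binary links the system dxflib package (which is where a fix would land) or a copy compiled from the librecad source tree, which is exactly the check the reply makes against debian/patches/debian_build.patch and the unused jwwlib file.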