Subject: [gentoo-announce] [ GLSA 202208-01 ] 3MF Consortium lib3mf: Remote code execution
From: glsamaker@gentoo.org
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Date: Thu, 04 Aug 2022 13:52:30 -0000
Message-ID: <165962115066.8.17943197254093983020@e7cbb8eca0f2>
List-Id: Gentoo Linux mail

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory                GLSA 202208-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: 3MF Consortium lib3mf: Remote code execution
      Date: August 04, 2022
      Bugs: #775362
        ID: 202208-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in lib3mf could lead to remote code execution.

Background
==========

lib3mf is an implementation of the 3D Manufacturing Format file standard.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable    /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/lib3mf           < 2.1.1                  >= 2.1.1

Description
===========

Incorrect memory handling within lib3mf could result in a use-after-free.

Impact
======

An attacker that can provide malicious input to an application using 3MF
Consortium's lib3mf could achieve remote code execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All 3MF Consortium lib3mf users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/lib3mf-2.1.1"

References
==========

[ 1 ] CVE-2021-21772
      https://nvd.nist.gov/vuln/detail/CVE-2021-21772

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202208-01

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

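The Resolution section gives the upgrade commands but no way to confirm whether a host is still inside the vulnerable range. The following POSIX shell script is an added example, not part of the GLSA or of the lib3mf project: it decides whether an installed media-libs/lib3mf version is below the 2.1.1 boundary from the Affected packages table. The installed-package atom is a constructed sample; on a real Gentoo host it is assumed to come from `qlist -Iv media-libs/lib3mf` (app-portage/portage-utils). The comparison handles the general `MAJOR.MINOR.PATCH[-rN]` shape, not just the two versions on the page, and ignores the Gentoo revision suffix because the advisory's boundary has none.

```shell
#!/bin/sh
# Added example, not part of GLSA 202208-01: decide whether an installed
# media-libs/lib3mf version lies in the vulnerable range "< 2.1.1".

FIXED_VERSION="2.1.1"   # unaffected boundary from the advisory's table

# Constructed sample of a "category/package-version" atom in the form
# printed by `qlist -Iv media-libs/lib3mf` (assumed; not from a real host).
SAMPLE_INSTALLED="media-libs/lib3mf-2.0.0"

# Split a version into three numeric parts, printed space-separated.
# Missing parts count as 0; a revision or suffix glued to a part
# (e.g. "1-r1", "1_rc1") is cut off at the first non-digit.
split3() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    a=${1%%[!0-9]*}; b=${2%%[!0-9]*}; c=${3%%[!0-9]*}
    printf '%s %s %s\n' "${a:-0}" "${b:-0}" "${c:-0}"
}

# Exit status 0 when version $1 is strictly lower than version $2.
version_lt() {
    set -- $(split3 "$1") $(split3 "$2")   # $1-$3 = left, $4-$6 = right
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# Pull the dotted version out of a "category/pkg-version[-rN]" atom:
# take the last "-" that is followed by a digit, keep digits and dots.
atom_version() {
    printf '%s\n' "$1" | sed 's/^.*-\([0-9][0-9.]*\).*$/\1/'
}

# Exit status 0 when the given version is in the advisory's vulnerable range.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Print a verdict for one atom; always succeeds so it can run at load time.
report() {
    v=$(atom_version "$1")
    if is_vulnerable "$v"; then
        echo "$1: AFFECTED by GLSA 202208-01, upgrade to >=media-libs/lib3mf-$FIXED_VERSION"
    else
        echo "$1: not affected (>= $FIXED_VERSION)"
    fi
}

report "$SAMPLE_INSTALLED"
report "media-libs/lib3mf-2.1.1-r1"   # constructed unaffected sample
```

On a live system, replace the constructed atom with the output of `qlist -Iv media-libs/lib3mf` (assumed available) and have `report` return the status of `is_vulnerable` so the script can gate an automated run; the fix itself remains the `emerge` commands in the Resolution section. Because revisions are dropped, an installed `2.1.1-r1` compares equal to the boundary and is correctly reported as unaffected.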
License
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmLrzx4ACgkQFMQkOaVy
+9l8xw//VkioDNow8qxc40+6tWm+9YfweDWgqgI9uW4brI1glSKJQmK5SmBcRKnH
9MEwdpB80P1iYhr39diX1cRUNkBUpoP/N40XkcbvIlZt6GccJBcQl6FMkHazgl4I
5/zjNWYYucX4yUlDBWSYx9XagOO2Dcz9Xy5c96u6JD/LN4vWCf1eAj3MJCkTWmua
Qbj/hHbzIHewJcxdv5/yCfmEoSK/MnaIejlQ7noGRULOBlWmZTYjzKKskrOVd2dy
p68RML3xGNwiHjHRF/ACcVaAYkEoYvT8AfeKJhI1L5tSh2xjaDQPt1RqDkuX4bBm
YShNrilqAIH1IRGLTNmNzUWE1XTrt9ye0TPEcsORXIARNstnZuV1LoyHfA0DYITC
OP+EqZGfJr42rpPt7xfOiaig24RpWYH6I3J/KrSyrFgZwp3QYz+PA29ylxSZYkmt
a4sWW7tDXlr/Rvmk/x4if0JGpGVNOerNfITmmdFHq+v1hJJ+yPGXlhm0p5aPCyoA
03JRZOIhzgGaTx8DODUe3wVA4ynfhaq+RXtCq1k/9aL23O4a/eHuMTpW+ylTPjzu
tfygxtFkRBul4583xk+gzcX34Grn3YAWtJMIV88pCYfcbbo44Qm3J4UQ1mXm1rIS
onx/YHVIwlXYcNPbReGQZM6u4ES/nNTZFAejued6Dk9LVKdWphY=
=yWxA
-----END PGP SIGNATURE-----