What Are You Looking For?

Sign Up
MGASA-2021-0368 - Updated lib3mf packages fix security vulnerability

Publication date: 25 Jul 2021
URL: https://advisories.mageia.org/MGASA-2021-0368.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-21772

A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP()
functionality of 3MF Consortium lib3mf 2.0.0. A specially crafted 3MF file can
lead to code execution. An attacker can provide a malicious file to trigger
this vulnerability (CVE-2021-21772).

A new package 'act' is introduced to build newer version of lib3mf.

Also, openscad is rebuilt against this updated library.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29018
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WDGGB65YBQL662M3MOBNNJJNRNURW4TG/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21772

SRPMS:
- 8/core/lib3mf-2.1.1-1.mga8
- 8/core/act-1.6.0-4.mga8
- 8/core/openscad-2021.01-1.2.mga8

Mageia 2021-0368: lib3mf security update

A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 2.0.0

Summary

A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 2.0.0. A specially crafted 3MF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability (CVE-2021-21772).
A new package 'act' is introduced to build newer version of lib3mf.
Also, openscad is rebuilt against this updated library.

References

- https://bugs.mageia.org/show_bug.cgi?id=29018

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WDGGB65YBQL662M3MOBNNJJNRNURW4TG/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21772

Resolution

MGASA-2021-0368 - Updated lib3mf packages fix security vulnerability

SRPMS

- 8/core/lib3mf-2.1.1-1.mga8

- 8/core/act-1.6.0-4.mga8

- 8/core/openscad-2021.01-1.2.mga8

Severity
Publication date: 25 Jul 2021
URL: https://advisories.mageia.org/MGASA-2021-0368.html
Type: security
CVE: CVE-2021-21772

Related News

From Heartbleed to Now: Evolving Threats in OpenSSL and How to Guard Against Them

Nov 17, 2023

Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits

Nov 25, 2023

LockBit Ransomware Exploiting Critical Citrix Bleed Vulnerability to Break In

Nov 25, 2023

Severe Chromium Bug Threatens Sensitive Data, System Availability

Nov 13, 2023

News

Advisories

HOWTOs

Features

Empowering MSPs with Straightforward Linux Device Management
A Complete Guide to Torrenting Safely in 2024
Cloud Security Basics for Small Businesses
Scanning and Defending Networks with Nmap
CISA Issues Urgent Warning Over Active Exploitation of Looney Tunables glibc Bug

About Us

Powered By

Footer Logo