Debian Security Advisory
DLA-2838-1 librecad -- LTS security update
- Date Reported:
- 03 Dec 2021
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2021-21898, CVE-2021-21899, CVE-2021-21900.
- More information:
Several vulnerabilities were discovered in LibreCAD, an application for computer aided design (CAD) in two dimensions. An attacker could trigger code execution through malicious .dwg and .dxf files.
A code execution vulnerability exists in the dwgCompressor::decompress18() functionality of LibreCad libdxfrw. A specially-crafted .dwg file can lead to an out-of-bounds write.
A code execution vulnerability exists in the dwgCompressor::copyCompBytes21 functionality of LibreCad libdxfrw. A specially-crafted .dwg file can lead to a heap buffer overflow.
A code execution vulnerability exists in the dxfRW::processLType() functionality of LibreCad libdxfrw. A specially-crafted .dxf file can lead to a use-after-free vulnerability.
For Debian 9 stretch, these problems have been fixed in version 2.1.2-1+deb9u2.
We recommend that you upgrade your librecad packages.
For the detailed security status of librecad please refer to its security tracker page at: https://security-tracker.debian.org/tracker/librecad
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS