19 May 2022, 10:13 p.m.
Hi Thomas,
we were informed that a third-party vendor shipping a custom installer for a quite old (0.91: 7 years ago) Inkscape version, found an oob read in a parser in libuemf, the library we use to read emf files. The report itself mentioning that 1.0+ was unaffected, we trusted it with that[1][2], and having no intention of releasing new point releases for versions older than 1.1.x, afaict no action was required from us. If you're looking to backport a "fix" for a very old Inkscape version, the easiest way would probably be to copy the files from a recent libuemf upstream source[3], into the src/libuemf/ (now src/3rdparty/libuemf/) folder which is a rather standalone part of the codebase.
Bests,
--
Marc
PS: I'm not extremely familiar with CVE severity computations, but the
way I see it, "a userland desktop program with no network code is able
to likely crash by trying to read in an uninitialized memory sector when
it's being given a maliciously crafted file in an outdated
windows-specific vector format" is not something that looks that scary?
[1] we update the code from libuemf upstream from time to time, so it's
quite likely it was fixed at some point there[4]
[2] iirc there were no reproduction steps or vulnerable files
[3] http://libuemf.sourceforge.net/
[4] cf their changelog in
https://gitlab.com/inkscape/inkscape/-/blob/master/src/3rdparty/libuemf/READ...
where quite a few things in fixing parsers could fix an oob read
On 5/19/22 13:24, Thomas Leroy wrote:
> Hi there,
>
> As you may know, 3 CVEs [0] [1] [2] have been assigned to Inkscape, but there
> is very little information available.
> The 3 CVE pages redirect to the same CISA page [3], mentioning Inkscape version
> 1.0 or later as fixed. Could you please confirm this information?
> Moreover, in case backporting patches is preferred instead of upgrading,
> could you please point me to the fixing commits? That would be very
> awesome. :)
>
> Best regards,
>
> Thomas
>
> [0] https://nvd.nist.gov/vuln/detail/CVE-2021-42700
> [1] https://nvd.nist.gov/vuln/detail/CVE-2021-42702
> [2] https://nvd.nist.gov/vuln/detail/CVE-2021-42704
> [3] https://www.cisa.gov/uscert/ics/advisories/icsa-22-132-03
>