CVE-2020-28601
Description
A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. An out-of-bounds (OOB) read exists in PM_io_parser::read_vertex() in Nef_2/PM_io_parser.h, where Face_of[] is read out of bounds. An attacker can provide malicious input to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in CGAL's Nef polygon parser (CGAL-5.1.1) allows remote code execution via a crafted .nef file.
Vulnerability
An out-of-bounds read vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal version CGAL-5.1.1. Specifically, in the file Nef_2/PM_io_parser.h, the function PM_io_parser::read_vertex() performs an array index operation on Face_of[] without proper bounds checking, leading to an OOB read. This occurs when parsing a specially crafted .nef file (Nef polygon format). The vulnerability is classified as CWE-129 (Improper Validation of Array Index) [1].
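The index validation that CWE-129 calls for, shown as an added example that is not CGAL's code or its patch. The record layout `<vertex-index> { <face-index> }`, the `Face` struct and the function names are simplified assumptions made for illustration.

```cpp
#include <cstddef>
#include <istream>
#include <sstream>
#include <string>
#include <vector>

// Simplified stand-in for a parser's face table (hypothetical, not CGAL's types).
struct Face { int id; };

// Parses one constructed record of the form "<vertex-index> { <face-index> }".
// Returns the referenced face, or nullptr when the record is malformed or the
// face index falls outside face_of.
const Face* read_vertex_checked(std::istream& in, const std::vector<Face>& face_of) {
    long long v = 0, f = 0;
    char open = 0, close = 0;
    // Stream extraction fails (and we reject) on non-numeric or overflowing input.
    if (!(in >> v >> open >> f >> close) || open != '{' || close != '}')
        return nullptr;
    // The unchecked form would be `return &face_of[f];` with f taken straight
    // from the file. Validate the untrusted index first; testing f < 0 before
    // the cast keeps a negative value from wrapping to a huge size_t.
    if (f < 0 || static_cast<std::size_t>(f) >= face_of.size())
        return nullptr;
    return &face_of[static_cast<std::size_t>(f)];
}

// Convenience wrapper: parse a record held in a string.
const Face* parse_record(const std::string& text, const std::vector<Face>& face_of) {
    std::istringstream in(text);
    return read_vertex_checked(in, face_of);
}
```

A caller should treat a `nullptr` result as a parse failure and stop processing the file rather than continue with a partially built structure.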
Exploitation
An attacker can exploit this vulnerability by providing a malicious .nef file to an application that uses the CGAL library to parse Nef polygons. No authentication or user interaction beyond opening the file is required. The attacker must craft the file such that the read_vertex() function accesses an index outside the bounds of the Face_of[] array, triggering the OOB read. This can lead to memory corruption and potentially code execution [1].
Impact
Successful exploitation allows an attacker to achieve arbitrary code execution in the context of the process using CGAL. The CVSSv3 score is 10.0 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating full compromise of confidentiality, integrity, and availability without any privileges or user interaction [1].
Mitigation
The vulnerability is fixed in CGAL version 5.4.1 and later. Users should upgrade to the latest version. The Gentoo security advisory (GLSA 202305-34) recommends upgrading to >=sci-mathematics/cgal-5.4.1 [4]. No workaround is known for this issue [4].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGAL/libcgal
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E4J344OKKDLPRN422OYRR46HDEN6MM6P/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NB5SF5OJR2DSV7CC6U7FVW5VJSJO5EKV/ (mitre, vendor-advisory)
- security.gentoo.org/glsa/202305-34 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2021/05/msg00002.html (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2022/12/msg00011.html (mitre, mailing-list)
- talosintelligence.com/vulnerability_reports/TALOS-2020-1225 (mitre)