CVE-2020-28607
Description
Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An OOB read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_face() set_halfedge().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in CGAL's Nef polygon parser allows code execution via a malformed file.
Vulnerability
An out-of-bounds read vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal version 5.1.1. Specifically, the PM_io_parser::read_face() function in Nef_2/PM_io_parser.h fails to properly validate array indices when processing a specially crafted malformed .nef3 file. This can lead to type confusion and out-of-bounds memory access. The affected code is part of the CGAL library used for geometric algorithms [1].
Exploitation
An attacker can provide a maliciously crafted Nef polygon file (e.g., .nef3) to any application or service that processes such files using CGAL-5.1.1. No authentication or special privileges are required; exploitation can occur over a network if the application accepts user-supplied files. The attacker triggers the vulnerability by causing the parser to read beyond allocated memory during read_face(), leading to type confusion. The exact sequence of steps is part of the malformed file's structure [1].
Impact
Successful exploitation results in arbitrary code execution with the privileges of the affected process. The CVSS score of 10.0 indicates full compromise of confidentiality, integrity, and availability, with no user interaction or privileges required [1][2].
Mitigation
The vulnerability is fixed in CGAL version 5.4.1 and later. Users should upgrade to at least this version. For Gentoo Linux, the fixed package is available as sci-mathematics/cgal-5.4.1 [2]. No workarounds are known; if upgrading is not possible, avoid processing untrusted Nef polygon files.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGAL Project/libcgal v5, Range: CGAL-5.1.1
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202305-34 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2022/12/msg00011.html (mitre, mailing-list)
- talosintelligence.com/vulnerability_reports/TALOS-2020-1225 (mitre)