CVE-2020-28623
Description
Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An OOB read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_facet() fh->twin().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple OOB read and type confusion vulnerabilities in CGAL's Nef polygon parser allow code execution via crafted .nef3 files.
Vulnerability
The vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal version 5.1.1. Specifically, an out-of-bounds read occurs in Nef_S2/SNC_io_parser.h in the SNC_io_parser::read_facet() function when processing malformed .nef3 files. This issue is part of a larger set of code execution vulnerabilities in the Nef polygon parser, including type confusion and other OOB reads [1]. The parser is used for 2D and 3D Nef polygons and Nef polygons on a sphere [1].
Exploitation
An attacker can trigger the vulnerability by providing a specially crafted malformed .nef3 file to an application that uses the CGAL library for parsing Nef polygons. No authentication or user interaction is required beyond opening the file. The attack vector is network-based with low complexity [1]. The specific sequence involves the parser reading a facet and accessing fh->twin() without proper bounds checking, leading to an out-of-bounds read [1].
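An added illustration of the bug class described above, not CGAL's code and not taken from the advisory. It assumes a simplified, constructed record format in which each line gives a facet index and its twin index, and shows the bounds check a parser needs before resolving a file-supplied index to a handle; the names Facet, checked_handle, read_facets and twins_consistent are hypothetical.

```cpp
// Simplified model (assumption): a facet record stores its twin as an
// integer index into a table sized before the records are read.
#include <cstddef>
#include <sstream>
#include <string>
#include <vector>

struct Facet { long twin = -1; };   // -1 means "twin not set yet"

// Resolve a file-supplied index only if it falls inside the table.
inline Facet* checked_handle(std::vector<Facet>& table, long idx) {
    if (idx < 0 || static_cast<std::size_t>(idx) >= table.size()) return nullptr;
    return &table[static_cast<std::size_t>(idx)];
}

// Parse lines of the form "<facet-index> <twin-index>" (constructed format).
// Any malformed, truncated or out-of-range record fails the whole parse
// instead of dereferencing an unchecked index.
bool read_facets(const std::string& input, std::vector<Facet>& table) {
    std::istringstream in(input);
    long self = 0, twin = 0;
    while (in >> self) {
        if (!(in >> twin)) return false;          // truncated record
        Facet* fh = checked_handle(table, self);
        Facet* tw = checked_handle(table, twin);
        if (!fh || !tw) return false;             // index outside the table
        fh->twin = twin;
    }
    return in.eof();                              // non-numeric residue is an error
}

// Semantic check after parsing: every facet has a twin that points back at it.
bool twins_consistent(const std::vector<Facet>& table) {
    for (std::size_t i = 0; i < table.size(); ++i) {
        long t = table[i].twin;
        if (t < 0 || static_cast<std::size_t>(t) >= table.size()) return false;
        if (table[static_cast<std::size_t>(t)].twin != static_cast<long>(i)) return false;
    }
    return true;
}
```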
Impact
Successful exploitation can lead to an out-of-bounds read and type confusion, potentially resulting in arbitrary code execution. The CVSSv3 score is 10.0 (Critical) with network attack vector, low complexity, no privileges required, no user interaction, and a changed scope. The impact covers confidentiality, integrity, and availability (C:H/I:H/A:H) [1].
Mitigation
The CGAL project released a fix in version 5.4.1. Users should upgrade to CGAL >= 5.4.1 to mitigate these vulnerabilities [2]. For older versions, no known workaround exists [2]. Gentoo users can update via emerge --sync and emerge --ask --oneshot --verbose ">=sci-mathematics/cgal-5.4.1" [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGAL Project/libcgal v5, Range: CGAL-5.1.1
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202305-34 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2022/12/msg00011.html (mitre, mailing-list)
- talosintelligence.com/vulnerability_reports/TALOS-2020-1225 (mitre)