CVE-2020-28629
Description
Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An out-of-bounds read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sedge() seh->sprev().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read vulnerability in CGAL's Nef polygon parsing (CGAL-5.1.1) could lead to code execution via crafted input.
Vulnerability
An out-of-bounds read vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal version 5.1.1. Specifically, in the file Nef_S2/SNC_io_parser.h, the function SNC_io_parser::read_sedge() dereferences seh->sprev() without proper bounds checking, leading to an out-of-bounds read and type confusion [1]. This issue is part of a family of code execution vulnerabilities in the Nef polygon parsing code (including Nef_2, Nef_3, and Nef_S2) that can be triggered by a specially crafted malformed Nef file [1].
Exploitation
An attacker can provide a malicious .nef3 or other Nef-format file to an application using the CGAL library [1]. No authentication or user interaction beyond opening the file is required. The vulnerability is reachable when CGAL's I/O parser processes the malformed file, causing an out-of-bounds read on seh->sprev() which can lead to type confusion and memory corruption [1].
Impact
Successful exploitation could allow an attacker to achieve code execution on the target system. The impact includes potential full compromise of confidentiality, integrity, and availability (CIA), as the CVSS score is 10.0 (Critical) [1]. Given the network attack vector and lack of privileges needed, this poses a high risk to systems using CGAL for processing untrusted geometric data.
Mitigation
The Gentoo security advisory recommends upgrading to CGAL version 5.4.1 or later [2]. No known workaround is available [2]. Users should apply the update to fix the vulnerability and other related CVEs. The vulnerability is also tracked in the Cisco Talos advisory TALOS-2020-1225 [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGAL Project/libcgal (v5), Range: CGAL-5.1.1
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202305-34 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2022/12/msg00011.html (mitre, mailing-list)
- talosintelligence.com/vulnerability_reports/TALOS-2020-1225 (mitre)