CVE-2020-35633
Description
A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() store_sm_boundary_item() Edge_of. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in CGAL's Nef polygon parser (CGAL-5.1.1) allows code execution via a crafted malformed file.
Vulnerability
A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal version CGAL-5.1.1. The flaw resides in the SNC_io_parser.h file, specifically in the read_sface() function and the store_sm_boundary_item() call for Edge_of. An out-of-bounds read occurs when parsing a specially crafted malformed .nef3 file, leading to type confusion. This vulnerability is part of a larger set of similar issues in the Nef parsing code [1].
Exploitation
An attacker can exploit this vulnerability by providing a maliciously crafted .nef3 file to an application using CGAL's Nef polygon parsing. No authentication or special network position is required; the attack can be delivered remotely if the application processes user-supplied files. The parsing of the malformed file triggers an out-of-bounds read, which then causes type confusion, potentially allowing the attacker to control execution flow [1].
Impact
Successful exploitation results in arbitrary code execution with the privileges of the process using CGAL. The CVSSv3 score is 10.0 (Critical), indicating full compromise of confidentiality, integrity, and availability. The scope is changed, meaning the impact extends beyond the vulnerable component [1].
Mitigation
The vulnerability is fixed in CGAL version 5.4.1 and later. Users should upgrade to this version or newer. As of the Gentoo security advisory (GLSA 202305-34), no workaround is available [2]. Systems running CGAL-5.1.1 or earlier are vulnerable and should be updated immediately.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGAL/libcgal CGAL [description]
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202305-34 [mitre, vendor-advisory]
- lists.debian.org/debian-lts-announce/2022/12/msg00011.html [mitre, mailing-list]
- talosintelligence.com/vulnerability_reports/TALOS-2020-1225 [mitre]