CVE-2020-35635
Description
A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1 in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() store_sm_boundary_item() Sloop_of OOB read. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read and type confusion in CGAL's Nef polygon parser can lead to code execution when processing a malicious file.
Vulnerability
The vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal version 5.1.1, specifically in Nef_S2/SNC_io_parser.h within the SNC_io_parser::read_sface() and store_sm_boundary_item() functions [1]. The code performs an out-of-bounds read during parsing of a specially crafted malformed .nef3 file, leading to a type confusion condition. This affects the handling of Nef polygons, which are geometric shapes supported by CGAL [1].
Exploitation
An attacker can trigger this vulnerability by providing a malicious malformed .nef3 file to an application or library that uses CGAL to parse such files. No authentication or user interaction beyond loading the file is required, as the bug is reachable through the standard file parsing path [1]. The attacker must craft the file to cause the parser to read beyond the bounds of an array, leading to type confusion [1].
Impact
Successful exploitation can lead to arbitrary code execution with the privileges of the process using CGAL. The out-of-bounds read and type confusion allow an attacker to corrupt memory and potentially execute arbitrary code [1]. The CVSS score of 10.0 indicates a critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction, with impacts on confidentiality, integrity, and availability [1].
Mitigation
The Gentoo security advisory recommends upgrading to CGAL version 5.4.1 or later [2]. As of the publication date (2021-08-30), the fix is available in the latest upstream release. Users should update their CGAL library to the patched version to mitigate this vulnerability. No workaround is known aside from updating [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CGAL/libcgal (description)
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202305-34 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2022/12/msg00011.html (mitre, mailing-list)
- talosintelligence.com/vulnerability_reports/TALOS-2020-1225 (mitre)