CVE-2022-0496
Description
A vulnerability was found in OpenSCAD, where a DXF-format drawing with particular (not necessarily malformed!) properties may cause an out-of-bounds memory access when imported using import().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenSCAD DXF import with certain drawing properties triggers an out-of-bounds memory access due to improper line index validation.
Vulnerability
The vulnerability resides in the DXF import functionality of OpenSCAD, specifically in src/dxfdata.cc [1][2]. When a DXF file with particular (not necessarily malformed) properties is imported using import(), the code fails to validate line indices retrieved from a grid data structure. This leads to an out-of-bounds memory access on lines 470, 475, 505, or 510 of dxfdata.cc [3]. Affected versions include the Linux build from commit eedf370 and the Windows x64 release 2021.01 [3].
Exploitation
An attacker can exploit this vulnerability by providing a crafted DXF file that, when imported, triggers the out-of-bounds read. The condition occurs when multiple line segments share common points and are merged into contiguous paths via the ADD_LINE macro; this can cause grid data entries to point to an invalid line index [3]. Proof-of-concept files are available that reliably reproduce the crash [3]. No authentication or special privileges are required; the victim need only open the file in OpenSCAD or run it headlessly with openscad --export-format stl [3].
Impact
The out-of-bounds access is a read-only violation; it does not allow arbitrary code execution or data modification [3]. However, such a read can be leveraged to bypass security mechanisms like stack canaries and pointer encryption, potentially aiding further exploitation [3]. The most immediate impact is application crash (segmentation fault), resulting in a denial of service [3].
Mitigation
OpenSCAD released fixes via commits 00a4692989 [1] and 770e3234 [2] on August 29, 2022, which add bounds checks for line indices before use. Users should upgrade to a version containing these commits. If an immediate upgrade is not possible, avoid importing untrusted DXF files. Red Hat notes the issue does not affect commercially supported Red Hat products [4].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
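The check described under Mitigation, validating a line index taken from the grid before it is used while merging segments that share points, is modelled below. This is an added example, not OpenSCAD's code: Cell, Line, Grid, Trace, valid_index and trace_path are hypothetical names, and the sample data is constructed.

```cpp
#include <cstddef>
#include <map>
#include <utility>
#include <vector>

// Simplified model with hypothetical names, not OpenSCAD's code: a line joins two
// quantized points; the grid maps a point to the indices of lines ending there.
using Cell = std::pair<int, int>;
struct Line { Cell a, b; bool used; };
using Grid = std::map<Cell, std::vector<int>>;
struct Trace { std::vector<Cell> path; int rejected; };

bool valid_index(const std::vector<Line> &lines, int idx) {
    return idx >= 0 && static_cast<std::size_t>(idx) < lines.size();
}

// Merge lines that share end points into one path, starting at line `start`.
// Each grid index is validated before lines[idx] is read; invalid ones are counted.
Trace trace_path(const Grid &grid, std::vector<Line> &lines, int start) {
    Trace t{{}, 0};
    if (!valid_index(lines, start)) { t.rejected = 1; return t; }
    lines[start].used = true;
    t.path = {lines[start].a, lines[start].b};
    for (bool grew = true; grew;) {
        grew = false;
        auto it = grid.find(t.path.back());
        if (it == grid.end()) break;
        for (int idx : it->second) {
            if (!valid_index(lines, idx)) { ++t.rejected; continue; }
            Line &l = lines[idx];
            if (l.used) continue;
            l.used = true;
            t.path.push_back(l.a == t.path.back() ? l.b : l.a);
            grew = true;
            break;
        }
    }
    return t;
}

// Constructed sample: three joined segments; grid entries 9 and -1 match no line.
Trace demo() {
    std::vector<Line> lines = {{{0,0},{1,0},false}, {{1,0},{1,1},false}, {{1,1},{0,1},false}};
    Grid grid;  // only the cells the walk visits are filled in
    grid[{1,0}] = {0, 9, 1};
    grid[{1,1}] = {1, -1, 2};
    grid[{0,1}] = {2};
    return trace_path(grid, lines, 0);
}
```

The rejected count gives a caller something to log or fail on when a drawing produces grid entries that refer to no line.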
Affected products
- Openscad/Openscad
References
- [1] github.com/openscad/openscad/commit/00a4692989c4e2f191525f73f24ad8727bacdf41
- [2] github.com/openscad/openscad/commit/770e3234cbfe66edbc0333f796b46d36a74aa652
- [3] github.com/openscad/openscad/issues/4037
- [4] bugzilla.redhat.com/show_bug.cgi