{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for libredwg","title":"Title of the patch"},{"category":"description","text":"This update for libredwg fixes the following issues:\n\nlibredwg was updated to release 0.10:\n\nAPI breaking changes:\n\n* Added a new int *isnewp argument to all dynapi utf8text\n  getters, if the returned string is freshly malloced or not.\n* removed the UNKNOWN supertype, there are only UNKNOWN_OBJ and\n  UNKNOWN_ENT left, with common_entity_data.\n* renamed BLOCK_HEADER.preview_data to preview,\n  preview_data_size to preview_size.\n* renamed SHAPE.shape_no to style_id.\n* renamed CLASS.wasazombie to is_zombie.\n\nBugfixes:\n\n* Harmonized INDXFB with INDXF, removed extra src/in_dxfb.c.\n* Fixed encoding of added r2000 AUXHEADER address.\n* Fixed EED encoding from dwgrewrite.\n* Add several checks against\n    [CVE-2020-6609, boo#1160520], [CVE-2020-6610, boo#1160522],\n    [CVE-2020-6611, boo#1160523], [CVE-2020-6612, boo#1160524],\n    [CVE-2020-6613, boo#1160525], [CVE-2020-6614, boo#1160526],\n    [CVE-2020-6615, boo#1160527]","title":"Description of the patch"},{"category":"details","text":"openSUSE-2020-96","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_0096-1.json"},{"category":"self","summary":"URL for openSUSE-SU-2020:0096-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SECBSD34W2KNYYJEF4TYMEZJKZ4FZ4PV/"},{"category":"self","summary":"E-Mail link for openSUSE-SU-2020:0096-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SECBSD34W2KNYYJEF4TYMEZJKZ4FZ4PV/"},{"category":"self","summary":"SUSE Bug 1160520","url":"https://bugzilla.suse.com/1160520"},{"category":"self","summary":"SUSE Bug 1160522","url":"https://bugzilla.suse.com/1160522"},{"category":"self","summary":"SUSE Bug 1160523","url":"https://bugzilla.suse.com/1160523"},{"category":"self","summary":"SUSE Bug 1160524","url":"https://bugzilla.suse.com/1160524"},{"category":"self","summary":"SUSE Bug 1160525","url":"https://bugzilla.suse.com/1160525"},{"category":"self","summary":"SUSE Bug 1160526","url":"https://bugzilla.suse.com/1160526"},{"category":"self","summary":"SUSE Bug 1160527","url":"https://bugzilla.suse.com/1160527"},{"category":"self","summary":"SUSE CVE CVE-2020-6609 page","url":"https://www.suse.com/security/cve/CVE-2020-6609/"},{"category":"self","summary":"SUSE CVE CVE-2020-6610 page","url":"https://www.suse.com/security/cve/CVE-2020-6610/"},{"category":"self","summary":"SUSE CVE CVE-2020-6611 page","url":"https://www.suse.com/security/cve/CVE-2020-6611/"},{"category":"self","summary":"SUSE CVE CVE-2020-6612 page","url":"https://www.suse.com/security/cve/CVE-2020-6612/"},{"category":"self","summary":"SUSE CVE CVE-2020-6613 page","url":"https://www.suse.com/security/cve/CVE-2020-6613/"},{"category":"self","summary":"SUSE CVE CVE-2020-6614 page","url":"https://www.suse.com/security/cve/CVE-2020-6614/"},{"category":"self","summary":"SUSE CVE CVE-2020-6615 page","url":"https://www.suse.com/security/cve/CVE-2020-6615/"}],"title":"Security update for libredwg","tracking":{"current_release_date":"2020-01-22T23:11:47Z","generator":{"date":"2020-01-22T23:11:47Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"openSUSE-SU-2020:0096-1","initial_release_date":"2020-01-22T23:11:47Z","revision_history":[{"date":"2020-01-22T23:11:47Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"libredwg-devel-0.10-lp151.2.6.1.x86_64","product":{"name":"libredwg-devel-0.10-lp151.2.6.1.x86_64","product_id":"libredwg-devel-0.10-lp151.2.6.1.x86_64"}},{"category":"product_version","name":"libredwg-tools-0.10-lp151.2.6.1.x86_64","product":{"name":"libredwg-tools-0.10-lp151.2.6.1.x86_64","product_id":"libredwg-tools-0.10-lp151.2.6.1.x86_64"}},{"category":"product_version","name":"libredwg0-0.10-lp151.2.6.1.x86_64","product":{"name":"libredwg0-0.10-lp151.2.6.1.x86_64","product_id":"libredwg0-0.10-lp151.2.6.1.x86_64"}}],"category":"architecture","name":"x86_64"},{"branches":[{"category":"product_name","name":"openSUSE Leap 15.1","product":{"name":"openSUSE Leap 15.1","product_id":"openSUSE Leap 15.1","product_identification_helper":{"cpe":"cpe:/o:opensuse:leap:15.1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"libredwg-devel-0.10-lp151.2.6.1.x86_64 as component of openSUSE Leap 15.1","product_id":"openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64"},"product_reference":"libredwg-devel-0.10-lp151.2.6.1.x86_64","relates_to_product_reference":"openSUSE Leap 15.1"},{"category":"default_component_of","full_product_name":{"name":"libredwg-tools-0.10-lp151.2.6.1.x86_64 as component of openSUSE Leap 15.1","product_id":"openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64"},"product_reference":"libredwg-tools-0.10-lp151.2.6.1.x86_64","relates_to_product_reference":"openSUSE Leap 15.1"},{"category":"default_component_of","full_product_name":{"name":"libredwg0-0.10-lp151.2.6.1.x86_64 as component of openSUSE Leap 15.1","product_id":"openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"},"product_reference":"libredwg0-0.10-lp151.2.6.1.x86_64","relates_to_product_reference":"openSUSE Leap 15.1"}]},"vulnerabilities":[{"cve":"CVE-2020-6609","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2020-6609"}],"notes":[{"category":"general","text":"GNU LibreDWG 0.9.3.2564 has a heap-based buffer over-read in read_pages_map in decode_r2007.c.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2020-6609","url":"https://www.suse.com/security/cve/CVE-2020-6609"},{"category":"external","summary":"SUSE Bug 1160520 for CVE-2020-6609","url":"https://bugzilla.suse.com/1160520"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":8.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]}],"threats":[{"category":"impact","date":"2020-01-22T23:11:47Z","details":"important"}],"title":"CVE-2020-6609"},{"cve":"CVE-2020-6610","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2020-6610"}],"notes":[{"category":"general","text":"GNU LibreDWG 0.9.3.2564 has an attempted excessive memory allocation in read_sections_map in decode_r2007.c.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2020-6610","url":"https://www.suse.com/security/cve/CVE-2020-6610"},{"category":"external","summary":"SUSE Bug 1160522 for CVE-2020-6610","url":"https://bugzilla.suse.com/1160522"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":6.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","version":"3.1"},"products":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]}],"threats":[{"category":"impact","date":"2020-01-22T23:11:47Z","details":"moderate"}],"title":"CVE-2020-6610"},{"cve":"CVE-2020-6611","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2020-6611"}],"notes":[{"category":"general","text":"GNU LibreDWG 0.9.3.2564 has a NULL pointer dereference in get_next_owned_entity in dwg.c.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2020-6611","url":"https://www.suse.com/security/cve/CVE-2020-6611"},{"category":"external","summary":"SUSE Bug 1160523 for CVE-2020-6611","url":"https://bugzilla.suse.com/1160523"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":6.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","version":"3.1"},"products":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]}],"threats":[{"category":"impact","date":"2020-01-22T23:11:47Z","details":"moderate"}],"title":"CVE-2020-6611"},{"cve":"CVE-2020-6612","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2020-6612"}],"notes":[{"category":"general","text":"GNU LibreDWG 0.9.3.2564 has a heap-based buffer over-read in copy_compressed_bytes in decode_r2007.c.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2020-6612","url":"https://www.suse.com/security/cve/CVE-2020-6612"},{"category":"external","summary":"SUSE Bug 1160524 for CVE-2020-6612","url":"https://bugzilla.suse.com/1160524"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":8.1,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","version":"3.1"},"products":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]}],"threats":[{"category":"impact","date":"2020-01-22T23:11:47Z","details":"important"}],"title":"CVE-2020-6612"},{"cve":"CVE-2020-6613","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2020-6613"}],"notes":[{"category":"general","text":"GNU LibreDWG 0.9.3.2564 has a heap-based buffer over-read in bit_search_sentinel in bits.c.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2020-6613","url":"https://www.suse.com/security/cve/CVE-2020-6613"},{"category":"external","summary":"SUSE Bug 1160525 for CVE-2020-6613","url":"https://bugzilla.suse.com/1160525"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":8.1,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","version":"3.1"},"products":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]}],"threats":[{"category":"impact","date":"2020-01-22T23:11:47Z","details":"important"}],"title":"CVE-2020-6613"},{"cve":"CVE-2020-6614","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2020-6614"}],"notes":[{"category":"general","text":"GNU LibreDWG 0.9.3.2564 has a heap-based buffer over-read in bfr_read in decode.c.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2020-6614","url":"https://www.suse.com/security/cve/CVE-2020-6614"},{"category":"external","summary":"SUSE Bug 1160526 for CVE-2020-6614","url":"https://bugzilla.suse.com/1160526"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":8.1,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","version":"3.1"},"products":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]}],"threats":[{"category":"impact","date":"2020-01-22T23:11:47Z","details":"important"}],"title":"CVE-2020-6614"},{"cve":"CVE-2020-6615","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2020-6615"}],"notes":[{"category":"general","text":"GNU LibreDWG 0.9.3.2564 has an invalid pointer dereference in dwg_dynapi_entity_value in dynapi.c (dynapi.c is generated by gen-dynapi.pl).","title":"CVE description"}],"product_status":{"recommended":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2020-6615","url":"https://www.suse.com/security/cve/CVE-2020-6615"},{"category":"external","summary":"SUSE Bug 1160527 for CVE-2020-6615","url":"https://bugzilla.suse.com/1160527"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":6.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","version":"3.1"},"products":["openSUSE Leap 15.1:libredwg-devel-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg-tools-0.10-lp151.2.6.1.x86_64","openSUSE Leap 15.1:libredwg0-0.10-lp151.2.6.1.x86_64"]}],"threats":[{"category":"impact","date":"2020-01-22T23:11:47Z","details":"moderate"}],"title":"CVE-2020-6615"}]}