CVE-2020-35629

Name of the Vulnerable Software and Affected Versions CGAL libcgal version 5.1.1

Description The issue is related to multiple code execution vulnerabilities in the Nef polygon-parsing functionality of CGAL libcgal. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, potentially resulting in code execution. An attacker can provide malicious input to trigger these vulnerabilities. Specifically, an out-of-bounds read vulnerability exists in the SNC io parser<EW>::read sloop() function, which can be exploited by a remote attacker to access confidential data, compromise data integrity, and cause a denial of service using a specially crafted file.

Recommendations For CGAL libcgal version 5.1.1, consider disabling the SNC io parser<EW>::read sloop() function to prevent exploitation until a patch is available. Restrict access to the Nef S2/SNC io parser.h component to minimize the risk of exploitation. Avoid using the slh->facet() variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.