CVE-2020-28609

Name of the Vulnerable Software and Affected Versions CGAL libcgal version 5.1.1

Description The issue is related to multiple code execution vulnerabilities in the Nef polygon-parsing functionality of CGAL libcgal. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, potentially resulting in code execution. An attacker can provide malicious input to trigger these vulnerabilities. Specifically, an oob read vulnerability exists in the read face() function of PM io parser<PMDEC> in Nef 2/PM io parser.h, which is associated with unchecked array indexing. Exploitation of this vulnerability could allow a remote attacker to access confidential data, compromise data integrity, and cause a denial of service using a specially crafted file.

Recommendations For CGAL libcgal version 5.1.1, consider disabling the read face() function of PM io parser<PMDEC> in Nef 2/PM io parser.h as a temporary workaround until a patch is available. Restrict access to the Nef 2/PM io parser.h component to minimize the risk of exploitation. Avoid using the store iv() function in the affected PM io parser<PMDEC> until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.