CVE-2020-28608

Name of the Vulnerable Software and Affected Versions CGAL versions prior to 5.1.1 CGAL libcgal version CGAL-5.1.1

Description The issue is related to the PM io parser<PMDEC>::read face() function in the Nef 2/PM io parser.h component of the CGAL library, which is used for computational geometry algorithms. This function has a problem with reading beyond the valid boundaries of a data buffer. An attacker, acting remotely, can exploit this to access confidential data, compromise its integrity, and cause a denial of service by using a specially crafted file. The vulnerability can be triggered by providing malicious input, leading to an out-of-bounds read and type confusion, potentially resulting in code execution.

Recommendations For CGAL versions prior to 5.1.1, consider disabling the PM io parser<PMDEC>::read face() function until a patch is available. For CGAL libcgal version CGAL-5.1.1, restrict access to the Nef 2/PM io parser.h component to minimize the risk of exploitation. Avoid using the store fc() function in the affected PM io parser<PMDEC>::read face() function until the issue is resolved.