CVE-2020-28604: 
Linux Debian vulnerability analysis and mitigation

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. The vulnerability was discovered in February 2021 and affects the polygon-parsing code found in CGAL/include/CGAL/Nef2, CGAL/include/CGAL/Nef3, and CGAL/include/CGAL/NefS2 ([Talos](https://talosintelligence.com/vulnerabilityreports/TALOS-2020-1225)).

The vulnerability exists in the parsing code for Nef polygons, specifically in the PMioparser::readhedge() function. When reading edge data from input files, the code fails to properly validate array indices before using them to access vector elements. This leads to out-of-bounds reads and type confusion issues when dereferencing object pointers. The vulnerability has a CVSS v3 score of 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is classified as CWE-129 (Improper Validation of Array Index) ([Talos](https://talosintelligence.com/vulnerabilityreports/TALOS-2020-1225)).

The vulnerability could allow an attacker to execute arbitrary code by providing malicious input files. The out-of-bounds reads and type confusion issues can lead to memory corruption and potential code execution in the context of the current process (Talos).

The vulnerability has been fixed in updated versions of the software. Users are recommended to upgrade to CGAL version 5.4.1 or later. For Debian 10 (buster), the fix is available in version 4.13-1+deb10u1 (Gentoo Security, Debian LTS).