CVE-2020-28608: 
Linux Debian vulnerability analysis and mitigation

Multiple code execution vulnerabilities exist in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. The vulnerability was discovered in February 2021 and affects the polygon parsing code found in CGAL/include/CGAL/Nef2, CGAL/include/CGAL/Nef3, and CGAL/include/CGAL/NefS2 directories ([Talos Intelligence](https://talosintelligence.com/vulnerabilityreports/TALOS-2020-1225)).

The vulnerability exists in the polygon-parsing code that handles Nef polygon data structures. When parsing .nef3 files, the code reads indices from the file and uses them directly as array indices without proper bounds checking. This leads to out-of-bounds memory access when processing malformed input files. The vulnerability has been assigned CWE-129 (Improper Validation of Array Index) and received a CVSSv3 score of 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) indicating critical severity (Talos Intelligence).

The vulnerability could allow an attacker to achieve code execution by providing specially crafted malformed input files. The out-of-bounds reads and type confusion issues could lead to arbitrary code execution in applications using the affected CGAL library (Gentoo Security).

The vulnerabilities have been fixed in updated versions of CGAL. Users should upgrade to CGAL version 5.4.1 or later. For Debian 10 (buster), the fix is available in version 4.13-1+deb10u1 (Debian LTS).