
Cloud Vulnerability DB
A community-led vulnerabilities database
A code execution vulnerability (CVE-2021-21898) was discovered in the dwgCompressor::decompress18() functionality of LibreCAD libdxfrw 2.2.0-rc2-19-ge02f3580. A specially crafted .dwg file can trigger an out-of-bounds write during decompression (Talos Report, CVE Details).
The bug is in dwgCompressor::decompress18(): the literal-run length returned by litLength18() is read straight from the compressed data and used to copy bytes into the output buffer without checking that the run fits in the space remaining, so a crafted file can write past the end of the heap-allocated decompression buffer. Talos rates it CVSSv3 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), and it is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) (Talos Report).
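The following C program is an added illustration of the bug class, not libdxfrw's own decompress18() or litLength18() code. It models a simplified R18-style literal-run copy with an assumed length encoding (a byte 0x01..0x0F means length = byte + 3; a 0x00 byte starts an extended length that grows by 0xFF per further zero byte), shows the unchecked copy beside the hardened one, and decodes two constructed streams: a well-formed one and a crafted one whose declared run is larger than the output buffer. The constructed inputs, buffer sizes and return codes are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the literal-run copy in an R18-style DWG decompressor.
 * Added illustration only; not libdxfrw's dwgCompressor code. */
enum { DEC_OK = 0, DEC_TRUNCATED = -1, DEC_OUTPUT_OVERFLOW = -2, DEC_UNSUPPORTED = -3 };

typedef struct {
    const uint8_t *src; size_t src_len; size_t src_pos;   /* compressed input   */
    uint8_t *dst;       size_t dst_len; size_t dst_pos;   /* decompressed output */
} dec_state;

/* Assumed length encoding, loosely modelled on the R18 scheme:
 *   0x01..0x0F -> length = byte + 3
 *   0x00       -> extended: start at 0x0F, add 0xFF per further 0x00 byte,
 *                 then add the first non-zero byte, plus 3
 *   > 0x0F     -> other opcodes in the real format; rejected in this model
 * Four input bytes (00 00 00 01) therefore declare a 529-byte run. */
static int read_lit_length(dec_state *s, size_t *out_len)
{
    if (s->src_pos >= s->src_len) return DEC_TRUNCATED;
    uint8_t b = s->src[s->src_pos++];
    if (b > 0x0F) return DEC_UNSUPPORTED;
    size_t n = 0;
    if (b == 0x00) {
        n = 0x0F;
        for (;;) {
            if (s->src_pos >= s->src_len) return DEC_TRUNCATED;
            b = s->src[s->src_pos++];
            if (b != 0x00) break;
            n += 0xFF;
        }
    }
    *out_len = n + b + 3;
    return DEC_OK;
}

/* Vulnerable shape: the length came from the file and is trusted. On a crafted
 * stream this writes past dst, which is the heap overflow in CVE-2021-21898.
 * It is only ever run on the well-formed stream below. */
static void copy_literals_unchecked(dec_state *s, size_t n)
{
    memcpy(s->dst + s->dst_pos, s->src + s->src_pos, n);
    s->src_pos += n;
    s->dst_pos += n;
}

/* Hardened shape: the run must fit the remaining output (the missing check)
 * and the remaining input (otherwise the copy reads out of bounds). */
static int copy_literals_checked(dec_state *s, size_t n)
{
    if (n > s->dst_len - s->dst_pos) return DEC_OUTPUT_OVERFLOW;
    if (n > s->src_len - s->src_pos) return DEC_TRUNCATED;
    memcpy(s->dst + s->dst_pos, s->src + s->src_pos, n);
    s->src_pos += n;
    s->dst_pos += n;
    return DEC_OK;
}

/* Decode a stream of literal runs; `checked` selects the copy routine.
 * On error the checked path has written nothing beyond dst_len. */
static int decompress_model(const uint8_t *src, size_t src_len, uint8_t *dst,
                            size_t dst_len, int checked, size_t *written)
{
    dec_state s = { src, src_len, 0, dst, dst_len, 0 };
    while (s.src_pos < s.src_len) {
        size_t n;
        int rc = read_lit_length(&s, &n);
        if (rc != DEC_OK) return rc;
        if (checked) { rc = copy_literals_checked(&s, n); if (rc != DEC_OK) return rc; }
        else copy_literals_unchecked(&s, n);
    }
    *written = s.dst_pos;
    return DEC_OK;
}

/* Constructed well-formed stream: runs "ABCD" (0x01 -> 4) and "EFGHI" (0x02 -> 5).
 * Returns bytes written (9), or -1 if the output is wrong. */
static int benign_case(int checked)
{
    static const uint8_t in[] = { 0x01,'A','B','C','D', 0x02,'E','F','G','H','I' };
    uint8_t out[16] = {0};
    size_t written = 0;
    if (decompress_model(in, sizeof in, out, sizeof out, checked, &written) != DEC_OK) return -1;
    if (written != 9 || memcmp(out, "ABCDEFGHI", 9) != 0) return -1;
    return (int)written;
}

/* Constructed crafted stream: 0x0F declares an 18-byte run into a 16-byte buffer
 * and the 18 literal bytes really are present, so only the output check stands
 * between the copy and the overflow. Returns the decoder status, or -99 if any
 * output byte was touched. */
static int crafted_case(void)
{
    uint8_t in[1 + 18];
    in[0] = 0x0F;
    memset(in + 1, 'X', 18);
    uint8_t out[16] = {0};
    size_t written = 0;
    int rc = decompress_model(in, sizeof in, out, sizeof out, 1, &written);
    for (size_t i = 0; i < sizeof out; i++) if (out[i] != 0) return -99;
    return rc;
}

/* Length declared by the extended prefix 00 00 00 01 (529 under the model). */
static long extended_prefix_length(void)
{
    static const uint8_t in[] = { 0x00, 0x00, 0x00, 0x01 };
    dec_state s = { in, sizeof in, 0, NULL, 0, 0 };
    size_t n = 0;
    if (read_lit_length(&s, &n) != DEC_OK) return -1;
    return (long)n;
}

int main(void)
{
    printf("benign, unchecked copy: %d bytes\n", benign_case(0));
    printf("benign, checked copy:   %d bytes\n", benign_case(1));
    printf("crafted, checked copy:  rc=%d (DEC_OUTPUT_OVERFLOW is %d)\n", crafted_case(), DEC_OUTPUT_OVERFLOW);
    printf("prefix 00 00 00 01 declares a %ld-byte run\n", extended_prefix_length());
    return 0;
}
```

The point of the extended-prefix case is that a handful of attacker-controlled bytes can declare a run far larger than any plausible output buffer, so a decompressor must bound the run against the remaining output before copying, and against the remaining input so that a truncated stream does not turn the same copy into an out-of-bounds read.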
Exploitation requires only that a victim open a malicious .dwg file in an application that parses it with the affected libdxfrw; no privileges are needed beyond that user interaction (PR:N, UI:R), and a successful out-of-bounds write can lead to code execution in the context of that application (CVE Details, Talos Report).
Multiple distributions have released fixes. Debian updated its librecad package to 2.1.3-1.2+deb10u1 for buster and 2.1.3-1.3+deb11u1 for bullseye; Fedora 34 and 35 updated to libdxfrw-1.0.1. Because the LibreCAD source tree carries its own copy of libdxfrw, the fixed version to verify depends on how the distribution packages it (the librecad package on Debian, the separate libdxfrw package on Fedora). Users are advised to upgrade to the latest available version (Debian Security, Fedora Update).
Source: This report was generated using AI