
Cloud Vulnerability DB
A community-led vulnerabilities database
An out-of-bounds read vulnerability exists in the GCode::extrude() functionality of Slic3r libslic3r 1.3.0 and Master Commit b1a5500. The vulnerability was discovered in December 2021 and affects the 3D printing software Slic3r. A specially crafted STL file could lead to information disclosure when processed by the affected versions (CVE Details, Debian Tracker).
The vulnerability occurs in the GCode::extrude() function when an STL file is processed with the --export-gcode argument. The function reads the second-to-last element of paths.back().polyline.points (line 430 of GCode.cpp). Although a polyline should by definition contain more than 2 points, certain STL inputs produce a std::vector of length 2 or fewer, so the read lands outside the heap allocation (HackMD Report).
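The guard that the paragraph above implies, as an added example written for this page and not code from Slic3r: the types Point, Polyline and ExtrusionPath are hypothetical stand-ins for the Slic3r structures the advisory names, secondToLastUnchecked reproduces the unguarded access pattern described, and secondToLastChecked plus countDegeneratePaths show a guarded accessor and a validation pass that enforce the more-than-two-points invariant before the extrusion stage touches the vector.

```cpp
#include <cstddef>
#include <initializer_list>
#include <iostream>
#include <optional>
#include <vector>

// Hypothetical minimal stand-ins for the Slic3r types the advisory names.
// They exist only for this example.
struct Point { double x; double y; };
struct Polyline { std::vector<Point> points; };
struct ExtrusionPath { Polyline polyline; };

Polyline makePolyline(std::initializer_list<Point> pts) {
    return Polyline{std::vector<Point>(pts)};
}

// Invariant stated in the advisory: a polyline contains more than 2 points.
// Anything shorter is treated as malformed input.
bool isWellFormed(const Polyline& pl) {
    return pl.points.size() > 2;
}

// Unguarded access in the style the advisory describes. size() - 2 is
// computed in size_t, so for size() < 2 the index wraps to a huge value and
// the read leaves the heap allocation. Shown for contrast only; this example
// never calls it with a short polyline.
Point secondToLastUnchecked(const Polyline& pl) {
    return pl.points[pl.points.size() - 2];
}

// Hardened accessor: returns std::nullopt instead of reading the heap when
// the invariant does not hold.
std::optional<Point> secondToLastChecked(const Polyline& pl) {
    if (!isWellFormed(pl)) return std::nullopt;
    return pl.points[pl.points.size() - 2];
}

// Validation pass over all paths before extrusion: counts the paths that
// violate the invariant so the caller can reject the file up front.
std::size_t countDegeneratePaths(const std::vector<ExtrusionPath>& paths) {
    std::size_t bad = 0;
    for (const ExtrusionPath& p : paths)
        if (!isWellFormed(p.polyline)) ++bad;
    return bad;
}

// Constructed sample inputs (not taken from any real STL file).
std::vector<ExtrusionPath> sampleGoodPaths() {
    return {ExtrusionPath{makePolyline({{0, 0}, {1, 0}, {2, 0}})},
            ExtrusionPath{makePolyline({{0, 0}, {0, 1}, {1, 1}, {1, 0}})}};
}

std::vector<ExtrusionPath> sampleMalformedPaths() {
    return {ExtrusionPath{makePolyline({{0, 0}, {1, 0}, {2, 0}})},
            ExtrusionPath{makePolyline({{0, 0}, {1, 0}})},  // exactly 2 points
            ExtrusionPath{makePolyline({{0, 0}})},          // 1 point
            ExtrusionPath{makePolyline({})}};               // empty
}

int main() {
    std::cout << "degenerate paths in good sample: "
              << countDegeneratePaths(sampleGoodPaths()) << "\n";
    std::cout << "degenerate paths in malformed sample: "
              << countDegeneratePaths(sampleMalformedPaths()) << "\n";
    auto p = secondToLastChecked(sampleMalformedPaths().back().polyline);
    std::cout << "checked access on empty polyline has value: "
              << (p.has_value() ? "yes" : "no") << "\n";
    return 0;
}
```

The design point is that the check belongs on the input boundary (countDegeneratePaths) as well as at the access (secondToLastChecked): rejecting a malformed file once is cheaper and easier to audit than guarding every index expression in the extrusion code, and the accessor guard remains as defence in depth.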
The out-of-bounds read on heap memory is reported as a heap-buffer-overflow condition and can disclose the contents of adjacent memory, so the impact is information disclosure (HackMD Report).
As of the vulnerability disclosure, the affected versions include Slic3r libslic3r 1.3.0 and Master Commit b1a5500. The Debian security tracker indicates that the vulnerability remains unfixed in several distributions including bookworm, bullseye, and sid (Debian Tracker).
Source: This report was generated using AI