CVE-2021-45342: 
NixOS vulnerability analysis and mitigation

A buffer overflow vulnerability was discovered in the CDataList of the jwwlib component of LibreCAD 2.2.0-rc3 and older versions. The vulnerability was assigned CVE-2021-45342 and was publicly disclosed in December 2021. The issue affects all versions of LibreCAD up to and including version 2.2.0-rc3 (GitHub Issue).

The vulnerability exists in the CDataList entity deserialization functionality within LibreCAD's jwwlib component. Specifically, in the CDataList::Serialize() function, a fixed-size buffer of 512 bytes is declared, but no bounds checking is performed when reading data into this buffer. The CDataList entity provides its own size field, allowing an attacker to specify a size larger than the allocated buffer, resulting in a stack buffer overflow condition (GitHub Issue). The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

When successfully exploited, this vulnerability allows an attacker to achieve Remote Code Execution (RCE) through a specially crafted JWW document. The attacker can gain control over the execution flow with direct control of the instruction pointer (EIP), enabling the execution of arbitrary code with the privileges of the current user (GitHub Issue).

The vulnerability has been fixed in subsequent releases of LibreCAD. Various distributions have released security updates to address this issue: Debian has fixed it in versions 2.1.3-1.2+deb10u1 for Buster and 2.1.3-1.3+deb11u1 for Bullseye (Debian Security), Fedora has addressed it in version 2.2.0-0.15.rc4.fc35 (Fedora Update), and Gentoo has fixed it in version 2.1.3-r7 (Gentoo Security).