Lilith >_> of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.
Cisco Talos recently discovered an out-of-bounds read vulnerability in Slic3r's library. Slic3r is an open-source 3-D printing toolbox, mainly used to translate assorted 3-D printing model file types into machine code for a specific printer. The software uses libslic3r to perform most of the non-GUI processes, such as reading various file formats, converting between formats and outputting appropriate gcode for the selected 3-D printer settings. An adversary could send a target a specially crafted obj file to cause an out-of-bounds condition.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Slic3r to disclose this vulnerability and ensure that an update is available.
Vulnerability details
Slic3r libslic3r Obj File TriangleMesh::TriangleMesh() out-of-bounds read vulnerability (TALOS-2020-1213/CVE-2020-28590)
An out-of-bounds read vulnerability exists in the Obj File TriangleMesh::TriangleMesh() functionality of Slic3r libslic3r 1.3.0 and Master Commit 92abbc42. A specially crafted obj file could lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.
Read the complete vulnerability advisory here for additional information.
Versions tested
Talos tested and confirmed that this vulnerability affects Slic3r libslic3r version 1.3.0 and Master Commit 92abbc42.
Coverage
The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 56721, 56722