Synopsis
The remote openSUSE host is missing one or more security updates.
Description
The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:21346-1 advisory.
Changes in libredwg:
- Update to snapshot 0.14.8413
* fix dwg_next_entity NULL pointer dereference [CVE-2026-15184, boo#1271170]
* Fix dwg_bmp thumbnail overflow checks [CVE-2026-15181, boo#1271169]
* Resolve NULL pointer dereference (SEGV) in match_BLOCK_HEADER [CVE-2026-9529, boo#1266380]
* Added DXB (binary DXF) support: dwgwrite/dwgread/dwg2dxf accept DXB input/output, and dxfwrite accepts DXB.
* Minor features:
* R2007+ split string stream encoding for Header, Classes, and objects.
* Added cycle checks in entity link chains.
* Added release helpers and improved CI (ODAFileConverter QT6, xvfb-run).
* dwgfuzz: show mode with --version.
- update to 0.14:
* Write support for r2004 (AC1018) DWG files. The encoder now produces compressed, encrypted section headers and the LZ77-compressed object data layout required since r2004.
* Split large object files (encode, decode) into 2 objects, significantly reducing peak memory usage during compilation and enabling parallel builds to scale better.
* dwgadd: handle fields (e.g. layer, ltype, style) can now be set by table-record name in addition to raw handle references.
A string value like `line.layer = FOO` is resolved via dwg_find_tablehandle() at parse time.
* Added DXB (binary DXF) support: dwgwrite/dwgread/dwg2dxf accept DXB input/output, and dxfwrite accepts DXB.
* R2007+ split string stream encoding for Header, Classes, and objects.
* Added cycle checks in entity link chains. GH #1226.
* Added regression tests for decompress_r2007 OOB reads and R2004 section decompression. Added dwgfilter.test.
* Added release helpers and improved CI (ODAFileConverter QT6, xvfb-run).
* dwgfuzz: show mode with --version.
* API/ABI changes (source-incompatible):
* Renamed HEADER/2NDHEADER.is_maint to maint_rel_version.
* Renamed PROXY_OBJECT.dwg_versions.
* Bumped SO_VERSION to 0:14:0.
- Update to snapshot 0.13.4.8200
* Write support for r2004 (AC1018) DWG files. The encoder now produces compressed, encrypted section headers and the LZ77-compressed object data layout required since r2004.
* Split large object files (encode, decode) into 2 objects, significantly reducing peak memory usage during compilation and enabling parallel builds to scale better.
* dwgadd: handle fields (e.g. layer, ltype, style) can now be set by table-record name in addition to raw handle references. A string value like `line.layer = FOO` is resolved via dwg_find_tablehandle() at parse time.
* Fix decompress_R2004_section buffer overflow [CVE-2026-9501, CVE-2026-9502, CVE-2026-9529, CVE-2026-9530, boo#1266377, boo#1266378, boo#1266380, boo#1266287]
* Fix dwg_next_entity NULL pointer dereference [CVE-2026-9503, boo#1266379]
* Fix NULL pointer dereferences in DXF output for corrupted DWG input [CVE-2026-9504, boo#1266321]
* decode: fix decompression overflow [CVE-2026-9605, boo#1266365]
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected libredwg-devel, libredwg-tools and / or libredwg0 packages.
Plugin Details
File Name: openSUSE-2026-21346-1.nasl
Agent: unix
Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Vulnerability Information
CPE: p-cpe:/a:novell:opensuse:libredwg-tools, cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:libredwg0, p-cpe:/a:novell:opensuse:libredwg-devel
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 7/13/2026
Vulnerability Publication Date: 5/25/2026