Bug 830374 (CVE-2021-45948)

Summary: <media-libs/assimp-5.2.2: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: proxy-maint, waebbl-gentoo
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/24485
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 829957, 835089
Bug Blocks:

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-01 02:21:34 UTC
CVE-2021-45948 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416):

Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-based buffer overflow in _m3d_safestr (called from m3d_load and Assimp::M3DWrapper::M3DWrapper).

---
There's a bunch of other oss-fuzz fixes in e.g. https://github.com/assimp/assimp/compare/d273a784d0859ad5ec68a5cb7774e5ba2081c5a4...3664fe20c07fdbd4d72c5caf68375b056806ab08
and in releases after what we have in tree.

CVE description ("5.1.0 and 5.1.1") seems wrong as the patches themselves for some of the referenced issues
are only in 5.1.0 up.
Comment 1 Larry the Git Cow gentoo-dev 2022-03-12 17:37:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e40531368c0cf5ae2d8326fdab7e5a5e67db438

commit 2e40531368c0cf5ae2d8326fdab7e5a5e67db438
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2022-03-11 11:55:51 +0000
Commit:     Matthew Smith <matthew@gentoo.org>
CommitDate: 2022-03-12 17:30:30 +0000

    media-libs/assimp: bump to 5.2.2
    
    Removes the doc USE flag, because the documentation is no longer available
    as a pdf on the release page and building it is currently broken.
    
    Bug: https://github.com/assimp/assimp/issues/4439
    Bug: https://github.com/assimp/assimp/issues/4438
    Bug: https://github.com/assimp/assimp/issues/4334
    Bug: https://bugs.gentoo.org/830374
    Closes: https://bugs.gentoo.org/829957
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/24485
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 media-libs/assimp/Manifest                         |  1 +
 media-libs/assimp/assimp-5.2.2.ebuild              | 59 ++++++++++++++++++++++
 .../files/assimp-5.2.2-disable-failing-tests.patch | 52 +++++++++++++++++++
 ...ge-of-incompatible-minizip-data-structure.patch | 24 +++++++++
 media-libs/assimp/metadata.xml                     |  9 +++-
 5 files changed, 144 insertions(+), 1 deletion(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-12 22:31:00 UTC
Thanks, please stable 5.2.2
Comment 3 Bernd 2022-06-26 06:43:15 UTC
The package has already been cleaned. Unfortunately I overlooked adding a reference to this bug.

https://github.com/gentoo/gentoo/pull/26058
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-02 23:11:50 UTC
Thanks!
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-27 01:24:04 UTC
GLSA request filed
Comment 6 Larry the Git Cow gentoo-dev 2022-10-16 14:39:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=58a9fe7b7a6a60d04a5e5c6cebc8aaaa055cf78d

commit 58a9fe7b7a6a60d04a5e5c6cebc8aaaa055cf78d
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-16 14:26:28 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 14:39:35 +0000

    [ GLSA 202210-01 ] Open Asset Import Library ("assimp"): Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/830374
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-01.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-16 14:48:28 UTC
GLSA released, all done!