Bug 308033 (CVE-2010-0280) - <media-libs/lib3ds-2.0.0_rc1: Array index error (CVE-2010-0280)
Summary: <media-libs/lib3ds-2.0.0_rc1: Array index error (CVE-2010-0280)
Alias: CVE-2010-0280
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Reported: 2010-03-06 15:19 UTC by Stefan Behte (RETIRED)
Modified: 2014-05-18 17:51 UTC (History)

lib3ds-2.0.0_rc1.ebuild.patch (lib3ds-2.0.0_rc1.ebuild.patch,560 bytes, patch)
2013-09-18 12:02 UTC, Iván Atienza
build.log (build.log,20.82 KB, text/x-log)
2013-09-18 15:25 UTC, Iván Atienza

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:19:00 UTC
CVE-2010-0280:
  Array index error in Jan Eric Kyprianidis lib3ds 1.x, as used in
  Google SketchUp 7.x before 7.1 M2, allows remote attackers to cause a
  denial of service (memory corruption) or possibly execute arbitrary
  code via crafted structures in a 3DS file, probably related to mesh.c.
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-19 11:03:29 UTC
According to this is fixed in version 2.0 Release Candidate 1, which is tagged in the upstream repo:

Maintainers, please provide an updated ebuild for this security issue.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 02:08:27 UTC
@games: ping, need a bump.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-17 21:21:16 UTC
Security bumped. Arches, please stabilize:
Target arches: amd64 ppc ppc64 x86
Comment 4 Iván Atienza 2013-09-18 12:02:50 UTC
Created attachment 358922

=media-libs/lib3ds-2.0.0_rc1 fails to compile here on ~amd64 without eautoreconf, because of links in the examples, I think. I attach the patch.

Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-18 14:56:18 UTC
I couldn't reproduce that behavior here, could you please attach a full build.log?
Comment 6 Iván Atienza 2013-09-18 15:25:27 UTC
Created attachment 358940

Here it is.

Comment 7 Agostino Sarubbo gentoo-dev 2013-09-21 08:52:25 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-09-21 08:52:47 UTC
x86 stable
Comment 9 David Kredba 2013-09-21 10:56:44 UTC
@Iván Atienza

Thank you. Not knowing that, I killed the examples directory in all source autotools files to get it built :-).
Comment 10 Agostino Sarubbo gentoo-dev 2013-09-22 12:13:23 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-09-22 12:45:32 UTC
ppc stable
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-30 23:28:47 UTC
GLSA drafted and ready for review. 

Maintainers, please drop the vulnerable version.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2014-01-13 17:01:41 UTC
Maintainers, are there any reasons we need to keep 1.3.0 around, as it is still vulnerable?
Comment 14 Mr. Bones. (RETIRED) gentoo-dev 2014-01-13 17:46:30 UTC
Did anyone confirm that lib3ds-2 doesn't break any of the packages that use lib3ds?
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-03-07 13:24:08 UTC
@maintainers: can we clean lib3ds-1.3.0? This has been in cleanup mode for approximately 6 months. Will clean in 15 days if no response is given.
Comment 16 Mr. Bones. (RETIRED) gentoo-dev 2014-03-07 18:11:45 UTC
It's gone.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2014-03-16 13:16:54 UTC
Maintainer(s), thank you for the cleanup!
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-05-18 17:51:43 UTC
This issue was resolved and addressed in
 GLSA 201405-23 at
by GLSA coordinator Sean Amoss (ackle).