Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 830374 (CVE-2021-45948) - <media-libs/assimp-5.2.2: Multiple vulnerabilities
Summary: <media-libs/assimp-5.2.2: Multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2021-45948
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords: PullRequest
Depends on: 829957 835089
Blocks:
  Show dependency tree
 
Reported: 2022-01-01 02:21 UTC by Sam James
Modified: 2022-07-02 23:11 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-01 02:21:34 UTC
CVE-2021-45948 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416):

Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-based buffer overflow in _m3d_safestr (called from m3d_load and Assimp::M3DWrapper::M3DWrapper).

---
There's a bunch of other oss-fuzz fixes in e.g. https://github.com/assimp/assimp/compare/d273a784d0859ad5ec68a5cb7774e5ba2081c5a4...3664fe20c07fdbd4d72c5caf68375b056806ab08
and in releases after what we have in tree.

CVE description ("5.1.0 and 5.1.1") seems wrong as the patches themselves for some of the referenced issues
are only in 5.1.0 up.
Comment 1 Larry the Git Cow gentoo-dev 2022-03-12 17:37:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e40531368c0cf5ae2d8326fdab7e5a5e67db438

commit 2e40531368c0cf5ae2d8326fdab7e5a5e67db438
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2022-03-11 11:55:51 +0000
Commit:     Matthew Smith <matthew@gentoo.org>
CommitDate: 2022-03-12 17:30:30 +0000

    media-libs/assimp: bump to 5.2.2
    
    Removes the doc USE flag, because the documentation is no longer available
    as a pdf on the release page and building it is currently broken.
    
    Bug: https://github.com/assimp/assimp/issues/4439
    Bug: https://github.com/assimp/assimp/issues/4438
    Bug: https://github.com/assimp/assimp/issues/4334
    Bug: https://bugs.gentoo.org/830374
    Closes: https://bugs.gentoo.org/829957
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/24485
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 media-libs/assimp/Manifest                         |  1 +
 media-libs/assimp/assimp-5.2.2.ebuild              | 59 ++++++++++++++++++++++
 .../files/assimp-5.2.2-disable-failing-tests.patch | 52 +++++++++++++++++++
 ...ge-of-incompatible-minizip-data-structure.patch | 24 +++++++++
 media-libs/assimp/metadata.xml                     |  9 +++-
 5 files changed, 144 insertions(+), 1 deletion(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-12 22:31:00 UTC
Thanks, please stable 5.2.2
Comment 3 Bernd 2022-06-26 06:43:15 UTC
The package has already been cleaned. Unfortunately I've overseen to add a reference for this bug.

https://github.com/gentoo/gentoo/pull/26058
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-02 23:11:50 UTC
Thanks!