Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-based buffer overflow in _m3d_safestr (called from m3d_load and Assimp::M3DWrapper::M3DWrapper).
There's a bunch of other oss-fuzz fixes in e.g. https://github.com/assimp/assimp/compare/d273a784d0859ad5ec68a5cb7774e5ba2081c5a4...3664fe20c07fdbd4d72c5caf68375b056806ab08
and in releases after what we have in tree.
CVE description ("5.1.0 and 5.1.1") seems wrong as the patches themselves for some of the referenced issues
are only in 5.1.0 up.
The bug has been referenced in the following commit(s):
Author: Bernd Waibel <email@example.com>
AuthorDate: 2022-03-11 11:55:51 +0000
Commit: Matthew Smith <firstname.lastname@example.org>
CommitDate: 2022-03-12 17:30:30 +0000
media-libs/assimp: bump to 5.2.2
Removes the doc USE flag, because the documentation is no longer available
as a pdf on the release page and building it is currently broken.
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Bernd Waibel <email@example.com>
Signed-off-by: Matthew Smith <firstname.lastname@example.org>
media-libs/assimp/Manifest | 1 +
media-libs/assimp/assimp-5.2.2.ebuild | 59 ++++++++++++++++++++++
.../files/assimp-5.2.2-disable-failing-tests.patch | 52 +++++++++++++++++++
...ge-of-incompatible-minizip-data-structure.patch | 24 +++++++++
media-libs/assimp/metadata.xml | 9 +++-
5 files changed, 144 insertions(+), 1 deletion(-)
Thanks, please stable 5.2.2
The package has already been cleaned. Unfortunately, I overlooked adding a reference to this bug.