Bug 830374 (CVE-2021-45948) - <media-libs/assimp-5.2.2: Multiple vulnerabilities
Summary: <media-libs/assimp-5.2.2: Multiple vulnerabilities
Alias: CVE-2021-45948
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa?]
Keywords: PullRequest
Depends on: 829957 835089
Reported: 2022-01-01 02:21 UTC by Sam James
Modified: 2022-07-02 23:11 UTC



Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-01 02:21:34 UTC
CVE-2021-45948:

Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-based buffer overflow in _m3d_safestr (called from m3d_load and Assimp::M3DWrapper::M3DWrapper).

There's a bunch of other oss-fuzz fixes in e.g.
and in releases after what we have in tree.

CVE description ("5.1.0 and 5.1.1") seems wrong as the patches themselves for some of the referenced issues
are only in 5.1.0 up.
Comment 1 Larry the Git Cow gentoo-dev 2022-03-12 17:37:16 UTC
The bug has been referenced in the following commit(s):

commit 2e40531368c0cf5ae2d8326fdab7e5a5e67db438
Author:     Bernd Waibel <>
AuthorDate: 2022-03-11 11:55:51 +0000
Commit:     Matthew Smith <>
CommitDate: 2022-03-12 17:30:30 +0000

    media-libs/assimp: bump to 5.2.2
    Removes the doc USE flag, because the documentation is no longer available
    as a pdf on the release page and building it is currently broken.
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <>
    Signed-off-by: Matthew Smith <>

 media-libs/assimp/Manifest                         |  1 +
 media-libs/assimp/assimp-5.2.2.ebuild              | 59 ++++++++++++++++++++++
 .../files/assimp-5.2.2-disable-failing-tests.patch | 52 +++++++++++++++++++ | 24 +++++++++
 media-libs/assimp/metadata.xml                     |  9 +++-
 5 files changed, 144 insertions(+), 1 deletion(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-12 22:31:00 UTC
Thanks, please stable 5.2.2
Comment 3 Bernd 2022-06-26 06:43:15 UTC
The package has already been cleaned. Unfortunately, I overlooked adding a reference to this bug.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-02 23:11:50 UTC