CVE-2021-45948 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416):
Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-based buffer overflow in _m3d_safestr (called from m3d_load and Assimp::M3DWrapper::M3DWrapper).

---

There's a bunch of other oss-fuzz fixes in e.g. https://github.com/assimp/assimp/compare/d273a784d0859ad5ec68a5cb7774e5ba2081c5a4...3664fe20c07fdbd4d72c5caf68375b056806ab08 and in releases after what we have in tree. CVE description ("5.1.0 and 5.1.1") seems wrong as the patches themselves for some of the referenced issues are only in 5.1.0 up.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e40531368c0cf5ae2d8326fdab7e5a5e67db438

commit 2e40531368c0cf5ae2d8326fdab7e5a5e67db438
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2022-03-11 11:55:51 +0000
Commit:     Matthew Smith <matthew@gentoo.org>
CommitDate: 2022-03-12 17:30:30 +0000

    media-libs/assimp: bump to 5.2.2

    Removes the doc USE flag, because the documentation is no longer
    available as a pdf on the release page and building it is currently
    broken.

    Bug: https://github.com/assimp/assimp/issues/4439
    Bug: https://github.com/assimp/assimp/issues/4438
    Bug: https://github.com/assimp/assimp/issues/4334
    Bug: https://bugs.gentoo.org/830374
    Closes: https://bugs.gentoo.org/829957
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/24485
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 media-libs/assimp/Manifest                                   |  1 +
 media-libs/assimp/assimp-5.2.2.ebuild                        | 59 ++++++++++++++++++++++
 .../files/assimp-5.2.2-disable-failing-tests.patch           | 52 +++++++++++++++++++
 ...ge-of-incompatible-minizip-data-structure.patch           | 24 +++++++++
 media-libs/assimp/metadata.xml                               |  9 +++-
 5 files changed, 144 insertions(+), 1 deletion(-)
Thanks, please stable 5.2.2
The package has already been cleaned. Unfortunately I overlooked adding a reference for this bug. https://github.com/gentoo/gentoo/pull/26058
Thanks!
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=58a9fe7b7a6a60d04a5e5c6cebc8aaaa055cf78d

commit 58a9fe7b7a6a60d04a5e5c6cebc8aaaa055cf78d
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-16 14:26:28 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-16 14:39:35 +0000

    [ GLSA 202210-01 ] Open Asset Import Library ("assimp"): Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/830374
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-01.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
GLSA released, all done!