CVE-2022-45748: An issue was discovered with assimp 5.1.4, a use after free occurred in function ColladaParser::ExtractDataObjectFromChannel in file /code/AssetLib/Collada/ColladaParser.cpp. Unfixed, even though one might read the CVE otherwise.
We can manually disable the COLLADA importer and/or exporter. If I read the CVE correctly, only the importer seems to be affected; correct me if I'm wrong. To be on the safe side, we can disable both for the time being.
I agree that it *looks* like the bug is in importer functionality based on the backtraces in the bug, but I don't have any familiarity with this software.
I disable both. Some more tests are failing due to poor test design when these options are disabled, which I also need to take care of.
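The approach discussed above (drop the COLLADA module at configure time, then confirm the built library no longer advertises .dae support), as an added example that is not part of this bug or of the Gentoo ebuild. It assumes assimp's ASSIMP_BUILD_COLLADA_IMPORTER / ASSIMP_BUILD_COLLADA_EXPORTER / ASSIMP_BUILD_ASSIMP_TOOLS CMake options, that the `assimp` CLI lands in build/bin, and that `assimp listext` prints a semicolon-separated list of globs such as `*.3ds;*.dae;*.obj`.

```shell
#!/bin/sh
# Added example (not from the bug thread or the ebuild). Assumed: assimp 5.x
# CMake option names and the output format of `assimp listext`.

# Default configure: every importer/exporter, COLLADA included, is built.
collada_default_cmake_args() {
  printf '%s\n' -DASSIMP_BUILD_ASSIMP_TOOLS=ON
}

# Hardened configure: the COLLADA importer and exporter are both left out,
# mirroring the "disable both to be on the safe side" decision above.
collada_off_cmake_args() {
  printf '%s\n' \
    -DASSIMP_BUILD_ASSIMP_TOOLS=ON \
    -DASSIMP_BUILD_COLLADA_IMPORTER=OFF \
    -DASSIMP_BUILD_COLLADA_EXPORTER=OFF
}

# Returns 0 if an `assimp listext`-style list ("*.3ds;*.dae;*.obj", with or
# without a trailing ';') still advertises COLLADA (.dae) input, 1 otherwise.
lists_collada() {
  case ";$1;" in
    *";*.dae;"*) return 0 ;;
    *)           return 1 ;;
  esac
}

# Configure and build an assimp source checkout ($1, default: cwd) without
# COLLADA, then verify with the built CLI. Returns 1 if .dae is still listed.
build_without_collada() {
  srcdir=${1:-.}
  # shellcheck disable=SC2046  # args contain no whitespace, splitting is intended
  cmake -S "$srcdir" -B build $(collada_off_cmake_args) || return 1
  cmake --build build || return 1
  if lists_collada "$(build/bin/assimp listext)"; then
    echo "COLLADA importer still compiled in" >&2
    return 1
  fi
  echo "COLLADA support absent from build" >&2
}
```

Run `build_without_collada /path/to/assimp` from a shell that has sourced the script; the verification step is the part worth keeping in CI, since a stray `-DASSIMP_BUILD_ALL_IMPORTERS_BY_DEFAULT` override would silently bring the module back.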
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abea5e37fe1b382f5809945fef52c18306cea76c

commit abea5e37fe1b382f5809945fef52c18306cea76c
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2023-01-23 18:15:48 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-02-05 09:12:52 +0000

    media-libs/assimp: don't build COLLADA module

    Avoid a security issue when processing COLLADA files. Don't build the
    module until fixed upstream. Need to drop additional collada related
    tests as well.

    Bug: https://github.com/assimp/assimp/issues/4286
    Bug: https://bugs.gentoo.org/891787
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/29231
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 ...{assimp-5.2.5.ebuild => assimp-5.2.5-r1.ebuild} |  4 ++++
 .../files/assimp-5.2.5-disable-collada-tests.patch | 28 ++++++++++++++++++++++
 2 files changed, 32 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ce431172cf05980f2631ee625acb8597ed392876

commit ce431172cf05980f2631ee625acb8597ed392876
Author:     Bernd Waibel <waebbl-gentoo@posteo.net>
AuthorDate: 2023-02-07 18:51:30 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-02-07 19:14:03 +0000

    media-libs/assimp: drop 5.2.4-r1

    Bug: https://bugs.gentoo.org/891787
    Signed-off-by: Bernd Waibel <waebbl-gentoo@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/29469
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/assimp/Manifest                         |   1 -
 media-libs/assimp/assimp-5.2.4-r1.ebuild           |  67 ---------
 .../files/assimp-5.2.2-disable-failing-tests.patch |  52 -------
 ...ge-of-incompatible-minizip-data-structure.patch |  24 ---
 ...p-5.2.4-drop-failing-tests-for-abi_x86_32.patch | 165 ---------------------
 .../assimp/files/assimp-5.2.4-update-version.patch |  34 -----
 6 files changed, 343 deletions(-)
Thanks!
The bug is closed as fixed upstream. It seems to me that disabling collada should have been reverted already for assimp-5.3.1.ebuild.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71a7f1d715e4937c8057995ca40cb0c7f57a1e82

commit 71a7f1d715e4937c8057995ca40cb0c7f57a1e82
Author:     Paul Zander <negril.nx+gentoo@gmail.com>
AuthorDate: 2024-08-25 12:00:51 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-09-22 16:25:08 +0000

    media-libs/assimp: add 5.4.2-r1

    re-enable opencollada via USE flag, change SLOT

    Bug 891787 (CVE-2022-45748) has been fixed since `5.2.5-r1`, so we can
    re-enable opencollada support and make it optional via `collada` USE flag.

    Mask on loong and riscv for now until opencollada is cleaned up and
    re-keyworded.

    Bug: https://bugs.gentoo.org/891787#c7
    Signed-off-by: Paul Zander <negril.nx+gentoo@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-libs/assimp/assimp-5.4.2-r1.ebuild | 127 +++++++++++++++++++++++++++++++
 media-libs/assimp/metadata.xml           |   1 +
 profiles/arch/loong/package.use.mask     |   4 +
 profiles/arch/riscv/package.use.mask     |   4 +
 4 files changed, 136 insertions(+)