Projetos/rpi-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/assimp: security bump to v6.0.2

Browse Source 
For release notes since version 5.4.3, see:
https://github.com/assimp/assimp/releases

This fixes the following vulnerabilities:

- CVE-2025-2750:
    A vulnerability, which was classified as critical, was found in Open
    Asset Import Library Assimp 5.4.3. This affects the function
    Assimp::CSMImporter::InternReadFile of the file
    code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The
    manipulation leads to out-of-bounds write. It is possible to initiate
    the attack remotely. The exploit has been disclosed to the public and
    may be used.
    https://www.cve.org/CVERecord?id=CVE-2025-2750

- CVE-2025-2751:
    A vulnerability has been found in Open Asset Import Library Assimp
    5.4.3 and classified as problematic. This vulnerability affects the
    function Assimp::CSMImporter::InternReadFile of the file
    code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The
    manipulation of the argument na leads to out-of-bounds read. The
    attack can be initiated remotely. The exploit has been disclosed to
    the public and may be used.
    https://www.cve.org/CVERecord?id=CVE-2025-2751

- CVE-2025-2757:
    A vulnerability classified as critical was found in Open Asset Import
    Library Assimp 5.4.3. This vulnerability affects the function
    AI_MD5_PARSE_STRING_IN_QUOTATION of the file
    code/AssetLib/MD5/MD5Parser.cpp of the component MD5 File Handler. The
    manipulation of the argument data leads to heap-based buffer overflow.
    The attack can be initiated remotely. The exploit has been disclosed
    to the public and may be used.
    https://www.cve.org/CVERecord?id=CVE-2025-2757

- CVE-2025-3158:
    A vulnerability, which was classified as critical, has been found in
    Open Asset Import Library Assimp 5.4.3. Affected by this issue is the
    function Assimp::LWO::AnimResolver::UpdateAnimRangeSetup of the file
    code/AssetLib/LWO/LWOAnimation.cpp of the component LWO File Handler.
    The manipulation leads to heap-based buffer overflow. It is possible
    to launch the attack on the local host. The exploit has been disclosed
    to the public and may be used.
    https://www.cve.org/CVERecord?id=CVE-2025-3158

Also, drop local security patches that have been applied upstream

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add link to relase notes]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit is contained in:
Titouan Christophe
2025-07-18 17:19:53 +02:00
committed by Julien Olivain
parent 24639e0f72
commit 3c312f149b
6 changed files with 2 additions and 260 deletions
Download Patch File Download Diff File Expand all files Collapse all files

139
package/assimp/0001-Fix-leak-5762.patch
View File

@@ -1,139 +0,0 @@
From 4024726eca89331503bdab33d0b9186e901bbc45 Mon Sep 17 00:00:00 2001
From: Kim Kulling <kimkulling@users.noreply.github.com>
Date: Sat, 7 Sep 2024 21:02:34 +0200
Subject: [PATCH] Fix leak (#5762)
* Fix leak
* Update utLogger.cpp
Upstream: https://github.com/assimp/assimp/commit/4024726eca89331503bdab33d0b9186e901bbc45
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
code/Common/Assimp.cpp | 13 ++++++---
fuzz/assimp_fuzzer.cc | 2 +-
test/CMakeLists.txt | 1 +
test/unit/Common/utLogger.cpp | 52 +++++++++++++++++++++++++++++++++++
4 files changed, 63 insertions(+), 5 deletions(-)
create mode 100644 test/unit/Common/utLogger.cpp
diff --git a/code/Common/Assimp.cpp b/code/Common/Assimp.cpp
index ef3ee7b5d..91896e405 100644
--- a/code/Common/Assimp.cpp
+++ b/code/Common/Assimp.cpp
@@ -359,20 +359,25 @@ void CallbackToLogRedirector(const char *msg, char *dt) {
s->write(msg);
}
+static LogStream *DefaultStream = nullptr;
+
// ------------------------------------------------------------------------------------------------
ASSIMP_API aiLogStream aiGetPredefinedLogStream(aiDefaultLogStream pStream, const char *file) {
aiLogStream sout;
ASSIMP_BEGIN_EXCEPTION_REGION();
- LogStream *stream = LogStream::createDefaultStream(pStream, file);
- if (!stream) {
+ if (DefaultStream == nullptr) {
+ DefaultStream = LogStream::createDefaultStream(pStream, file);
+ }
+
+ if (!DefaultStream) {
sout.callback = nullptr;
sout.user = nullptr;
} else {
sout.callback = &CallbackToLogRedirector;
- sout.user = (char *)stream;
+ sout.user = (char *)DefaultStream;
}
- gPredefinedStreams.push_back(stream);
+ gPredefinedStreams.push_back(DefaultStream);
ASSIMP_END_EXCEPTION_REGION(aiLogStream);
return sout;
}
diff --git a/fuzz/assimp_fuzzer.cc b/fuzz/assimp_fuzzer.cc
index 8178674e8..91ffd9d69 100644
--- a/fuzz/assimp_fuzzer.cc
+++ b/fuzz/assimp_fuzzer.cc
@@ -47,7 +47,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
using namespace Assimp;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t dataSize) {
- aiLogStream stream = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT,NULL);
+ aiLogStream stream = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
aiAttachLogStream(&stream);
Importer importer;
diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
index 7b7fd850a..1a45adac7 100644
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -100,6 +100,7 @@ SET( COMMON
unit/Common/utBase64.cpp
unit/Common/utHash.cpp
unit/Common/utBaseProcess.cpp
+ unit/Common/utLogger.cpp
)
SET(Geometry
diff --git a/test/unit/Common/utLogger.cpp b/test/unit/Common/utLogger.cpp
new file mode 100644
index 000000000..932240a7f
--- /dev/null
+++ b/test/unit/Common/utLogger.cpp
@@ -0,0 +1,52 @@
+/*
+---------------------------------------------------------------------------
+Open Asset Import Library (assimp)
+---------------------------------------------------------------------------
+
+Copyright (c) 2006-2024, assimp team
+
+All rights reserved.
+
+Redistribution and use of this software in source and binary forms,
+with or without modification, are permitted provided that the following
+conditions are met:
+
+* Redistributions of source code must retain the above
+copyright notice, this list of conditions and the
+following disclaimer.
+
+* Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the
+following disclaimer in the documentation and/or other
+materials provided with the distribution.
+
+* Neither the name of the assimp team, nor the names of its
+contributors may be used to endorse or promote products
+derived from this software without specific prior
+written permission of the assimp team.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+---------------------------------------------------------------------------
+*/
+
+#include "UnitTestPCH.h"
+#include <assimp/Importer.hpp>
+
+using namespace Assimp;
+class utLogger : public ::testing::Test {};
+
+TEST_F(utLogger, aiGetPredefinedLogStream_leak_test) {
+ aiLogStream stream1 = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
+ aiLogStream stream2 = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
+ ASSERT_EQ(stream1.callback, stream2.callback);
+}
--
2.39.5

39
package/assimp/0002-Fix-use-after-free-in-the-CallbackToLogRedirector-59.patch
View File

@@ -1,39 +0,0 @@
From f12e52198669239af525e525ebb68407977f8e34 Mon Sep 17 00:00:00 2001
From: tyler92 <tyler92@inbox.ru>
Date: Wed, 11 Dec 2024 12:17:14 +0200
Subject: [PATCH] Fix use after free in the CallbackToLogRedirector (#5918)
The heap-use-after-free vulnerability occurs in the
CallbackToLogRedirector function. During the process of logging,
a previously freed memory region is accessed, leading to a
use-after-free condition. This vulnerability stems from incorrect
memory management, specifically, freeing a log stream and then
attempting to access it later on.
This patch sets NULL value for The DefaultStream global pointer.
Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
Upstream: https://github.com/assimp/assimp/commit/f12e52198669239af525e525ebb68407977f8e34
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
code/Common/Assimp.cpp | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/code/Common/Assimp.cpp b/code/Common/Assimp.cpp
index 91896e405..22e16bd36 100644
--- a/code/Common/Assimp.cpp
+++ b/code/Common/Assimp.cpp
@@ -416,6 +416,10 @@ ASSIMP_API aiReturn aiDetachLogStream(const aiLogStream *stream) {
DefaultLogger::get()->detachStream(it->second);
delete it->second;
+ if ((Assimp::LogStream *)stream->user == DefaultStream) {
+ DefaultStream = nullptr;
+ }
+
gActiveLogStreams.erase(it);
if (gActiveLogStreams.empty()) {
--
2.39.5

29
package/assimp/0003-ASE-fix-possible-out-of-bound-access.patch
View File

@@ -1,29 +0,0 @@
From 65c95bf3207b81fe522811d45780d72ed41d9c1e Mon Sep 17 00:00:00 2001
From: Kim Kulling <kim.kulling@googlemail.com>
Date: Wed, 12 Mar 2025 20:17:38 +0100
Subject: [PATCH] ASE: Fix possible out of bound access.
Upstream: https://github.com/assimp/assimp/pull/6045
CVE: CVE-2025-3015
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
code/AssetLib/ASE/ASELoader.cpp | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/code/AssetLib/ASE/ASELoader.cpp b/code/AssetLib/ASE/ASELoader.cpp
index eb6b37dc9b..c63edcf6bf 100644
--- a/code/AssetLib/ASE/ASELoader.cpp
+++ b/code/AssetLib/ASE/ASELoader.cpp
@@ -731,6 +731,10 @@ void ASEImporter::BuildUniqueRepresentation(ASE::Mesh &mesh) {
unsigned int iCurrent = 0, fi = 0;
for (std::vector<ASE::Face>::iterator i = mesh.mFaces.begin(); i != mesh.mFaces.end(); ++i, ++fi) {
for (unsigned int n = 0; n < 3; ++n, ++iCurrent) {
+ const uint32_t curIndex = (*i).mIndices[n];
+ if (curIndex >= mesh.mPositions.size()) {
+ throw DeadlyImportError("ASE: Invalid vertex index in face ", fi, ".");
+ }
mPositions[iCurrent] = mesh.mPositions[(*i).mIndices[n]];
// add texture coordinates

41
package/assimp/0004-MDL-limit-max-texture-sizes.patch
View File

@@ -1,41 +0,0 @@
From 5d2a7482312db2e866439a8c05a07ce1e718bed1 Mon Sep 17 00:00:00 2001
From: Kim Kulling <kimkulling@users.noreply.github.com>
Date: Wed, 12 Mar 2025 21:29:33 +0100
Subject: [PATCH] MDL: Limit max texture sizes
- closes https://github.com/assimp/assimp/issues/6022
Upstream: https://github.com/assimp/assimp/pull/6046
CVE: CVE-2025-3016
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
code/AssetLib/MDL/MDLMaterialLoader.cpp | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/code/AssetLib/MDL/MDLMaterialLoader.cpp b/code/AssetLib/MDL/MDLMaterialLoader.cpp
index 2cac8a1e26..2e09992e89 100644
--- a/code/AssetLib/MDL/MDLMaterialLoader.cpp
+++ b/code/AssetLib/MDL/MDLMaterialLoader.cpp
@@ -209,6 +209,8 @@ void MDLImporter::CreateTexture_3DGS_MDL4(const unsigned char *szData,
return;
}
+static const uint32_t MaxTextureSize = 4096;
+
// ------------------------------------------------------------------------------------------------
// Load color data of a texture and convert it to our output format
void MDLImporter::ParseTextureColorData(const unsigned char *szData,
@@ -219,6 +221,11 @@ void MDLImporter::ParseTextureColorData(const unsigned char *szData,
// allocate storage for the texture image
if (do_read) {
+ // check for max texture sizes
+ if (pcNew->mWidth > MaxTextureSize || pcNew->mHeight > MaxTextureSize) {
+ throw DeadlyImportError("Invalid MDL file. A texture is too big.");
+ }
+
if(pcNew->mWidth != 0 && pcNew->mHeight > UINT_MAX/pcNew->mWidth) {
throw DeadlyImportError("Invalid MDL file. A texture is too big.");
}

2
package/assimp/assimp.hash
View File

@@ -1,3 +1,3 @@
# Locally calculated
sha256 66dfbaee288f2bc43172440a55d0235dfc7bf885dda6435c038e8000e79582cb assimp-5.4.3.tar.gz
sha256 d1822d9a19c9205d6e8bc533bf897174ddb360ce504680f294170cc1d6319751 assimp-6.0.2.tar.gz
sha256 147874443d242b4e2bae97036e26ec9d6b37f706174c1bd5ecfcc8c1294cef51 LICENSE

12
package/assimp/assimp.mk
View File

@@ -4,7 +4,7 @@
#
################################################################################
ASSIMP_VERSION = 5.4.3
ASSIMP_VERSION = 6.0.2
ASSIMP_SITE = $(call github,assimp,assimp,v$(ASSIMP_VERSION))
ASSIMP_LICENSE = BSD-3-Clause
ASSIMP_LICENSE_FILES = LICENSE
@@ -12,16 +12,6 @@ ASSIMP_CPE_ID_VENDOR = assimp
ASSIMP_DEPENDENCIES = zlib
ASSIMP_INSTALL_STAGING = YES
# 0001-Fix-leak-5762.patch
# 0002-Fix-use-after-free-in-the-CallbackToLogRedirector-59.patch
ASSIMP_IGNORE_CVES += CVE-2024-48423
# 0003-ASE-fix-possible-out-of-bound-access.patch
ASSIMP_IGNORE_CVES += CVE-2025-3015
# 0004-MDL-limit-max-texture-sizes.patch
ASSIMP_IGNORE_CVES += CVE-2025-3016
# relocation truncated to fit: R_68K_GOT16O. We also need to disable
# optimizations to not run into "Error: value -43420 out of range"
# assembler issues.