Skip to content

Fix cve into assimp #1258

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: rolling
Choose a base branch
from
Open

Fix cve into assimp #1258

wants to merge 3 commits into from

Conversation

mosfet80
Copy link
Contributor

@mosfet80 mosfet80 commented Aug 15, 2024
edited
Loading

Updated assimp .. is need to fix cve https://ubuntu.com/security/CVE-2024-40724
also fix Fixes GHSA-345v-qrhv-w227: Out-of-bounds Read in Assimp::CSMImporter::InternReadFile
Fixes GHSA-4p6w-747g-444c: Heap-based Buffer Overflow in AI_MD5_PARSE_STRING_IN_QUOTATION
Fixes GHSA-6x45-4j6r-r8x8: out of bounds write by assigning to wrong array element count tracking
fix-GHSA-6r79-vpvw-rfjj:
Fixes GHSA-6r79-vpvw-rfjj: Heap-based Buffer Overflow in Assimp::LWO::AnimResolver::UpdateAnimRangeSetup

@mosfet80 mosfet80 requested a review from ahcorde as a code owner August 15, 2024 18:35
@MichaelOrlov
Copy link

@clalancette A friendly ping to follow up on this issue.

ahcorde
ahcorde requested changes Aug 23, 2024
View reviewed changes
Copy link
Contributor

@ahcorde ahcorde left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should stick with the Ubuntu Noble version https://blueprints.launchpad.net/ubuntu/noble/+source/assimp which is 5.3.1

@mosfet80
Copy link
Contributor Author

the vulnerability has already been reported on the ubuntu site. https://bugs.launchpad.net/ubuntu/+source/assimp
..But ..the bug is being analyzed.

Since this is a security issue, we recommend using the secure version. The version also fixes issues when importing large CAD files.

@clalancette
Copy link
Contributor

We should stick with the Ubuntu Noble version https://blueprints.launchpad.net/ubuntu/noble/+source/assimp which is 5.3.1

In this particular case, because it is a CVE, I think we should consider updating it.

That said, the last time we did an update like this we caused a bunch of regressions, so I want to take a closer look before we change anything here.

@clalancette clalancette self-assigned this Aug 23, 2024
mosfet80 and others added 3 commits July 2, 2025 08:37
@mosfet80
Fix cve into assimp
adfc2e6 
Updated assimp .. is need to fix cve https://ubuntu.com/security/CVE-2024-40724

Signed-off-by: mosfet80 <[email protected]>
@mosfet80
Update CMakeLists.txt
a280bca
@mosfet80
Update CMakeLists.txt
165b215 
Fixes CVE-2025-2751: Out-of-bounds Read in Assimp::CSMImporter::InternReadFile 
Fixes CVE-2025-2757: Heap-based Buffer Overflow in AI_MD5_PARSE_STRING_IN_QUOTATION 
Fixes CVE-2025-2750: out of bounds write by assigning to wrong array element count tracking 
fix-CVE-2025-3158: closes #6023 Fixes CVE-2025-3158: Heap-based Buffer Overflow in Assimp::LWO::AnimResolver::UpdateAnimRangeSetup by
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ahcorde ahcorde ahcorde requested changes

Assignees

@clalancette clalancette

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mosfet80 @MichaelOrlov @clalancette @ahcorde