Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package assimp for openSUSE:Factory checked in at 2024-12-29 11:55:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/assimp (Old) and /work/SRC/openSUSE:Factory/.assimp.new.1881 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "assimp" Sun Dec 29 11:55:59 2024 rev:30 rq:1233500 version:5.4.3 Changes: --------
--- /work/SRC/openSUSE:Factory/assimp/assimp.changes 2024-09-18 15:27:10.509571260 +0200
+++ /work/SRC/openSUSE:Factory/.assimp.new.1881/assimp.changes 2024-12-29 11:56:01.710675203 +0100
@@ -1,0 +2,15 @@
+Fri Dec 27 08:05:57 UTC 2024 - Christophe Marin <christo...@krop.fr>
+
+- Add patches:
+ * 0001-Fix-leak-5762.patch
+ * CVE-2024-48423.patch (boo#1232322, CVE-2024-48423)
+ * CVE-2024-48424.patch (boo#1232323, CVE-2024-48424)
+ * CVE-2024-53425.patch (boo#1233633, CVE-2024-53425)
+
+-------------------------------------------------------------------
+Wed Oct 30 09:42:38 UTC 2024 - Christophe Marin <christo...@krop.fr>
+
+- Add upstream change (boo#1232324, CVE-2024-48425)
+ * 0001-SplitLargeMeshes-Fix-crash-5799.patch
+
+-------------------------------------------------------------------
New: ---- 0001-Fix-leak-5762.patch 0001-SplitLargeMeshes-Fix-crash-5799.patch CVE-2024-48423.patch CVE-2024-48424.patch CVE-2024-53425.patch BETA DEBUG BEGIN: New:- Add patches: * 0001-Fix-leak-5762.patch * CVE-2024-48423.patch (boo#1232322, CVE-2024-48423) New:- Add upstream change (boo#1232324, CVE-2024-48425) * 0001-SplitLargeMeshes-Fix-crash-5799.patch New: * 0001-Fix-leak-5762.patch * CVE-2024-48423.patch (boo#1232322, CVE-2024-48423) * CVE-2024-48424.patch (boo#1232323, CVE-2024-48424) New: * CVE-2024-48423.patch (boo#1232322, CVE-2024-48423) * CVE-2024-48424.patch (boo#1232323, CVE-2024-48424) * CVE-2024-53425.patch (boo#1233633, CVE-2024-53425) New: * CVE-2024-48424.patch (boo#1232323, CVE-2024-48424) * CVE-2024-53425.patch (boo#1233633, CVE-2024-53425) BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ assimp.spec ++++++
--- /var/tmp/diff_new_pack.VBopsr/_old 2024-12-29 11:56:02.558709979 +0100
+++ /var/tmp/diff_new_pack.VBopsr/_new 2024-12-29 11:56:02.562710143 +0100
@@ -22,9 +22,17 @@
 Release: 0
 Summary: Library to load and process 3D scenes from various data formats
 License: BSD-3-Clause AND MIT
-Group: Development/Libraries/C and C++
 URL: https://github.com/assimp/assimp
 Source0: %{name}-%{version}.tar.xz
+# PATCH-FIX-UPSTREAM
+Patch0: 0001-SplitLargeMeshes-Fix-crash-5799.patch
+# PATCH-FIX-UPSTREAM
+Patch1: 0001-Fix-leak-5762.patch
+Patch2: CVE-2024-48423.patch
+# PATCH-FIX-UPSTREAM
+Patch3: CVE-2024-48424.patch
+# PATCH-FIX-UPSTREAM
+Patch4: CVE-2024-53425.patch
 BuildRequires: cmake >= 3.22
 BuildRequires: dos2unix
 BuildRequires: gcc-c++
@@ -42,7 +50,6 @@
 %package -n libassimp%{sover}
 Summary: Library to load and process 3D scenes from various data formats
-Group: System/Libraries
 %description -n libassimp%{sover}
 Assimp is a library to load and process geometric scenes from various data formats.
@@ -53,7 +60,6 @@
 %package devel
 Summary: Headers, docs and command-line utility for assimp
-Group: Development/Libraries/C and C++
 Requires: glibc-devel
 Requires: libassimp%{sover} = %{version}
 Requires: libstdc++-devel
++++++ 0001-Fix-leak-5762.patch ++++++
>From 4024726eca89331503bdab33d0b9186e901bbc45 Mon Sep 17 00:00:00 2001
From: Kim Kulling <kimkull...@users.noreply.github.com>
Date: Sat, 7 Sep 2024 21:02:34 +0200
Subject: [PATCH] Fix leak (#5762) * Fix leak * Update utLogger.cpp
---
 code/Common/Assimp.cpp | 13 ++++++---
 fuzz/assimp_fuzzer.cc | 2 +-
 test/CMakeLists.txt | 1 +
 test/unit/Common/utLogger.cpp | 52 +++++++++++++++++++++++++++++++++++
 4 files changed, 63 insertions(+), 5 deletions(-)
 create mode 100644 test/unit/Common/utLogger.cpp
diff --git a/code/Common/Assimp.cpp b/code/Common/Assimp.cpp
index ef3ee7b5d..91896e405 100644
--- a/code/Common/Assimp.cpp
+++ b/code/Common/Assimp.cpp
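Review bot: `Patch2: CVE-2024-48423.patch` is the only added patch line in the first hunk without its own `# PATCH-FIX-UPSTREAM` tag, and nothing records that it has to be applied after Patch1. CVE-2024-48423.patch edits the `DefaultStream` pointer that 0001-Fix-leak-5762.patch introduces, so dropping or reordering Patch1 later would break the security fix. A comment above Patch2 such as `# PATCH-FIX-UPSTREAM -- CVE-2024-48423 (boo#1232322), applies on top of Patch1 (DefaultStream)` would make both the origin and the dependency explicit.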
@@ -359,20 +359,25 @@ void CallbackToLogRedirector(const char *msg, char *dt) {
 s->write(msg);
 }
+static LogStream *DefaultStream = nullptr;
+
 // ------------------------------------------------------------------------------------------------
 ASSIMP_API aiLogStream aiGetPredefinedLogStream(aiDefaultLogStream pStream, const char *file) {
 aiLogStream sout;
 ASSIMP_BEGIN_EXCEPTION_REGION();
- LogStream *stream = LogStream::createDefaultStream(pStream, file);
- if (!stream) {
+ if (DefaultStream == nullptr) {
+ DefaultStream = LogStream::createDefaultStream(pStream, file);
+ }
+
+ if (!DefaultStream) {
 sout.callback = nullptr;
 sout.user = nullptr;
 } else {
 sout.callback = &CallbackToLogRedirector;
- sout.user = (char *)stream;
+ sout.user = (char *)DefaultStream;
 }
- gPredefinedStreams.push_back(stream);
+ gPredefinedStreams.push_back(DefaultStream);
 ASSIMP_END_EXCEPTION_REGION(aiLogStream);
 return sout;
 }
diff --git a/fuzz/assimp_fuzzer.cc b/fuzz/assimp_fuzzer.cc
index 8178674e8..91ffd9d69 100644
--- a/fuzz/assimp_fuzzer.cc
+++ b/fuzz/assimp_fuzzer.cc
@@ -47,7 +47,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 using namespace Assimp;
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t dataSize) {
- aiLogStream stream = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT,NULL);
+ aiLogStream stream = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
 aiAttachLogStream(&stream);
 Importer importer;
diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
index 7b7fd850a..1a45adac7 100644
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -100,6 +100,7 @@ SET( COMMON
 unit/Common/utBase64.cpp
 unit/Common/utHash.cpp
 unit/Common/utBaseProcess.cpp
+ unit/Common/utLogger.cpp
 )
 SET(Geometry
diff --git a/test/unit/Common/utLogger.cpp b/test/unit/Common/utLogger.cpp
new file mode 100644
index 000000000..932240a7f
--- /dev/null
+++ b/test/unit/Common/utLogger.cpp
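Review bot: In aiGetPredefinedLogStream the cached `DefaultStream` is created from the first call's `pStream` and `file` and then handed back on every later call, so a request for a different predefined stream type or log file silently receives the first one. `gPredefinedStreams.push_back(DefaultStream)` still runs on each call, so the same pointer (or nullptr after a failed creation) is stored repeatedly; if that list is ever walked to delete its entries, which this hunk does not show, one object would be freed more than once. Nothing in this patch clears the pointer when the stream is destroyed, which is the dangling-pointer case the CVE-2024-48423.patch on this page addresses afterwards. Consider moving the `push_back` inside the `if (DefaultStream == nullptr)` block and adding a comment that the arguments are ignored once a stream has been cached.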
@@ -0,0 +1,52 @@
+/*
+---------------------------------------------------------------------------
+Open Asset Import Library (assimp)
+---------------------------------------------------------------------------
+
+Copyright (c) 2006-2024, assimp team
+
+All rights reserved.
+
+Redistribution and use of this software in source and binary forms,
+with or without modification, are permitted provided that the following
+conditions are met:
+
+* Redistributions of source code must retain the above
+copyright notice, this list of conditions and the
+following disclaimer.
+
+* Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the
+following disclaimer in the documentation and/or other
+materials provided with the distribution.
+
+* Neither the name of the assimp team, nor the names of its
+contributors may be used to endorse or promote products
+derived from this software without specific prior
+written permission of the assimp team.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+---------------------------------------------------------------------------
+*/
+
+#include "UnitTestPCH.h"
+#include <assimp/Importer.hpp>
+
+using namespace Assimp;
+class utLogger : public ::testing::Test {};
+
+TEST_F(utLogger, aiGetPredefinedLogStream_leak_test) {
+ aiLogStream stream1 = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
+ aiLogStream stream2 = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
+ ASSERT_EQ(stream1.callback, stream2.callback);
+}
--
2.47.1
++++++ 0001-SplitLargeMeshes-Fix-crash-5799.patch ++++++
>From ecdf8d24b85367b22ba353b4f82299d4af7f1f97 Mon Sep 17 00:00:00 2001
From: Kim Kulling <kimkull...@users.noreply.github.com>
Date: Mon, 7 Oct 2024 10:30:45 +0200
Subject: [PATCH] SplitLargeMeshes: Fix crash (#5799) - Fix nullptr access when rootnode of the scene is a nullptr. This can happen even if the scene stores any kind of meshes. closes https://github.com/assimp/assimp/issues/5791
---
 code/PostProcessing/SplitLargeMeshes.cpp | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/code/PostProcessing/SplitLargeMeshes.cpp b/code/PostProcessing/SplitLargeMeshes.cpp
index 3bee28521..cb9727651 100644
--- a/code/PostProcessing/SplitLargeMeshes.cpp
+++ b/code/PostProcessing/SplitLargeMeshes.cpp
@@ -100,6 +100,11 @@ void SplitLargeMeshesProcess_Triangle::SetupProperties( const Importer* pImp) {
 // ------------------------------------------------------------------------------------------------
 // Update a node after some meshes have been split
 void SplitLargeMeshesProcess_Triangle::UpdateNode(aiNode* pcNode, const std::vector<std::pair<aiMesh*, unsigned int> >& avList) {
+ if (pcNode == nullptr) {
+ ASSIMP_LOG_WARN("UpdateNode skipped, nullptr detected.");
+ return;
+ }
+
 // for every index in out list build a new entry
 std::vector<unsigned int> aiEntries;
 aiEntries.reserve(pcNode->mNumMeshes + 1);
--
2.47.0
++++++ CVE-2024-48423.patch ++++++
>From f12e52198669239af525e525ebb68407977f8e34 Mon Sep 17 00:00:00 2001
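Review bot: `ASSERT_EQ(stream1.callback, stream2.callback)` in aiGetPredefinedLogStream_leak_test cannot fail for the reason the test is named after, because the patched function assigns `&CallbackToLogRedirector` to `callback` for every successfully created stream, whether it was cached or freshly allocated. The field that shows the stream object is reused is `user`, so the test should also contain `ASSERT_EQ(stream1.user, stream2.user);`. As written, the test would pass with or without the change to Assimp.cpp and gives no regression protection for the leak.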
From: tyler92 <tyle...@inbox.ru>
Date: Wed, 11 Dec 2024 12:17:14 +0200
Subject: [PATCH] Fix use after free in the CallbackToLogRedirector (#5918) The heap-use-after-free vulnerability occurs in the CallbackToLogRedirector function. During the process of logging, a previously freed memory region is accessed, leading to a use-after-free condition. This vulnerability stems from incorrect memory management, specifically, freeing a log stream and then attempting to access it later on. This patch sets NULL value for The DefaultStream global pointer.
Co-authored-by: Kim Kulling <kimkull...@users.noreply.github.com>
---
 code/Common/Assimp.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/code/Common/Assimp.cpp b/code/Common/Assimp.cpp
index 91896e4059..22e16bd36a 100644
--- a/code/Common/Assimp.cpp
+++ b/code/Common/Assimp.cpp
@@ -416,6 +416,10 @@ ASSIMP_API aiReturn aiDetachLogStream(const aiLogStream *stream) {
 DefaultLogger::get()->detachStream(it->second);
 delete it->second;
+ if ((Assimp::LogStream *)stream->user == DefaultStream) {
+ DefaultStream = nullptr;
+ }
+
 gActiveLogStreams.erase(it);
 if (gActiveLogStreams.empty()) {
++++++ CVE-2024-48424.patch ++++++
>From 2b773f0f5a726c38dda72307b5311c14fc3a76ae Mon Sep 17 00:00:00 2001
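Review bot: The reset added to aiDetachLogStream covers only this one teardown path, so `DefaultStream` stays dangling if the stream object is destroyed anywhere else; any detach-all or logger-shutdown routine in Assimp.cpp lies outside this hunk and would need the same reset. The check also depends on the caller passing back an unmodified `stream->user`, which deserves a comment, e.g. `// user is the LogStream handed out by aiGetPredefinedLogStream; drop the cached pointer once it has been freed`. `DefaultStream` is a plain static that is read and written here without any synchronisation visible in the hunk, so concurrent attach and detach from two threads should be ruled out or guarded. The function body begins before and continues after the hunk.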
@@ -74,12 +74,11 @@ const char *getTypeToken(Value::ValueType type) {
 return Grammar::PrimitiveTypeToken[(size_t)type];
 }
-static void logInvalidTokenError(const char *in, const std::string &exp, OpenDDLParser::logCallback callback) {
- if (callback) {
- std::string full(in);
- std::string part(full.substr(0, 50));
+static void logInvalidTokenError(const std::string &in, const std::string &exp, OpenDDLParser::logCallback callback) {
+ if (callback) {\
+ std::string part(in.substr(0, 50));
 std::stringstream stream;
- stream << "Invalid token \"" << *in << "\" "
+ stream << "Invalid token \"" << in << "\" "
 << "(expected \"" << exp << "\") "
 << "in: \"" << part << "\"";
 callback(ddl_error_msg, stream.str());
@@ -306,7 +305,7 @@ char *OpenDDLParser::parseHeader(char *in, char *end) {
 }
 if (*in != Grammar::CommaSeparator[0] && *in != Grammar::ClosePropertyToken[0]) {
- logInvalidTokenError(in, Grammar::ClosePropertyToken, m_logCallback);
+ logInvalidTokenError(std::string(in, end), Grammar::ClosePropertyToken, m_logCallback);
 return nullptr;
 }
@@ -355,8 +354,7 @@ char *OpenDDLParser::parseStructure(char *in, char *end) {
 ++in;
 }
 } else {
- ++in;
- logInvalidTokenError(in, std::string(Grammar::OpenBracketToken), m_logCallback);
+ logInvalidTokenError(std::string(in, end), std::string(Grammar::OpenBracketToken), m_logCallback);
 error = true;
 return nullptr;
 }
@@ -427,7 +425,7 @@ char *OpenDDLParser::parseStructureBody(char *in, char *end, bool &error) {
 in = lookForNextToken(in, end);
 if (in == end || *in != '}') {
- logInvalidTokenError(in == end ? "" : in, std::string(Grammar::CloseBracketToken), m_logCallback);
+ logInvalidTokenError(std::string(in, end), std::string(Grammar::CloseBracketToken), m_logCallback);
 return nullptr;
 } else {
 //in++;
++++++ CVE-2024-53425.patch ++++++
>From ecc8a1c8695560df108d6adc00b3d7b1ba15df9f Mon Sep 17 00:00:00 2001
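Review bot: In logInvalidTokenError the message now streams the whole `in` string where the old code streamed the single character `*in`, and the call sites in parseHeader, parseStructure and parseStructureBody all pass `std::string(in, end)`, so every parse error copies the entire remaining input and writes it to the log callback in full ahead of the 50-character `part` preview. For an untrusted file that means an allocation and a log record proportional to the file size per error; printing only the offending character keeps the old message shape, e.g. `stream << "Invalid token \"" << in.substr(0, 1) << "\" "`, and the callers could pass a bounded slice instead of the full tail. The added line `if (callback) {\` ends in a stray backslash that splices the next line onto it; it compiles but should be removed. `std::string(in, end)` also relies on `in <= end` at all three call sites, which the hunks do not show being guaranteed.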
From: tyler92 <tyle...@inbox.ru>
Date: Tue, 17 Dec 2024 19:57:54 +0200
Subject: [PATCH] Fix buffer overflow in MD5Parser::SkipSpacesAndLineEnd (#5921)
Co-authored-by: Kim Kulling <kimkull...@users.noreply.github.com>
---
 code/AssetLib/MD5/MD5Parser.cpp | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/code/AssetLib/MD5/MD5Parser.cpp b/code/AssetLib/MD5/MD5Parser.cpp
index 2de8d5033c..c5f108586e 100644
--- a/code/AssetLib/MD5/MD5Parser.cpp
+++ b/code/AssetLib/MD5/MD5Parser.cpp
@@ -115,14 +115,18 @@ void MD5Parser::ParseHeader() {
 ReportError("MD5 version tag is unknown (10 is expected)");
 }
 SkipLine();
- if (buffer == bufferEnd) {
- return;
- }
 // print the command line options to the console
- // FIX: can break the log length limit, so we need to be careful
 char *sz = buffer;
- while (!IsLineEnd(*buffer++));
+ while (buffer < bufferEnd) {
+ if (IsLineEnd(*buffer++)) {
+ break;
+ }
+ }
+
+ if (buffer == bufferEnd) {
+ return;
+ }
 ASSIMP_LOG_INFO(std::string(sz, std::min((uintptr_t)MAX_LOG_MESSAGE_LENGTH, (uintptr_t)(buffer - sz))));
 SkipSpacesAndLineEnd();
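Review bot: The bounds handling added to ParseHeader carries no comment explaining the early return, and the removed `// FIX:` line was the only explanation of why the logged length is clamped with `std::min`. A short comment above the new `if (buffer == bufferEnd)` would help, e.g. `// nothing follows the command line: do not log or call SkipSpacesAndLineEnd() at the end of the buffer`. The return is also taken when the line terminator is the last byte of the buffer, so in that case the command line is no longer logged. `if (buffer >= bufferEnd)` would be the more defensive comparison should SkipLine() ever leave `buffer` past the end, which this hunk does not show; the function continues outside the hunk.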