Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package assimp for openSUSE:Factory checked in at 2026-06-03 20:21:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/assimp (Old) and /work/SRC/openSUSE:Factory/.assimp.new.1937 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "assimp" Wed Jun 3 20:21:06 2026 rev:38 rq:1356936 version:6.0.5 Changes: -------- --- /work/SRC/openSUSE:Factory/assimp/assimp.changes 2026-05-10 16:47:26.966631042 +0200 +++ /work/SRC/openSUSE:Factory/.assimp.new.1937/assimp.changes 2026-06-03 20:21:24.818677420 +0200 @@ -1,0 +2,9 @@ +Wed Jun 3 10:22:04 UTC 2026 - Petr Gajdos <[email protected]> + +- added patches + CVE-2026-10197: Affected is the function glTF2Importer:ImportEmbeddedTextures in the library code/AssetLib/glTF2/glTF2Importer.cpp. manipulation results in null pointer dereference [bsc#1266996] + * assimp-CVE-2026-10197.patch + CVE-2026-10199: Affected by this issue is the function glTF2:LazyDict in the library glTF2Asset.h. Manipulation of the argument operator[] leads to null pointer dereference [bsc#1266998] + * assimp-CVE-2026-10199.patch + +------------------------------------------------------------------- @@ -504,0 +514 @@ +- fixes CVE-2025-11277 [bsc#1251019] New: ---- assimp-CVE-2026-10197.patch assimp-CVE-2026-10199.patch ----------(New B)---------- New: CVE-2026-10197: Affected is the function glTF2Importer:ImportEmbeddedTextures in the library code/AssetLib/glTF2/glTF2Importer.cpp. manipulation results in null pointer dereference [bsc#1266996] * assimp-CVE-2026-10197.patch CVE-2026-10199: Affected by this issue is the function glTF2:LazyDict in the library glTF2Asset.h. Manipulation of the argument operator[] leads to null pointer dereference [bsc#1266998] New: CVE-2026-10199: Affected by this issue is the function glTF2:LazyDict in the library glTF2Asset.h. Manipulation of the argument operator[] leads to null pointer dereference [bsc#1266998] * assimp-CVE-2026-10199.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ assimp.spec ++++++ --- /var/tmp/diff_new_pack.nYdeiC/_old 2026-06-03 20:21:25.994726207 +0200 +++ /var/tmp/diff_new_pack.nYdeiC/_new 2026-06-03 20:21:25.998726373 +0200 @@ -28,6 +28,10 @@ Patch0: 0001-Accept-find_package-Assimp-5.x-calls.patch # PATCH-FIX-UPSTREAM -- CVE-2025-70067 Patch1: CVE-2025-70067.patch +# CVE-2026-10199: Affected by this issue is the function glTF2:LazyDict in the library glTF2Asset.h. Manipulation of the argument operator[] leads to null pointer dereference [bsc#1266998] +Patch2: assimp-CVE-2026-10199.patch +# CVE-2026-10197: Affected is the function glTF2Importer:ImportEmbeddedTextures in the library code/AssetLib/glTF2/glTF2Importer.cpp. manipulation results in null pointer dereference [bsc#1266996] +Patch3: assimp-CVE-2026-10197.patch BuildRequires: cmake >= 3.22 BuildRequires: gcc-c++ BuildRequires: pkgconfig ++++++ assimp-CVE-2026-10197.patch ++++++ >From d81f4921ff271e92bc2118de71f502a6f69382c8 Mon Sep 17 00:00:00 2001 From: SAY-5 <[email protected]> Date: Mon, 11 May 2026 21:10:33 -0700 Subject: [PATCH] Fix glTF2 ImportEmbeddedTextures NULL deref when mimeType lacks '/' ImportEmbeddedTextures did strchr(mimeType, '/') + 1 and then null-checked the offset pointer, so a mimeType without a slash produced the bogus address 0x1 and the subsequent strncmp dereferenced it. Check the strchr result before applying the offset. Fixes #6608 Signed-off-by: SAY-5 <[email protected]> --- code/AssetLib/glTF2/glTF2Importer.cpp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) Index: assimp-6.0.5/code/AssetLib/glTF2/glTF2Importer.cpp =================================================================== --- assimp-6.0.5.orig/code/AssetLib/glTF2/glTF2Importer.cpp +++ assimp-6.0.5/code/AssetLib/glTF2/glTF2Importer.cpp @@ -1734,8 +1734,9 @@ void glTF2Importer::ImportEmbeddedTextur tex->pcData = reinterpret_cast<aiTexel *>(data); if (!img.mimeType.empty()) { - const char *ext = strchr(img.mimeType.c_str(), '/') + 1; - if (ext) { + const char *slash = strchr(img.mimeType.c_str(), '/'); + if (slash != nullptr) { + const char *ext = slash + 1; if (strncmp(ext, "jpeg", 4) == 0) { ext = "jpg"; } else if (strcmp(ext, "ktx2") == 0) { // basisu: ktx remains ++++++ assimp-CVE-2026-10199.patch ++++++ >From d24b85319bd70c65883a2b96613e07e23fb95981 Mon Sep 17 00:00:00 2001 From: Sai Asish Y <[email protected]> Date: Tue, 26 May 2026 12:31:36 -0700 Subject: [PATCH] Fix glTF2 ImportAnimations null deref on invalid target node (#6646) * fix(glTF2): guard against null target node in ImportAnimations If a glTF2 animation channel references a node index whose LazyDict slot is null (e.g. animations defined without a matching nodes array), r.nodes[i] dereferences a null pointer and crashes. Validate the Ref before indexing and skip the channel with a warning. Resolves #6611. * fix(glTF2): use raw pointer to clarify null check in ImportAnimations Extract nodePtr from Ref<Node> before the null guard so the checker has a direct pointer variable rather than operator->() in the condition, avoiding a Sonar reliability flag on the indirect dereference pattern. Signed-off-by: Sai Asish Y <[email protected]> --------- Signed-off-by: Sai Asish Y <[email protected]> Co-authored-by: Kim Kulling <[email protected]> --- code/AssetLib/glTF2/glTF2Importer.cpp | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/code/AssetLib/glTF2/glTF2Importer.cpp b/code/AssetLib/glTF2/glTF2Importer.cpp index 99559dfa6a..3eaaf1dd76 100644 --- a/code/AssetLib/glTF2/glTF2Importer.cpp +++ b/code/AssetLib/glTF2/glTF2Importer.cpp @@ -1612,10 +1612,17 @@ void glTF2Importer::ImportAnimations(glTF2::Asset &r) { int j = 0; for (auto &iter : samplers) { if ((nullptr != iter.second.rotation) || (nullptr != iter.second.scale) || (nullptr != iter.second.translation)) { - ai_anim->mChannels[j] = CreateNodeAnim(r, r.nodes[iter.first], iter.second); + Ref<Node> targetNode = r.nodes.Get(iter.first); + Node *nodePtr = targetNode ? targetNode.operator->() : nullptr; + if (!nodePtr) { + ASSIMP_LOG_WARN("Animation ", anim.name, ": Invalid target node index ", iter.first, ". Skipping channel."); + continue; + } + ai_anim->mChannels[j] = CreateNodeAnim(r, *nodePtr, iter.second); ++j; } } + ai_anim->mNumChannels = j; } ai_anim->mNumMorphMeshChannels = numMorphMeshChannels; @@ -1625,10 +1632,17 @@ void glTF2Importer::ImportAnimations(glTF2::Asset &r) { int j = 0; for (auto &iter : samplers) { if (nullptr != iter.second.weight) { - ai_anim->mMorphMeshChannels[j] = CreateMeshMorphAnim(r, r.nodes[iter.first], iter.second); + Ref<Node> targetNode = r.nodes.Get(iter.first); + Node *nodePtr = targetNode ? targetNode.operator->() : nullptr; + if (!nodePtr) { + ASSIMP_LOG_WARN("Animation ", anim.name, ": Invalid target node index ", iter.first, ". Skipping morph channel."); + continue; + } + ai_anim->mMorphMeshChannels[j] = CreateMeshMorphAnim(r, *nodePtr, iter.second); ++j; } } + ai_anim->mNumMorphMeshChannels = j; } // Use the latest key-frame for the duration of the animation
