diff --git a/0001-Fix-leak-5762.patch b/0001-Fix-leak-5762.patch new file mode 100644 index 0000000..1276200 --- /dev/null +++ b/0001-Fix-leak-5762.patch @@ -0,0 +1,136 @@ +From 4024726eca89331503bdab33d0b9186e901bbc45 Mon Sep 17 00:00:00 2001 +From: Kim Kulling +Date: Sat, 7 Sep 2024 21:02:34 +0200 +Subject: [PATCH] Fix leak (#5762) + +* Fix leak + +* Update utLogger.cpp +--- + code/Common/Assimp.cpp | 13 ++++++--- + fuzz/assimp_fuzzer.cc | 2 +- + test/CMakeLists.txt | 1 + + test/unit/Common/utLogger.cpp | 52 +++++++++++++++++++++++++++++++++++ + 4 files changed, 63 insertions(+), 5 deletions(-) + create mode 100644 test/unit/Common/utLogger.cpp + +diff --git a/code/Common/Assimp.cpp b/code/Common/Assimp.cpp +index ef3ee7b5d..91896e405 100644 +--- a/code/Common/Assimp.cpp ++++ b/code/Common/Assimp.cpp +@@ -359,20 +359,25 @@ void CallbackToLogRedirector(const char *msg, char *dt) { + s->write(msg); + } + ++static LogStream *DefaultStream = nullptr; ++ + // ------------------------------------------------------------------------------------------------ + ASSIMP_API aiLogStream aiGetPredefinedLogStream(aiDefaultLogStream pStream, const char *file) { + aiLogStream sout; + + ASSIMP_BEGIN_EXCEPTION_REGION(); +- LogStream *stream = LogStream::createDefaultStream(pStream, file); +- if (!stream) { ++ if (DefaultStream == nullptr) { ++ DefaultStream = LogStream::createDefaultStream(pStream, file); ++ } ++ ++ if (!DefaultStream) { + sout.callback = nullptr; + sout.user = nullptr; + } else { + sout.callback = &CallbackToLogRedirector; +- sout.user = (char *)stream; ++ sout.user = (char *)DefaultStream; + } +- gPredefinedStreams.push_back(stream); ++ gPredefinedStreams.push_back(DefaultStream); + ASSIMP_END_EXCEPTION_REGION(aiLogStream); + return sout; + } +diff --git a/fuzz/assimp_fuzzer.cc b/fuzz/assimp_fuzzer.cc +index 8178674e8..91ffd9d69 100644 +--- a/fuzz/assimp_fuzzer.cc ++++ b/fuzz/assimp_fuzzer.cc +@@ -47,7 +47,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + using namespace Assimp; + + extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t dataSize) { +- aiLogStream stream = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT,NULL); ++ aiLogStream stream = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr); + aiAttachLogStream(&stream); + + Importer importer; +diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt +index 7b7fd850a..1a45adac7 100644 +--- a/test/CMakeLists.txt ++++ b/test/CMakeLists.txt +@@ -100,6 +100,7 @@ SET( COMMON + unit/Common/utBase64.cpp + unit/Common/utHash.cpp + unit/Common/utBaseProcess.cpp ++ unit/Common/utLogger.cpp + ) + + SET(Geometry +diff --git a/test/unit/Common/utLogger.cpp b/test/unit/Common/utLogger.cpp +new file mode 100644 +index 000000000..932240a7f +--- /dev/null ++++ b/test/unit/Common/utLogger.cpp +@@ -0,0 +1,52 @@ ++/* ++--------------------------------------------------------------------------- ++Open Asset Import Library (assimp) ++--------------------------------------------------------------------------- ++ ++Copyright (c) 2006-2024, assimp team ++ ++All rights reserved. ++ ++Redistribution and use of this software in source and binary forms, ++with or without modification, are permitted provided that the following ++conditions are met: ++ ++* Redistributions of source code must retain the above ++copyright notice, this list of conditions and the ++following disclaimer. ++ ++* Redistributions in binary form must reproduce the above ++copyright notice, this list of conditions and the ++following disclaimer in the documentation and/or other ++materials provided with the distribution. ++ ++* Neither the name of the assimp team, nor the names of its ++contributors may be used to endorse or promote products ++derived from this software without specific prior ++written permission of the assimp team. ++ ++THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ++"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ++LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR ++A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT ++OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT ++LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE ++OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++--------------------------------------------------------------------------- ++*/ ++ ++#include "UnitTestPCH.h" ++#include ++ ++using namespace Assimp; ++class utLogger : public ::testing::Test {}; ++ ++TEST_F(utLogger, aiGetPredefinedLogStream_leak_test) { ++ aiLogStream stream1 = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr); ++ aiLogStream stream2 = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr); ++ ASSERT_EQ(stream1.callback, stream2.callback); ++} +-- +2.47.1 + diff --git a/0001-SplitLargeMeshes-Fix-crash-5799.patch b/0001-SplitLargeMeshes-Fix-crash-5799.patch new file mode 100644 index 0000000..6adb033 --- /dev/null +++ b/0001-SplitLargeMeshes-Fix-crash-5799.patch @@ -0,0 +1,29 @@ +From ecdf8d24b85367b22ba353b4f82299d4af7f1f97 Mon Sep 17 00:00:00 2001 +From: Kim Kulling +Date: Mon, 7 Oct 2024 10:30:45 +0200 +Subject: [PATCH] SplitLargeMeshes: Fix crash (#5799) + +- Fix nullptr access when rootnode of the scene is a nullptr. This can happen even if the scene stores any kind of meshes. closes https://github.com/assimp/assimp/issues/5791 +--- + code/PostProcessing/SplitLargeMeshes.cpp | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/code/PostProcessing/SplitLargeMeshes.cpp b/code/PostProcessing/SplitLargeMeshes.cpp +index 3bee28521..cb9727651 100644 +--- a/code/PostProcessing/SplitLargeMeshes.cpp ++++ b/code/PostProcessing/SplitLargeMeshes.cpp +@@ -100,6 +100,11 @@ void SplitLargeMeshesProcess_Triangle::SetupProperties( const Importer* pImp) { + // ------------------------------------------------------------------------------------------------ + // Update a node after some meshes have been split + void SplitLargeMeshesProcess_Triangle::UpdateNode(aiNode* pcNode, const std::vector >& avList) { ++ if (pcNode == nullptr) { ++ ASSIMP_LOG_WARN("UpdateNode skipped, nullptr detected."); ++ return; ++ } ++ + // for every index in out list build a new entry + std::vector aiEntries; + aiEntries.reserve(pcNode->mNumMeshes + 1); +-- +2.47.0 + diff --git a/CVE-2024-48423.patch b/CVE-2024-48423.patch new file mode 100644 index 0000000..5f3d691 --- /dev/null +++ b/CVE-2024-48423.patch @@ -0,0 +1,34 @@ +From f12e52198669239af525e525ebb68407977f8e34 Mon Sep 17 00:00:00 2001 +From: tyler92 +Date: Wed, 11 Dec 2024 12:17:14 +0200 +Subject: [PATCH] Fix use after free in the CallbackToLogRedirector (#5918) + +The heap-use-after-free vulnerability occurs in the +CallbackToLogRedirector function. During the process of logging, +a previously freed memory region is accessed, leading to a +use-after-free condition. This vulnerability stems from incorrect +memory management, specifically, freeing a log stream and then +attempting to access it later on. + +This patch sets NULL value for The DefaultStream global pointer. + +Co-authored-by: Kim Kulling +--- + code/Common/Assimp.cpp | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/code/Common/Assimp.cpp b/code/Common/Assimp.cpp +index 91896e4059..22e16bd36a 100644 +--- a/code/Common/Assimp.cpp ++++ b/code/Common/Assimp.cpp +@@ -416,6 +416,10 @@ ASSIMP_API aiReturn aiDetachLogStream(const aiLogStream *stream) { + DefaultLogger::get()->detachStream(it->second); + delete it->second; + ++ if ((Assimp::LogStream *)stream->user == DefaultStream) { ++ DefaultStream = nullptr; ++ } ++ + gActiveLogStreams.erase(it); + + if (gActiveLogStreams.empty()) { diff --git a/CVE-2024-48424.patch b/CVE-2024-48424.patch new file mode 100644 index 0000000..a67db41 --- /dev/null +++ b/CVE-2024-48424.patch @@ -0,0 +1,59 @@ +From 2b773f0f5a726c38dda72307b5311c14fc3a76ae Mon Sep 17 00:00:00 2001 +From: tyler92 +Date: Mon, 16 Dec 2024 23:48:45 +0200 +Subject: [PATCH] Fix heap-buffer-overflow in OpenDDLParser (#5919) + +Co-authored-by: Kim Kulling +--- + contrib/openddlparser/code/OpenDDLParser.cpp | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/contrib/openddlparser/code/OpenDDLParser.cpp b/contrib/openddlparser/code/OpenDDLParser.cpp +index 3d7dce45ec..26591b5ec8 100644 +--- a/contrib/openddlparser/code/OpenDDLParser.cpp ++++ b/contrib/openddlparser/code/OpenDDLParser.cpp +@@ -74,12 +74,11 @@ const char *getTypeToken(Value::ValueType type) { + return Grammar::PrimitiveTypeToken[(size_t)type]; + } + +-static void logInvalidTokenError(const char *in, const std::string &exp, OpenDDLParser::logCallback callback) { +- if (callback) { +- std::string full(in); +- std::string part(full.substr(0, 50)); ++static void logInvalidTokenError(const std::string &in, const std::string &exp, OpenDDLParser::logCallback callback) { ++ if (callback) {\ ++ std::string part(in.substr(0, 50)); + std::stringstream stream; +- stream << "Invalid token \"" << *in << "\" " ++ stream << "Invalid token \"" << in << "\" " + << "(expected \"" << exp << "\") " + << "in: \"" << part << "\""; + callback(ddl_error_msg, stream.str()); +@@ -306,7 +305,7 @@ char *OpenDDLParser::parseHeader(char *in, char *end) { + } + + if (*in != Grammar::CommaSeparator[0] && *in != Grammar::ClosePropertyToken[0]) { +- logInvalidTokenError(in, Grammar::ClosePropertyToken, m_logCallback); ++ logInvalidTokenError(std::string(in, end), Grammar::ClosePropertyToken, m_logCallback); + return nullptr; + } + +@@ -355,8 +354,7 @@ char *OpenDDLParser::parseStructure(char *in, char *end) { + ++in; + } + } else { +- ++in; +- logInvalidTokenError(in, std::string(Grammar::OpenBracketToken), m_logCallback); ++ logInvalidTokenError(std::string(in, end), std::string(Grammar::OpenBracketToken), m_logCallback); + error = true; + return nullptr; + } +@@ -427,7 +425,7 @@ char *OpenDDLParser::parseStructureBody(char *in, char *end, bool &error) { + + in = lookForNextToken(in, end); + if (in == end || *in != '}') { +- logInvalidTokenError(in == end ? "" : in, std::string(Grammar::CloseBracketToken), m_logCallback); ++ logInvalidTokenError(std::string(in, end), std::string(Grammar::CloseBracketToken), m_logCallback); + return nullptr; + } else { + //in++; diff --git a/CVE-2024-53425.patch b/CVE-2024-53425.patch new file mode 100644 index 0000000..e0c9ed5 --- /dev/null +++ b/CVE-2024-53425.patch @@ -0,0 +1,39 @@ +From ecc8a1c8695560df108d6adc00b3d7b1ba15df9f Mon Sep 17 00:00:00 2001 +From: tyler92 +Date: Tue, 17 Dec 2024 19:57:54 +0200 +Subject: [PATCH] Fix buffer overflow in MD5Parser::SkipSpacesAndLineEnd + (#5921) + +Co-authored-by: Kim Kulling +--- + code/AssetLib/MD5/MD5Parser.cpp | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/code/AssetLib/MD5/MD5Parser.cpp b/code/AssetLib/MD5/MD5Parser.cpp +index 2de8d5033c..c5f108586e 100644 +--- a/code/AssetLib/MD5/MD5Parser.cpp ++++ b/code/AssetLib/MD5/MD5Parser.cpp +@@ -115,14 +115,18 @@ void MD5Parser::ParseHeader() { + ReportError("MD5 version tag is unknown (10 is expected)"); + } + SkipLine(); +- if (buffer == bufferEnd) { +- return; +- } + + // print the command line options to the console +- // FIX: can break the log length limit, so we need to be careful + char *sz = buffer; +- while (!IsLineEnd(*buffer++)); ++ while (buffer < bufferEnd) { ++ if (IsLineEnd(*buffer++)) { ++ break; ++ } ++ } ++ ++ if (buffer == bufferEnd) { ++ return; ++ } + + ASSIMP_LOG_INFO(std::string(sz, std::min((uintptr_t)MAX_LOG_MESSAGE_LENGTH, (uintptr_t)(buffer - sz)))); + SkipSpacesAndLineEnd(); diff --git a/assimp.changes b/assimp.changes index 62415b6..836c6cc 100644 --- a/assimp.changes +++ b/assimp.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Fri Dec 27 08:05:57 UTC 2024 - Christophe Marin + +- Add patches: + * 0001-Fix-leak-5762.patch + * CVE-2024-48423.patch (boo#1232322, CVE-2024-48423) + * CVE-2024-48424.patch (boo#1232323, CVE-2024-48424) + * CVE-2024-53425.patch (boo#1233633, CVE-2024-53425) + +------------------------------------------------------------------- +Wed Oct 30 09:42:38 UTC 2024 - Christophe Marin + +- Add upstream change (boo#1232324, CVE-2024-48425) + * 0001-SplitLargeMeshes-Fix-crash-5799.patch + ------------------------------------------------------------------- Tue Sep 10 07:32:23 UTC 2024 - Christophe Marin diff --git a/assimp.spec b/assimp.spec index dcd40f2..16186dd 100644 --- a/assimp.spec +++ b/assimp.spec @@ -22,9 +22,17 @@ Version: 5.4.3 Release: 0 Summary: Library to load and process 3D scenes from various data formats License: BSD-3-Clause AND MIT -Group: Development/Libraries/C and C++ URL: https://github.com/assimp/assimp Source0: %{name}-%{version}.tar.xz +# PATCH-FIX-UPSTREAM +Patch0: 0001-SplitLargeMeshes-Fix-crash-5799.patch +# PATCH-FIX-UPSTREAM +Patch1: 0001-Fix-leak-5762.patch +Patch2: CVE-2024-48423.patch +# PATCH-FIX-UPSTREAM +Patch3: CVE-2024-48424.patch +# PATCH-FIX-UPSTREAM +Patch4: CVE-2024-53425.patch BuildRequires: cmake >= 3.22 BuildRequires: dos2unix BuildRequires: gcc-c++ @@ -42,7 +50,6 @@ engine-specific format for easy and fast every-day-loading. %package -n libassimp%{sover} Summary: Library to load and process 3D scenes from various data formats -Group: System/Libraries %description -n libassimp%{sover} Assimp is a library to load and process geometric scenes from various data formats. @@ -53,7 +60,6 @@ engine-specific format for easy and fast every-day-loading. %package devel Summary: Headers, docs and command-line utility for assimp -Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: libassimp%{sover} = %{version} Requires: libstdc++-devel