From 53b79c08b1f148214a626558863e15ca36cda17b Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 11 Feb 2025 15:57:02 +0800
Subject: [PATCH] Fix CVE-2024-48423,CVE-2024-48424 and CVE-2024-53425
---
 CVE-2024-48423-pre-Fix-leak-5762.patch | 133 ++++++++++++
 CVE-2024-48423.patch | 34 +++
 CVE-2024-48424.patch | 59 ++++++
 ...Add-check-for-invalid-input-argument.patch | 196 ++++++++++++++++++
 CVE-2024-53425.patch | 39 ++++
 assimp.spec | 10 +-
 6 files changed, 470 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-48423-pre-Fix-leak-5762.patch
 create mode 100644 CVE-2024-48423.patch
 create mode 100644 CVE-2024-48424.patch
 create mode 100644 CVE-2024-53425-pre-Fix-Add-check-for-invalid-input-argument.patch
 create mode 100644 CVE-2024-53425.patch
diff --git a/CVE-2024-48423-pre-Fix-leak-5762.patch b/CVE-2024-48423-pre-Fix-leak-5762.patch
new file mode 100644
index 0000000..ffbc932
--- /dev/null
+++ b/CVE-2024-48423-pre-Fix-leak-5762.patch
@@ -0,0 +1,133 @@
+From 4024726eca89331503bdab33d0b9186e901bbc45 Mon Sep 17 00:00:00 2001
+From: Kim Kulling
+Date: Sat, 7 Sep 2024 21:02:34 +0200
+Subject: [PATCH] Fix leak (#5762)
+
+* Fix leak
+
+* Update utLogger.cpp
+---
+ code/Common/Assimp.cpp | 13 ++++++---
+ fuzz/assimp_fuzzer.cc | 2 +-
+ test/CMakeLists.txt | 1 +
+ test/unit/Common/utLogger.cpp | 52 +++++++++++++++++++++++++++++++++++
+ 4 files changed, 63 insertions(+), 5 deletions(-)
+ create mode 100644 test/unit/Common/utLogger.cpp
+
+diff --git a/code/Common/Assimp.cpp b/code/Common/Assimp.cpp
+index ef3ee7b5d8..91896e4059 100644
+--- a/code/Common/Assimp.cpp
++++ b/code/Common/Assimp.cpp
+@@ -359,20 +359,25 @@ void CallbackToLogRedirector(const char *msg, char *dt) {
+ s->write(msg);
+ }
+
++static LogStream *DefaultStream = nullptr;
++
+ // ------------------------------------------------------------------------------------------------
+ ASSIMP_API aiLogStream aiGetPredefinedLogStream(aiDefaultLogStream pStream, const char *file) {
+ aiLogStream sout;
+
+ ASSIMP_BEGIN_EXCEPTION_REGION();
+- LogStream *stream = LogStream::createDefaultStream(pStream, file);
+- if (!stream) {
++ if (DefaultStream == nullptr) {
++ DefaultStream = LogStream::createDefaultStream(pStream, file);
++ }
++
++ if (!DefaultStream) {
+ sout.callback = nullptr;
+ sout.user = nullptr;
+ } else {
+ sout.callback = &CallbackToLogRedirector;
+- sout.user = (char *)stream;
++ sout.user = (char *)DefaultStream;
+ }
+- gPredefinedStreams.push_back(stream);
++ gPredefinedStreams.push_back(DefaultStream);
+ ASSIMP_END_EXCEPTION_REGION(aiLogStream);
+ return sout;
+ }
+diff --git a/fuzz/assimp_fuzzer.cc b/fuzz/assimp_fuzzer.cc
+index 8178674e82..91ffd9d692 100644
+--- a/fuzz/assimp_fuzzer.cc
++++ b/fuzz/assimp_fuzzer.cc
+@@ -47,7 +47,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ using namespace Assimp;
+
+ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t dataSize) {
+- aiLogStream stream = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT,NULL);
++ aiLogStream stream = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
+ aiAttachLogStream(&stream);
+
+ Importer importer;
+diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
+index 7b7fd850ae..1a45adac7e 100644
+--- a/test/CMakeLists.txt
++++ b/test/CMakeLists.txt
+@@ -100,6 +100,7 @@ SET( COMMON
+ unit/Common/utBase64.cpp
+ unit/Common/utHash.cpp
+ unit/Common/utBaseProcess.cpp
++ unit/Common/utLogger.cpp
+ )
+
+ SET(Geometry
+diff --git a/test/unit/Common/utLogger.cpp b/test/unit/Common/utLogger.cpp
+new file mode 100644
+index 0000000000..932240a7f6
+--- /dev/null
++++ b/test/unit/Common/utLogger.cpp
+@@ -0,0 +1,52 @@
++/*
++---------------------------------------------------------------------------
++Open Asset Import Library (assimp)
++---------------------------------------------------------------------------
++
++Copyright (c) 2006-2024, assimp team
++
++All rights reserved.
++
++Redistribution and use of this software in source and binary forms,
++with or without modification, are permitted provided that the following
++conditions are met:
++
++* Redistributions of source code must retain the above
++copyright notice, this list of conditions and the
++following disclaimer.
++
++* Redistributions in binary form must reproduce the above
++copyright notice, this list of conditions and the
++following disclaimer in the documentation and/or other
++materials provided with the distribution.
++
++* Neither the name of the assimp team, nor the names of its
++contributors may be used to endorse or promote products
++derived from this software without specific prior
++written permission of the assimp team.
++
++THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
++A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
++OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++---------------------------------------------------------------------------
++*/
++
++#include "UnitTestPCH.h"
++#include
++
++using namespace Assimp;
++class utLogger : public ::testing::Test {};
++
++TEST_F(utLogger, aiGetPredefinedLogStream_leak_test) {
++ aiLogStream stream1 = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
++ aiLogStream stream2 = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
++ ASSERT_EQ(stream1.callback, stream2.callback);
++}
diff --git a/CVE-2024-48423.patch b/CVE-2024-48423.patch
new file mode 100644
index 0000000..a1fd324
--- /dev/null
+++ b/CVE-2024-48423.patch
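Review bot: In the `aiGetPredefinedLogStream` hunk, `gPredefinedStreams.push_back(DefaultStream);` still executes on every call although `DefaultStream` is now created only once, so each repeated call records the same pointer again; the push belongs inside the `if (DefaultStream == nullptr)` branch, right after `DefaultStream = LogStream::createDefaultStream(pStream, file);`. How `gPredefinedStreams` is consumed is outside this hunk, but any code that walks the list and frees its entries would free one stream several times, and the follow-up CVE-2024-48423.patch only nulls `DefaultStream` on detach without touching the list. The reuse also means `pStream` and `file` from later calls are silently ignored once a stream exists, which deserves a comment on the `static LogStream *DefaultStream` declaration. Finally, the new `utLogger` test asserts `stream1.callback == stream2.callback`, which holds whenever both calls succeed regardless of reuse; `ASSERT_EQ(stream1.user, stream2.user);` is the check that actually proves one stream is shared.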
@@ -0,0 +1,34 @@
+From f12e52198669239af525e525ebb68407977f8e34 Mon Sep 17 00:00:00 2001
+From: tyler92
+Date: Wed, 11 Dec 2024 12:17:14 +0200
+Subject: [PATCH] Fix use after free in the CallbackToLogRedirector (#5918)
+
+The heap-use-after-free vulnerability occurs in the
+CallbackToLogRedirector function. During the process of logging,
+a previously freed memory region is accessed, leading to a
+use-after-free condition. This vulnerability stems from incorrect
+memory management, specifically, freeing a log stream and then
+attempting to access it later on.
+
+This patch sets NULL value for The DefaultStream global pointer.
+
+Co-authored-by: Kim Kulling
+---
+ code/Common/Assimp.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/code/Common/Assimp.cpp b/code/Common/Assimp.cpp
+index 91896e4059..22e16bd36a 100644
+--- a/code/Common/Assimp.cpp
++++ b/code/Common/Assimp.cpp
+@@ -416,6 +416,10 @@ ASSIMP_API aiReturn aiDetachLogStream(const aiLogStream *stream) {
+ DefaultLogger::get()->detachStream(it->second);
+ delete it->second;
+
++ if ((Assimp::LogStream *)stream->user == DefaultStream) {
++ DefaultStream = nullptr;
++ }
++
+ gActiveLogStreams.erase(it);
+
+ if (gActiveLogStreams.empty()) {
diff --git a/CVE-2024-48424.patch b/CVE-2024-48424.patch
new file mode 100644
index 0000000..fdbdf93
--- /dev/null
+++ b/CVE-2024-48424.patch
@@ -0,0 +1,59 @@
+From 2b773f0f5a726c38dda72307b5311c14fc3a76ae Mon Sep 17 00:00:00 2001
+From: tyler92
+Date: Mon, 16 Dec 2024 23:48:45 +0200
+Subject: [PATCH] Fix heap-buffer-overflow in OpenDDLParser (#5919)
+
+Co-authored-by: Kim Kulling
+---
+ contrib/openddlparser/code/OpenDDLParser.cpp | 16 +++++++--------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/contrib/openddlparser/code/OpenDDLParser.cpp b/contrib/openddlparser/code/OpenDDLParser.cpp
+index 3d7dce45ec..26591b5ec8 100644
+--- a/contrib/openddlparser/code/OpenDDLParser.cpp
++++ b/contrib/openddlparser/code/OpenDDLParser.cpp
+@@ -74,12 +74,11 @@ const char *getTypeToken(Value::ValueType type) {
+ return Grammar::PrimitiveTypeToken[(size_t)type];
+ }
+
+-static void logInvalidTokenError(const char *in, const std::string &exp, OpenDDLParser::logCallback callback) {
+- if (callback) {
+- std::string full(in);
+- std::string part(full.substr(0, 50));
++static void logInvalidTokenError(const std::string &in, const std::string &exp, OpenDDLParser::logCallback callback) {
++ if (callback) {\
++ std::string part(in.substr(0, 50));
+ std::stringstream stream;
+- stream << "Invalid token \"" << *in << "\" "
++ stream << "Invalid token \"" << in << "\" "
+ << "(expected \"" << exp << "\") "
+ << "in: \"" << part << "\"";
+ callback(ddl_error_msg, stream.str());
+@@ -306,7 +305,7 @@ char *OpenDDLParser::parseHeader(char *in, char *end) {
+ }
+
+ if (*in != Grammar::CommaSeparator[0] && *in != Grammar::ClosePropertyToken[0]) {
+- logInvalidTokenError(in, Grammar::ClosePropertyToken, m_logCallback);
++ logInvalidTokenError(std::string(in, end), Grammar::ClosePropertyToken, m_logCallback);
+ return nullptr;
+ }
+
+@@ -355,8 +354,7 @@ char *OpenDDLParser::parseStructure(char *in, char *end) {
+ ++in;
+ }
+ } else {
+- ++in;
+- logInvalidTokenError(in, std::string(Grammar::OpenBracketToken), m_logCallback);
++ logInvalidTokenError(std::string(in, end), std::string(Grammar::OpenBracketToken), m_logCallback);
+ error = true;
+ return nullptr;
+ }
+@@ -427,7 +425,7 @@ char *OpenDDLParser::parseStructureBody(char *in, char *end, bool &error) {
+
+ in = lookForNextToken(in, end);
+ if (in == end || *in != '}') {
+- logInvalidTokenError(in == end ? "" : in, std::string(Grammar::CloseBracketToken), m_logCallback);
++ logInvalidTokenError(std::string(in, end), std::string(Grammar::CloseBracketToken), m_logCallback);
+ return nullptr;
+ } else {
+ //in++;
diff --git a/CVE-2024-53425-pre-Fix-Add-check-for-invalid-input-argument.patch b/CVE-2024-53425-pre-Fix-Add-check-for-invalid-input-argument.patch
new file mode 100644
index 0000000..a649706
--- /dev/null
+++ b/CVE-2024-53425-pre-Fix-Add-check-for-invalid-input-argument.patch
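Review bot: `stream << "Invalid token \"" << in << "\" "` in the rewritten `logInvalidTokenError` now inserts the whole remaining input into the message, since every call site passes `std::string(in, end)`, whereas the old code echoed the single character `*in`; only the `part` operand is clamped to 50 bytes, so one malformed file drives its entire unparsed tail into the log callback. Echoing the first character keeps the original message shape: `stream << "Invalid token \"" << (in.empty() ? "" : in.substr(0, 1)) << "\" "`. Separately, `if (callback) {\` carries a stray backslash that only compiles because backslash-newline splices it with the next line; it should be `if (callback) {`. The three call-site hunks sit inside `parseHeader`, `parseStructure` and `parseStructureBody`, whose bodies extend beyond what is shown.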
@@ -0,0 +1,196 @@
+From d7cde433679a6e21e0a5f22e54ea0951783503fe Mon Sep 17 00:00:00 2001
+From: Kim Kulling
+Date: Mon, 2 Oct 2023 10:24:43 +0200
+Subject: [PATCH] Fix: Add check for invalid input argument
+
+---
+ code/AssetLib/MD5/MD5Parser.cpp | 10 +++---
+ code/AssetLib/MD5/MD5Parser.h | 62 ++++++++++++++++++---------------
+ 2 files changed, 38 insertions(+), 34 deletions(-)
+
+diff --git a/code/AssetLib/MD5/MD5Parser.cpp b/code/AssetLib/MD5/MD5Parser.cpp
+index 7d0b41c24a..8da30e28f7 100644
+--- a/code/AssetLib/MD5/MD5Parser.cpp
++++ b/code/AssetLib/MD5/MD5Parser.cpp
+@@ -3,7 +3,7 @@
+ Open Asset Import Library (assimp)
+ ---------------------------------------------------------------------------
+
+-Copyright (c) 2006-2022, assimp team
++Copyright (c) 2006-2023, assimp team
+
+ All rights reserved.
+
+@@ -87,7 +87,7 @@ MD5Parser::MD5Parser(char *_buffer, unsigned int _fileSize) : buffer(_buffer), b
+
+ // ------------------------------------------------------------------------------------------------
+ // Report error to the log stream
+-/*static*/ AI_WONT_RETURN void MD5Parser::ReportError(const char *error, unsigned int line) {
++AI_WONT_RETURN void MD5Parser::ReportError(const char *error, unsigned int line) {
+ char szBuffer[1024];
+ ::ai_snprintf(szBuffer, 1024, "[MD5] Line %u: %s", line, error);
+ throw DeadlyImportError(szBuffer);
+@@ -95,7 +95,7 @@ MD5Parser::MD5Parser(char *_buffer, unsigned int _fileSize) : buffer(_buffer), b
+
+ // ------------------------------------------------------------------------------------------------
+ // Report warning to the log stream
+-/*static*/ void MD5Parser::ReportWarning(const char *warn, unsigned int line) {
++void MD5Parser::ReportWarning(const char *warn, unsigned int line) {
+ char szBuffer[1024];
+ ::snprintf(szBuffer, sizeof(szBuffer), "[MD5] Line %u: %s", line, warn);
+ ASSIMP_LOG_WARN(szBuffer);
+@@ -122,8 +122,8 @@ void MD5Parser::ParseHeader() {
+ // print the command line options to the console
+ // FIX: can break the log length limit, so we need to be careful
+ char *sz = buffer;
+- while (!IsLineEnd(*buffer++))
+- ;
++ while (!IsLineEnd(*buffer++));
++
+ ASSIMP_LOG_INFO(std::string(sz, std::min((uintptr_t)MAX_LOG_MESSAGE_LENGTH, (uintptr_t)(buffer - sz))));
+ SkipSpacesAndLineEnd();
+ }
+diff --git a/code/AssetLib/MD5/MD5Parser.h b/code/AssetLib/MD5/MD5Parser.h
+index ad7367e2ab..9b29fbe851 100644
+--- a/code/AssetLib/MD5/MD5Parser.h
++++ b/code/AssetLib/MD5/MD5Parser.h
+@@ -2,8 +2,7 @@
+ Open Asset Import Library (assimp)
+ ----------------------------------------------------------------------
+
+-Copyright (c) 2006-2022, assimp team
+-
++Copyright (c) 2006-2023, assimp team
+
+ All rights reserved.
+
+@@ -93,7 +92,7 @@ struct Section {
+ std::string mName;
+
+ //! For global elements: the value of the element as string
+- //! Iif !length() the section is not a global element
++ //! if !length() the section is not a global element
+ std::string mGlobalValue;
+ };
+
+@@ -185,7 +184,7 @@ using FrameList = std::vector;
+ */
+ struct VertexDesc {
+ VertexDesc() AI_NO_EXCEPT
+- : mFirstWeight(0), mNumWeights(0) {
++ : mFirstWeight(0), mNumWeights(0) {
+ // empty
+ }
+
+@@ -349,62 +348,61 @@ class MD5Parser {
+ */
+ MD5Parser(char* buffer, unsigned int fileSize);
+
+-
+ // -------------------------------------------------------------------
+ /** Report a specific error message and throw an exception
+ * @param error Error message to be reported
+ * @param line Index of the line where the error occurred
+ */
+- AI_WONT_RETURN static void ReportError (const char* error, unsigned int line) AI_WONT_RETURN_SUFFIX;
++ AI_WONT_RETURN static void ReportError(const char* error, unsigned int line) AI_WONT_RETURN_SUFFIX;
+
+ // -------------------------------------------------------------------
+ /** Report a specific warning
+ * @param warn Warn message to be reported
+ * @param line Index of the line where the error occurred
+ */
+- static void ReportWarning (const char* warn, unsigned int line);
+-
++ static void ReportWarning(const char* warn, unsigned int line);
+
++ // -------------------------------------------------------------------
++ /** Report a specific error
++ * @param error Error message to be reported
++ */
+ AI_WONT_RETURN void ReportError (const char* error) AI_WONT_RETURN_SUFFIX;
+
+- void ReportWarning (const char* warn) {
+- return ReportWarning(warn, lineNumber);
+- }
++ // -------------------------------------------------------------------
++ /** Report a specific warning
++ * @param error Warn message to be reported
++ */
++ void ReportWarning (const char* warn);
+
+ //! List of all sections which have been read
+ SectionList mSections;
+
+ private:
+- // -------------------------------------------------------------------
+- /** Parses a file section. The current file pointer must be outside
+- * of a section.
+- * @param out Receives the section data
+- * @return true if the end of the file has been reached
+- * @throws ImportErrorException if an error occurs
+- */
+ bool ParseSection(Section& out);
+-
+- // -------------------------------------------------------------------
+- /** Parses the file header
+- * @throws ImportErrorException if an error occurs
+- */
+ void ParseHeader();
+-
+ bool SkipLine(const char* in, const char** out);
+ bool SkipLine( );
+ bool SkipSpacesAndLineEnd( const char* in, const char** out);
+ bool SkipSpacesAndLineEnd();
+ bool SkipSpaces();
+
++private:
+ char* buffer;
+ char* bufferEnd;
+ unsigned int fileSize;
+ unsigned int lineNumber;
+ };
+
++// -------------------------------------------------------------------
++inline void MD5Parser::ReportWarning (const char* warn) {
++ return ReportWarning(warn, lineNumber);
++}
++
++// -------------------------------------------------------------------
+ inline void MD5Parser::ReportError(const char* error) {
+ ReportError(error, lineNumber);
+ }
++
+ // -------------------------------------------------------------------
+ inline bool MD5Parser::SkipLine(const char* in, const char** out) {
+ ++lineNumber;
+@@ -418,18 +416,24 @@ inline bool MD5Parser::SkipLine( ) {
+
+ // -------------------------------------------------------------------
+ inline bool MD5Parser::SkipSpacesAndLineEnd( const char* in, const char** out) {
+- bool bHad = false;
+- bool running = true;
++ if (in == bufferEnd) {
++ *out = in;
++ return false;
++ }
++
++ bool bHad = false, running = true;
+ while (running) {
+ if( *in == '\r' || *in == '\n') {
+- // we open files in binary mode, so there could be \r\n sequences ...
++ // we open files in binary mode, so there could be \r\n sequences ...
+ if (!bHad) {
+ bHad = true;
+ ++lineNumber;
+ }
++ } else if (*in == '\t' || *in == ' ') {
++ bHad = false;
++ } else {
++ break;
+ }
+- else if (*in == '\t' || *in == ' ')bHad = false;
+- else break;
+ ++in;
+ if (in == bufferEnd) {
+ break;
diff --git a/CVE-2024-53425.patch b/CVE-2024-53425.patch
new file mode 100644
index 0000000..5ba9287
--- /dev/null
+++ b/CVE-2024-53425.patch
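Review bot: The new Doxygen block above `void ReportWarning (const char* warn);` in MD5Parser.h documents `@param error` while the parameter is `warn`; it should read ` * @param warn Warn message to be reported`. The same hunk deletes the comments on `ParseSection` and `ParseHeader` (`@return true if the end of the file has been reached`, `@throws ImportErrorException if an error occurs`), which were the only written statement of those contracts, so they are better kept on the declarations; the second `private:` it adds is harmless but reads like a leftover. In the MD5Parser.cpp hunk, `while (!IsLineEnd(*buffer++));` is still unbounded on a file without a line terminator; the following CVE-2024-53425.patch in this series replaces exactly that line, so its context depends on this patch being applied first, which the spec's Patch07/Patch08 ordering satisfies. The `SkipSpacesAndLineEnd` guard sets `*out = in` before returning, which keeps the out-parameter contract; the rest of that function and of `ParseHeader` lies outside the hunk.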
@@ -0,0 +1,39 @@
+From ecc8a1c8695560df108d6adc00b3d7b1ba15df9f Mon Sep 17 00:00:00 2001
+From: tyler92
+Date: Tue, 17 Dec 2024 19:57:54 +0200
+Subject: [PATCH] Fix buffer overflow in MD5Parser::SkipSpacesAndLineEnd
+ (#5921)
+Co-authored-by: Kim Kulling
+---
+ code/AssetLib/MD5/MD5Parser.cpp | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/code/AssetLib/MD5/MD5Parser.cpp b/code/AssetLib/MD5/MD5Parser.cpp
+index 2de8d5033c..c5f108586e 100644
+--- a/code/AssetLib/MD5/MD5Parser.cpp
++++ b/code/AssetLib/MD5/MD5Parser.cpp
+@@ -115,14 +115,18 @@ void MD5Parser::ParseHeader() {
+ ReportError("MD5 version tag is unknown (10 is expected)");
+ }
+ SkipLine();
+- if (buffer == bufferEnd) {
+- return;
+- }
+
+ // print the command line options to the console
+- // FIX: can break the log length limit, so we need to be careful
+ char *sz = buffer;
+- while (!IsLineEnd(*buffer++));
++ while (buffer < bufferEnd) {
++ if (IsLineEnd(*buffer++)) {
++ break;
++ }
++ }
++
++ if (buffer == bufferEnd) {
++ return;
++ }
+
+ ASSIMP_LOG_INFO(std::string(sz, std::min((uintptr_t)MAX_LOG_MESSAGE_LENGTH, (uintptr_t)(buffer - sz))));
+ SkipSpacesAndLineEnd();
diff --git a/assimp.spec b/assimp.spec
index 6bd82f5..42e7481 100644
--- a/assimp.spec
+++ b/assimp.spec
@@ -1,6 +1,6 @@
 Name: assimp
 Version: 5.3.1
-Release: 5
+Release: 6
 Summary: Library to load and process various 3D model formats into applications.
 License: BSD and MIT and LGPL-2.1 and LGPL-2.0 and GPL-2.0 and LGPL-3.0 and GPL-3.0
 URL: http://www.assimp.org/
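Review bot: Dropping `// FIX: can break the log length limit, so we need to be careful` leaves the `std::min((uintptr_t)MAX_LOG_MESSAGE_LENGTH, (uintptr_t)(buffer - sz))` clamp two lines below without its rationale; a replacement such as `// the command line can be arbitrarily long, so clamp what we log to MAX_LOG_MESSAGE_LENGTH` should stay next to it. The bounded loop is the right fix, but the relocated `if (buffer == bufferEnd) return;` now also fires when the line terminator is the last byte of the file, so a complete command line in that position is no longer logged and `SkipSpacesAndLineEnd()` is not called; that is probably acceptable, but a one-line comment stating that end-of-buffer after the command line ends header parsing would make it deliberate. `ParseHeader` begins before this hunk.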
@@ -15,6 +15,11 @@ Source0: assimp-%{version}-free.tar.xz
 Patch01: CVE-2024-40724-Fix-out-of-bound-access-5651.patch
 Patch02: CVE-2024-45679.patch
 Patch03: CVE-2024-48425.patch
+Patch04: CVE-2024-48423-pre-Fix-leak-5762.patch
+Patch05: CVE-2024-48423.patch
+Patch06: CVE-2024-48424.patch
+Patch07: CVE-2024-53425-pre-Fix-Add-check-for-invalid-input-argument.patch
+Patch08: CVE-2024-53425.patch
 BuildRequires: gcc-c++ boost-devel cmake dos2unix irrlicht-devel irrXML-devel
 BuildRequires: doxygen poly2tri-devel gtest-devel pkgconfig(zziplib)
@@ -94,6 +99,9 @@ install -m 0644 port/PyAssimp/pyassimp/*.py %{buildroot}%{python3_sitelib}/pyass
 %{python3_sitelib}/pyassimp
 %changelog
+* Tue Feb 11 2025 yaoxin <1024769339@qq.com> - 5.3.1-6
+- Fix CVE-2024-48423,CVE-2024-48424 and CVE-2024-53425
+
 * Sat Oct 26 2024 liningjie - 5.3.1-5
 - Fix CVE-2024-48425
-- 
Gitee