diff --git a/CVE-2025-3015.patch b/CVE-2025-3015.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7804ab74d0901f7be1ae5f091d9003aca2953b1c
--- /dev/null
+++ b/CVE-2025-3015.patch
@@ -0,0 +1,26 @@
+From 7c705fde418d68cca4e8eff56be01b2617b0d6fe Mon Sep 17 00:00:00 2001
+From: Kim Kulling
+Date: Wed, 12 Mar 2025 21:12:02 +0100
+Subject: [PATCH] ASE: Fix possible out of bound access. (#6045)
+---
+ code/AssetLib/ASE/ASELoader.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/code/AssetLib/ASE/ASELoader.cpp b/code/AssetLib/ASE/ASELoader.cpp
+index 4617c9e..a622bb0 100644
+--- a/code/AssetLib/ASE/ASELoader.cpp
++++ b/code/AssetLib/ASE/ASELoader.cpp
+@@ -730,6 +730,10 @@ void ASEImporter::BuildUniqueRepresentation(ASE::Mesh &mesh) {
+ unsigned int iCurrent = 0, fi = 0;
+ for (std::vector::iterator i = mesh.mFaces.begin(); i != mesh.mFaces.end(); ++i, ++fi) {
+ for (unsigned int n = 0; n < 3; ++n, ++iCurrent) {
++ const uint32_t curIndex = (*i).mIndices[n];
++ if (curIndex >= mesh.mPositions.size()) {
++ throw DeadlyImportError("ASE: Invalid vertex index in face ", fi, ".");
++ }
+ mPositions[iCurrent] = mesh.mPositions[(*i).mIndices[n]];
+
+ // add texture coordinates
+--
+2.46.0
+
diff --git a/CVE-2025-3016.patch b/CVE-2025-3016.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e576536de3fda00169644e1b281a29e24b728a99
--- /dev/null
+++ b/CVE-2025-3016.patch
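Review bot: In CVE-2025-3015.patch, the new guard in `ASEImporter::BuildUniqueRepresentation` validates `curIndex`, but the copy on the following line reads `(*i).mIndices[n]` a second time instead of using the checked value; `mPositions[iCurrent] = mesh.mPositions[curIndex];` would keep the validated index and the index actually used identical. The check covers only `mesh.mPositions`. The texture-coordinate handling that begins at the last context line is outside the hunk, so it is worth confirming that the other per-face indices read from the same ASE file are range-checked before they are used there. A short comment such as `// face indices come from the file; reject any that fall outside the position array` would record why the check exists. The function body starts and ends outside the hunk.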
@@ -0,0 +1,38 @@
+From 5d2a7482312db2e866439a8c05a07ce1e718bed1 Mon Sep 17 00:00:00 2001
+From: Kim Kulling
+Date: Wed, 12 Mar 2025 21:29:33 +0100
+Subject: [PATCH] MDL: Limit max texture sizes
+
+- closes https://github.com/assimp/assimp/issues/6022
+---
+ code/AssetLib/MDL/MDLMaterialLoader.cpp | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/code/AssetLib/MDL/MDLMaterialLoader.cpp b/code/AssetLib/MDL/MDLMaterialLoader.cpp
+index 3d39fa6..9ab1944 100644
+--- a/code/AssetLib/MDL/MDLMaterialLoader.cpp
++++ b/code/AssetLib/MDL/MDLMaterialLoader.cpp
+@@ -210,6 +210,8 @@ void MDLImporter::CreateTexture_3DGS_MDL4(const unsigned char *szData,
+ return;
+ }
+
++static const uint32_t MaxTextureSize = 4096;
++
+ // ------------------------------------------------------------------------------------------------
+ // Load color data of a texture and convert it to our output format
+ void MDLImporter::ParseTextureColorData(const unsigned char *szData,
+@@ -220,6 +222,11 @@ void MDLImporter::ParseTextureColorData(const unsigned char *szData,
+
+ // allocate storage for the texture image
+ if (do_read) {
++ // check for max texture sizes
++ if (pcNew->mWidth > MaxTextureSize || pcNew->mHeight > MaxTextureSize) {
++ throw DeadlyImportError("Invalid MDL file. A texture is too big.");
++ }
++
+ if(pcNew->mWidth != 0 && pcNew->mHeight > UINT_MAX/pcNew->mWidth) {
+ throw DeadlyImportError("Invalid MDL file. A texture is too big.");
+ }
+--
+2.46.0
+
diff --git a/assimp.spec b/assimp.spec
index 730cc0672f37e36ec67c3c8b5cfbd8c7aca1d838..a1f608eb993fe99ebd296c4ab10bd41e653e979d 100644
--- a/assimp.spec
+++ b/assimp.spec
@@ -1,6 +1,6 @@
 Name: assimp
 Version: 5.3.1
-Release: 9
+Release: 10
 Summary: Library to load and process various 3D model formats into applications.
 License: BSD and MIT and LGPL-2.1 and LGPL-2.0 and GPL-2.0 and LGPL-3.0 and GPL-3.0
 URL: http://www.assimp.org/
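Review bot: In CVE-2025-3016.patch, the new size cap in `MDLImporter::ParseTextureColorData` throws the same message as the existing `UINT_MAX` overflow check right below it, so an import failure cannot be attributed to one check or the other. A distinct message such as `throw DeadlyImportError("Invalid MDL file. Texture dimensions exceed the supported maximum.");` would make triage of rejected files easier. `MaxTextureSize` is a hard-coded 4096 with no comment, and MDL files with larger textures that loaded before this backport will now be rejected. A line like `// upper bound on texture width/height accepted before allocating pixel storage` above the constant would document the limit. The cap is applied only inside the `do_read` branch, and the rest of the function is outside the hunk, so confirm that the non-reading path cannot use the unchecked dimensions for sizing.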
@@ -21,6 +21,8 @@ Patch06: CVE-2024-48424.patch Patch07: CVE-2024-53425-pre-Fix-Add-check-for-invalid-input-argument.patch Patch08: CVE-2024-53425.patch Patch09: CVE-2025-2151.patch +Patch10: CVE-2025-3015.patch +Patch11: CVE-2025-3016.patch BuildRequires: gcc-c++ boost-devel cmake dos2unix irrlicht-devel irrXML-devel BuildRequires: doxygen poly2tri-devel gtest-devel pkgconfig(zziplib) @@ -86,6 +88,12 @@ install -m 0644 port/PyAssimp/pyassimp/*.py %{buildroot}%{python3_sitelib}/pyass %{python3_sitelib}/pyassimp %changelog +* Tue Apr 1 2025 changtao - 5.3.1-10 +- Type:CVE +- CVE:CVE-2025-3015 CVE-2025-3016 +- SUG:NA +- DESC:fix CVE-2025-3015 CVE-2025-3016 + * Thu Mar 20 2025 wangkai <13474090681@163.com> - 5.3.1-9 - Fix CVE-2025-2151