diff --git a/CVE-2025-3015.patch b/CVE-2025-3015.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f98de7b8d13c7d4b168c4bbc865a6e7d795c676c
--- /dev/null
+++ b/CVE-2025-3015.patch
@@ -0,0 +1,26 @@
+From 7c705fde418d68cca4e8eff56be01b2617b0d6fe Mon Sep 17 00:00:00 2001
+From: Kim Kulling
+Date: Wed, 12 Mar 2025 21:12:02 +0100
+Subject: [PATCH] ASE: Fix possible out of bound access. (#6045)
+---
+ code/AssetLib/ASE/ASELoader.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/code/AssetLib/ASE/ASELoader.cpp b/code/AssetLib/ASE/ASELoader.cpp
+index caa7089..a4372b1 100644
+--- a/code/AssetLib/ASE/ASELoader.cpp
++++ b/code/AssetLib/ASE/ASELoader.cpp
+@@ -752,6 +752,10 @@ void ASEImporter::BuildUniqueRepresentation(ASE::Mesh &mesh) {
+ unsigned int iCurrent = 0, fi = 0;
+ for (std::vector::iterator i = mesh.mFaces.begin(); i != mesh.mFaces.end(); ++i, ++fi) {
+ for (unsigned int n = 0; n < 3; ++n, ++iCurrent) {
++ const uint32_t curIndex = (*i).mIndices[n];
++ if (curIndex >= mesh.mPositions.size()) {
++ throw DeadlyImportError("ASE: Invalid vertex index in face ", fi, ".");
++ }
+ mPositions[iCurrent] = mesh.mPositions[(*i).mIndices[n]];
+
+ // add texture coordinates
+--
+2.46.0
+
diff --git a/CVE-2025-3016.patch b/CVE-2025-3016.patch
new file mode 100644
index 0000000000000000000000000000000000000000..55b0007acad7339eedf43b2b1c0acaf9afeaf422
--- /dev/null
+++ b/CVE-2025-3016.patch
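Review bot: The bound check added to `BuildUniqueRepresentation` in CVE-2025-3015.patch covers only the lookup into `mesh.mPositions`; the texture-coordinate copy that begins after `// add texture coordinates` is outside the hunk, so whether the indices it uses are bounded the same way cannot be confirmed from here and should be checked against the 5.2.4 source this backport applies to. The guard validates `curIndex`, but the unchanged copy on the next line re-reads `(*i).mIndices[n]`; writing it as `mPositions[iCurrent] = mesh.mPositions[curIndex];` would make the checked value and the dereferenced value visibly the same. The function body starts and ends outside the hunk.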
@@ -0,0 +1,38 @@
+From 5d2a7482312db2e866439a8c05a07ce1e718bed1 Mon Sep 17 00:00:00 2001
+From: Kim Kulling
+Date: Wed, 12 Mar 2025 21:29:33 +0100
+Subject: [PATCH] MDL: Limit max texture sizes
+
+- closes https://github.com/assimp/assimp/issues/6022
+---
+ code/AssetLib/MDL/MDLMaterialLoader.cpp | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/code/AssetLib/MDL/MDLMaterialLoader.cpp b/code/AssetLib/MDL/MDLMaterialLoader.cpp
+index 2de43d2..2e93b68 100644
+--- a/code/AssetLib/MDL/MDLMaterialLoader.cpp
++++ b/code/AssetLib/MDL/MDLMaterialLoader.cpp
+@@ -210,6 +210,8 @@ void MDLImporter::CreateTexture_3DGS_MDL4(const unsigned char *szData,
+ return;
+ }
+
++static const uint32_t MaxTextureSize = 4096;
++
+ // ------------------------------------------------------------------------------------------------
+ // Load color data of a texture and convert it to our output format
+ void MDLImporter::ParseTextureColorData(const unsigned char *szData,
+@@ -220,6 +222,11 @@ void MDLImporter::ParseTextureColorData(const unsigned char *szData,
+
+ // allocate storage for the texture image
+ if (do_read) {
++ // check for max texture sizes
++ if (pcNew->mWidth > MaxTextureSize || pcNew->mHeight > MaxTextureSize) {
++ throw DeadlyImportError("Invalid MDL file. A texture is too big.");
++ }
++
+ if(pcNew->mWidth != 0 && pcNew->mHeight > UINT_MAX/pcNew->mWidth) {
+ throw DeadlyImportError("Invalid MDL file. A texture is too big.");
+ }
+--
+2.46.0
+
diff --git a/assimp.spec b/assimp.spec
index 80eadcb244def65b0e51ec59aa9131cf314d04ea..67bf1d01ff6b9c4fd1973abd4d9ce07c36357e9a 100644
--- a/assimp.spec
+++ b/assimp.spec
@@ -1,6 +1,6 @@
 Name: assimp
 Version: 5.2.4
-Release: 4
+Release: 5
 Summary: Library to load and process various 3D model formats into applications.
 License: BSD and MIT and LGPL-2.1 and LGPL-2.0 and GPL-2.0 and LGPL-3.0 and GPL-3.0
 URL: http://www.assimp.org/
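Review bot: In the `ParseTextureColorData` hunk of CVE-2025-3016.patch the new `MaxTextureSize` limit is enforced only inside `if (do_read)`, so a texture handled on the non-reading path is not bounded by it; the function body continues outside the hunk, so whether width and height still feed size arithmetic on that path should be confirmed in the 5.2.4 tree. The limit check and the existing overflow check throw the identical message, which makes the two rejections indistinguishable when triaging import failures; `throw DeadlyImportError("Invalid MDL file. Texture dimensions exceed ", MaxTextureSize, ".");` would separate them. The constant sits between two function definitions with no explanation, and a comment such as `// upper bound for width/height of an MDL texture; larger values are rejected as malformed` would record the intent.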
@@ -9,6 +9,8 @@ Patch0001: 0001-Fix-build-with-zlib.patch Patch0002: CVE-2024-40724-Fix-out-of-bound-access-5651.patch Patch0003: CVE-2024-45679.patch Patch0004: CVE-2024-48425.patch +Patch0005: CVE-2025-3015.patch +Patch0006: CVE-2025-3016.patch BuildRequires: gcc-c++ boost-devel cmake dos2unix irrlicht-devel irrXML-devel BuildRequires: doxygen poly2tri-devel gtest-devel pkgconfig(zzip-zlib-config) @@ -87,6 +89,12 @@ install -m 0644 port/PyAssimp/pyassimp/*.py %{buildroot}%{python3_sitelib}/pyass %{python3_sitelib}/pyassimp %changelog +* Tue Apr 1 2025 changtao - 5.2.4-5 +- Type:CVE +- CVE:CVE-2025-3015 CVE-2025-3016 +- SUG:NA +- DESC:fix CVE-2025-3015 CVE-2025-3016 + * Sat Oct 26 2024 liningjie - 5.2.4-4 - Fix CVE-2024-48425