diff --git a/CVE-2025-3159.patch b/CVE-2025-3159.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a8e7d96564b184d5bea3645f003c090e1f0227d9
--- /dev/null
+++ b/CVE-2025-3159.patch
@@ -0,0 +1,28 @@
+From e8a6286542924e628e02749c4f5ac4f91fdae71b Mon Sep 17 00:00:00 2001
+From: Kim Kulling
+Date: Thu, 13 Mar 2025 16:23:36 +0100
+Subject: [PATCH] ASE: Use correct vertex container (#6051)
+
+- closes https://github.com/assimp/assimp/issues/6024
+---
+ code/AssetLib/ASE/ASEParser.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/code/AssetLib/ASE/ASEParser.cpp b/code/AssetLib/ASE/ASEParser.cpp
+index c43eb42..f697861 100644
+--- a/code/AssetLib/ASE/ASEParser.cpp
++++ b/code/AssetLib/ASE/ASEParser.cpp
+@@ -1382,8 +1382,8 @@ void Parser::ParseLV4MeshBonesVertices(unsigned int iNumVertices, ASE::Mesh &mes
+ if (TokenMatch(filePtr, "MESH_BONE_VERTEX", 16)) {
+ // read the vertex index
+ unsigned int iIndex = strtoul10(filePtr, &filePtr);
+- if (iIndex >= mesh.mPositions.size()) {
+- iIndex = (unsigned int)mesh.mPositions.size() - 1;
++ if (iIndex >= mesh.mBoneVertices.size()) {
++ iIndex = (unsigned int)mesh.mBoneVertices.size() - 1;
+ LogWarning("Bone vertex index is out of bounds. Using the largest valid "
+ "bone vertex index instead");
+ }
+--
+2.41.0
+
diff --git a/CVE-2025-3160.patch b/CVE-2025-3160.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2635a75e9b2ec7a7659ed811044faa46c297011b
--- /dev/null
+++ b/CVE-2025-3160.patch
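Review bot: In the embedded ASEParser.cpp patch, the clamp `iIndex = (unsigned int)mesh.mBoneVertices.size() - 1;` wraps to the largest unsigned value when `mBoneVertices` is empty, so the index that leaves the bounds check is still out of range. Whether the container can be empty at this point depends on code outside the hunk (ParseLV4MeshBonesVertices starts before it and continues after it), so this should be confirmed against how the container is sized from `iNumVertices`. If it can be empty, test `if (mesh.mBoneVertices.empty())` and skip the entry before the clamp. Clamping also silently attaches the bone weights to the last vertex; rejecting the out-of-range entry would be the safer handling for an untrusted ASE file.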
@@ -0,0 +1,29 @@
+From a0993658f40d8e13ff5823990c30b43c82a5daf0 Mon Sep 17 00:00:00 2001
+From: Kim Kulling
+Date: Thu, 13 Mar 2025 10:24:20 +0100
+Subject: [PATCH] Bugfix: Fix possible nullptr dereferencing
+
+- closes https://github.com/assimp/assimp/issues/6025
+---
+ code/Common/SceneCombiner.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/code/Common/SceneCombiner.cpp b/code/Common/SceneCombiner.cpp
+index 0188f5d..4a9c6eb 100644
+--- a/code/Common/SceneCombiner.cpp
++++ b/code/Common/SceneCombiner.cpp
+@@ -95,6 +95,11 @@ inline void PrefixString(aiString &string, const char *prefix, unsigned int len)
+ // ------------------------------------------------------------------------------------------------
+ // Add node identifiers to a hashing set
+ void SceneCombiner::AddNodeHashes(aiNode *node, std::set &hashes) {
++ if (node == nullptr) {
++ ASSIMP_LOG_VERBOSE_DEBUG("Pointer to aiNode is nullptr.");
++ return;
++ }
++
+ // Add node name to hashing set if it is non-empty - empty nodes are allowed
+ // and they can't have any anims assigned so its absolutely safe to duplicate them.
+ if (node->mName.length) {
+--
+2.41.0
+
diff --git a/assimp.spec b/assimp.spec
index 902fa3b13c9a9fb5779e9fcdab4b33a551f5696a..2804c5bceba1ee1a5af3e975f7f136d191c00ac0 100644
--- a/assimp.spec
+++ b/assimp.spec
@@ -1,6 +1,6 @@
 Name: assimp
 Version: 5.3.1
-Release: 8
+Release: 9
 Summary: Library to load and process various 3D model formats into applications.
 License: BSD and MIT and LGPL-2.1 and LGPL-2.0 and GPL-2.0 and LGPL-3.0 and GPL-3.0
 URL: http://www.assimp.org/
@@ -23,6 +23,8 @@ Patch08: CVE-2024-53425.patch
 Patch09: CVE-2025-2151.patch
 Patch10: CVE-2025-3015.patch
 Patch11: CVE-2025-3016.patch
+Patch12: CVE-2025-3159.patch
+Patch13: CVE-2025-3160.patch
 BuildRequires: gcc-c++ boost-devel cmake dos2unix irrlicht-devel irrXML-devel
 BuildRequires: doxygen poly2tri-devel gtest-devel pkgconfig(zziplib)
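Review bot: In the embedded SceneCombiner.cpp patch, the new guard at the top of `SceneCombiner::AddNodeHashes` returns silently and logs only at verbose-debug level, so a scene that reaches the combiner with a null node goes unnoticed in normal builds. A null node here suggests malformed input or a scene without a root node, and other SceneCombiner code handed the same pointer may dereference it without this check; that is not visible in the hunk, and the function body continues past it. Consider logging at warning level, e.g. `ASSIMP_LOG_WARN("AddNodeHashes: aiNode is nullptr, skipping.");`, and adding a comment naming which caller can pass null so the check is not removed later.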
@@ -102,6 +104,12 @@ install -m 0644 port/PyAssimp/pyassimp/*.py %{buildroot}%{python3_sitelib}/pyass %{python3_sitelib}/pyassimp %changelog +* Fri Apr 4 2025 changtao - 5.3.1-9 +- Type:CVE +- CVE:CVE-2025-3160 CVE-2025-3159 +- SUG:NA +- DESC:fix CVE-2025-3160 CVE-2025-3159 + * Tue Apr 1 2025 changtao - 5.3.1-8 - Type:CVE - CVE:CVE-2025-3015 CVE-2025-3016