Bugzilla – Bug 1194276
VUL-1: CVE-2021-45948: assimp: heap-based buffer overflow in _m3d_safestr
Last modified: 2022-01-04 12:22:43 UTC
CVE-2021-45948 Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-based buffer overflow in _m3d_safestr (called from m3d_load and Assimp::M3DWrapper::M3DWrapper). References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-45948 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416 https://github.com/google/oss-fuzz-vulns/blob/main/vulns/assimp/OSV-2021-775.yaml http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45948 http://www.cvedetails.com/cve/CVE-2021-45948/
From what I see in our code streams we are not affected. Please double check. openSUSE:Factory 5.1.4 openSUSE:Leap:15.2 3.3.1 openSUSE:Backports:SLE-15-SP3 3.3.1 openSUSE:Backports:SLE-15-SP4 5.1.3
I have a doubt about the affected versions. This is fixed in our package by https://github.com/assimp/assimp/commit/30f17aa20 /data/misc/assimp (master) # git tag --contains 30f17aa20 v5.1.0 v5.1.1 v5.1.2 v5.1.3 v5.1.4 v5.1.5 Version 3.3.1 is not affected.
Closing. None of our packages are affected.