fix CVE-2025-3160

(cherry picked from commit 7e47ef0650b2962d2a9a07cac58d94b5a1911a7d)
2025-03-22 00:54:21 +08:00 · 2025-03-22 00:54:21 +08:00 · 9e6f57bc34
commit 9e6f57bc34
parent 7c90cbd601
3 changed files with 66 additions and 1 deletions
--- a/CVE-2025-3159.patch
+++ b/CVE-2025-3159.patch
@ -0,0 +1,28 @@
+From e8a6286542924e628e02749c4f5ac4f91fdae71b Mon Sep 17 00:00:00 2001
+From: Kim Kulling <kimkulling@users.noreply.github.com>
+Date: Thu, 13 Mar 2025 16:23:36 +0100
+Subject: [PATCH] ASE: Use correct vertex container (#6051)
+
+- closes https://github.com/assimp/assimp/issues/6024
+---
+ code/AssetLib/ASE/ASEParser.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/code/AssetLib/ASE/ASEParser.cpp b/code/AssetLib/ASE/ASEParser.cpp
+index c43eb42..f697861 100644
+--- a/code/AssetLib/ASE/ASEParser.cpp
+++ b/code/AssetLib/ASE/ASEParser.cpp
+@@ -1382,8 +1382,8 @@ void Parser::ParseLV4MeshBonesVertices(unsigned int iNumVertices, ASE::Mesh &mes
+             if (TokenMatch(filePtr, "MESH_BONE_VERTEX", 16)) {
+                 // read the vertex index
+                 unsigned int iIndex = strtoul10(filePtr, &filePtr);
+-                if (iIndex >= mesh.mPositions.size()) {
+-                    iIndex = (unsigned int)mesh.mPositions.size() - 1;
+                if (iIndex >= mesh.mBoneVertices.size()) {
+                     iIndex = (unsigned int)mesh.mBoneVertices.size() - 1;
+                     LogWarning("Bone vertex index is out of bounds. Using the largest valid "
+                                "bone vertex index instead");
+                 }
+-- 
+2.41.0
+
--- a/CVE-2025-3160.patch
+++ b/CVE-2025-3160.patch
@ -0,0 +1,29 @@
+From a0993658f40d8e13ff5823990c30b43c82a5daf0 Mon Sep 17 00:00:00 2001
+From: Kim Kulling <kimkulling@users.noreply.github.com>
+Date: Thu, 13 Mar 2025 10:24:20 +0100
+Subject: [PATCH] Bugfix: Fix possible nullptr dereferencing
+
+- closes https://github.com/assimp/assimp/issues/6025
+---
+ code/Common/SceneCombiner.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/code/Common/SceneCombiner.cpp b/code/Common/SceneCombiner.cpp
+index 0188f5d..4a9c6eb 100644
+--- a/code/Common/SceneCombiner.cpp
+++ b/code/Common/SceneCombiner.cpp
+@@ -95,6 +95,11 @@ inline void PrefixString(aiString &string, const char *prefix, unsigned int len)
+ // ------------------------------------------------------------------------------------------------
+ // Add node identifiers to a hashing set
+ void SceneCombiner::AddNodeHashes(aiNode *node, std::set<unsigned int> &hashes) {
+    if (node == nullptr) {
+         ASSIMP_LOG_VERBOSE_DEBUG("Pointer to aiNode is nullptr.");
+         return;
+     }
+    
+     // Add node name to hashing set if it is non-empty - empty nodes are allowed
+     // and they can't have any anims assigned so its absolutely safe to duplicate them.
+     if (node->mName.length) {
+-- 
+2.41.0
+
--- a/assimp.spec
+++ b/assimp.spec
@ -1,6 +1,6 @@
 Name:          assimp
 Version:       5.3.1
-Release:       8
+Release:       9
 Summary:       Library to load and process various 3D model formats into applications.
 License:       BSD and MIT and LGPL-2.1 and LGPL-2.0 and GPL-2.0 and LGPL-3.0 and GPL-3.0
 URL:           http://www.assimp.org/
@ -23,6 +23,8 @@ Patch08:       CVE-2024-53425.patch
 Patch09:       CVE-2025-2151.patch
 Patch10:       CVE-2025-3015.patch
 Patch11:       CVE-2025-3016.patch
+Patch12:       CVE-2025-3159.patch
+Patch13:       CVE-2025-3160.patch

 BuildRequires: gcc-c++ boost-devel cmake dos2unix irrlicht-devel irrXML-devel
 BuildRequires: doxygen poly2tri-devel gtest-devel pkgconfig(zziplib)
@ -102,6 +104,12 @@ install -m 0644 port/PyAssimp/pyassimp/*.py %{buildroot}%{python3_sitelib}/pyass
 %{python3_sitelib}/pyassimp

 %changelog
+* Fri Apr 4 2025 changtao <changtao@kylinos.cn> - 5.3.1-9
+- Type:CVE
+- CVE:CVE-2025-3160 CVE-2025-3159
+- SUG:NA
+- DESC:fix CVE-2025-3160 CVE-2025-3159
+
 * Tue Apr 1 2025 changtao <changtao@kylinos.cn> - 5.3.1-8
 - Type:CVE
 - CVE:CVE-2025-3015 CVE-2025-3016