CVE-2021-45948

NameCVE-2021-45948
DescriptionOpen Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-based buffer overflow in _m3d_safestr (called from m3d_load and Assimp::M3DWrapper::M3DWrapper).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
assimp (PTS)jessie3.0~dfsg-3vulnerable
stretch3.3.1~dfsg-4fixed
buster4.1.0~dfsg-5fixed
bullseye5.0.1~ds0-2fixed
bookworm5.2.5~ds0-1fixed
sid, trixie5.4.3+ds-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
assimpsourcejessie(unfixed)end-of-life
assimpsourcestretch(not affected)
assimpsourcebuster(not affected)
assimpsourcebullseye(not affected)
assimpsource(unstable)5.1.1~ds0-1

Notes

[bullseye] - assimp <not-affected> (Vulnerable code not present)
[buster] - assimp <not-affected> (Vulnerable code not present)
[stretch] - assimp <not-affected> (M3D format support not present)
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/assimp/OSV-2021-775.yaml
https://github.com/assimp/assimp/pull/4146
https://github.com/assimp/assimp/commit/30f17aa2064b86c0096f0ec701b9e8ea9312fef2 (v5.1.0)
Introduced by: https://github.com/assimp/assimp/commit/a622e109a0739435e3e2f05bfbedba0e8385282d (v5.1.0.rc1)

Search for package or bug name: Reporting problems