CVE-2021-45948

NameCVE-2021-45948
DescriptionOpen Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-based buffer overflow in _m3d_safestr (called from m3d_load and Assimp::M3DWrapper::M3DWrapper).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
assimp (PTS)stretch3.3.1~dfsg-4fixed
buster4.1.0~dfsg-5vulnerable
bullseye5.0.1~ds0-2vulnerable
bookworm5.1.5~ds0-1fixed
sid5.1.6~ds0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
assimpsourcestretch(not affected)
assimpsource(unstable)5.1.1~ds0-1

Notes

[stretch] - assimp <not-affected> (M3D format support not present)
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/assimp/OSV-2021-775.yaml
https://github.com/assimp/assimp/pull/4146
https://github.com/assimp/assimp/commit/30f17aa2064b86c0096f0ec701b9e8ea9312fef2 (v5.1.0)
Introduced by: https://github.com/assimp/assimp/commit/a622e109a0739435e3e2f05bfbedba0e8385282d (v5.1.0.rc1)

Search for package or bug name: Reporting problems