Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package assimp for openSUSE:Factory checked in at 2026-06-27 18:03:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/assimp (Old)
 and /work/SRC/openSUSE:Factory/.assimp.new.11887 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "assimp" Sat Jun 27 18:03:48 2026 rev:39 rq:1361720 version:6.0.5 Changes: -------- --- /work/SRC/openSUSE:Factory/assimp/assimp.changes 2026-06-03 20:21:24.818677420 +0200 +++ /work/SRC/openSUSE:Factory/.assimp.new.11887/assimp.changes 2026-06-27 18:04:18.840381813 +0200 @@ -1,0 +2,14 @@ +Thu Jun 25 06:31:01 UTC 2026 - Petr Gajdos <[email protected]> + +- added patches + CVE-2026-10232: heap use-after-free in aiNode::~aiNode due to invalid node tree when processing malformed ASE files [bsc#1267037] + * assimp-CVE-2026-10232.patch + +------------------------------------------------------------------- +Wed Jun 24 10:51:38 UTC 2026 - Petr Gajdos <[email protected]> + +- added patches + CVE-2026-10200: This affects the function glTFCommon:CopyValue in the library glTFCommon.h of the component 4x4 Matrix Parser. Performing a manipulation results in a heap-based buffer overflow [bsc#1266999] + * assimp-CVE-2026-10200.patch + +------------------------------------------------------------------- New: ---- assimp-CVE-2026-10200.patch assimp-CVE-2026-10232.patch ----------(New B)---------- New: CVE-2026-10200: This affects the function glTFCommon:CopyValue in the library glTFCommon.h of the component 4x4 Matrix Parser. Performing a manipulation results in a heap-based buffer overflow [bsc#1266999] * assimp-CVE-2026-10200.patch New: CVE-2026-10232: heap use-after-free in aiNode::~aiNode due to invalid node tree when processing malformed ASE files [bsc#1267037] * assimp-CVE-2026-10232.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ assimp.spec ++++++ --- /var/tmp/diff_new_pack.bKz0Ln/_old 2026-06-27 18:04:22.196494318 +0200 +++ /var/tmp/diff_new_pack.bKz0Ln/_new 2026-06-27 18:04:22.208494721 +0200 
@@ -32,6 +32,10 @@ Patch2: assimp-CVE-2026-10199.patch # CVE-2026-10197: Affected is the function glTF2Importer:ImportEmbeddedTextures in the library code/AssetLib/glTF2/glTF2Importer.cpp. manipulation results in null pointer dereference [bsc#1266996] Patch3: assimp-CVE-2026-10197.patch +# CVE-2026-10200: This affects the function glTFCommon:CopyValue in the library glTFCommon.h of the component 4x4 Matrix Parser. Performing a manipulation results in a heap-based buffer overflow [bsc#1266999] +Patch4: assimp-CVE-2026-10200.patch +# CVE-2026-10232: heap use-after-free in aiNode::~aiNode due to invalid node tree when processing malformed ASE files [bsc#1267037] +Patch5: assimp-CVE-2026-10232.patch BuildRequires: cmake >= 3.22 BuildRequires: gcc-c++ BuildRequires: pkgconfig ++++++ assimp-CVE-2026-10200.patch ++++++ >From 03d2de4d5b553e0562b5f979797f9981ab8c60f9 Mon Sep 17 00:00:00 2001 From: Jason Li <[email protected]> Date: Wed, 3 Jun 2026 15:21:26 +0000 Subject: [PATCH] Validate inverseBindMatrices in glTF 2.0 Add additional validation when parsing glTF assets, checking accessor associated with skin inverseBindMatrices for contraints specified by the glTF spec. This includes asseting a 4x4 matrix type, floating-point component type, count < number of joints, and last row is [0.0, 0.0, 0.0, 1.0]. Fixes #6612 Signed-off-by: Jason Li <[email protected]> --- code/AssetLib/glTF2/glTF2Asset.inl | 32 ++++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/code/AssetLib/glTF2/glTF2Asset.inl b/code/AssetLib/glTF2/glTF2Asset.inl index 618a973bb5..6c4209ba8e 100644 --- a/code/AssetLib/glTF2/glTF2Asset.inl +++ b/code/AssetLib/glTF2/glTF2Asset.inl 
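Review bot: On the assimp.spec hunk above, the new `Patch4:` and `Patch5:` lines only declare the patches; nothing in this hunk shows them being applied in `%prep`, so please confirm the spec uses `%autosetup -p1` (or add the matching `%patch` lines), otherwise both CVE fixes are silently skipped at build time. Also, assimp-CVE-2026-10232.patch bundles two upstream commits (bd1d67ec0ef1aacce1564dad633fca68ece245d5 and 559e8b9f1aa21d485b2b1ce03c55edd6899a4ee0) while the comment above `Patch5:` describes only the use-after-free; recording both upstream commit ids in that comment would keep the provenance traceable when the package is rebased.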
@@ -1823,10 +1823,6 @@ inline void Scene::Read(Value &obj, Asset &r) { } inline void Skin::Read(Value &obj, Asset &r) { - if (Value *matrices = FindUInt(obj, "inverseBindMatrices")) { - inverseBindMatrices = r.accessors.Retrieve(matrices->GetUint()); - } - if (Value *joints = FindArray(obj, "joints")) { for (unsigned i = 0; i < joints->Size(); ++i) { if (!(*joints)[i].IsUint()) continue; @@ -1836,6 +1832,34 @@ inline void Skin::Read(Value &obj, Asset &r) { } } } + + if (Value *idx = FindUInt(obj, "inverseBindMatrices")) { + inverseBindMatrices = r.accessors.Retrieve(idx->GetUint()); + + // Additional accessor validation for inverseBindMatrices according to https://registry.khronos.org/glTF/specs/2.0/glTF-2.0.html#skins-overview + if (inverseBindMatrices->type != AttribType::MAT4) { + throw DeadlyImportError("GLTF: inverseBindMatrices accessor must have MAT4 type"); + } + if (inverseBindMatrices->componentType != ComponentType_FLOAT) { + throw DeadlyImportError("GLTF: inverseBindMatrices accessor must have FLOAT componentType"); + } + if (inverseBindMatrices->count < jointNames.size()) { + throw DeadlyImportError("GLTF: inverseBindMatrices accessor count ", + inverseBindMatrices->count, " is less than the number of joints ", jointNames.size()); + } + // Validate that the fourth row of each matrix is [0, 0, 0, 1] + mat4 *matrices = nullptr; + inverseBindMatrices->ExtractData(matrices, nullptr); + for (size_t i = 0; i < inverseBindMatrices->count; ++i) { + const float *m = matrices[i]; + if (m[3] != 0.0f || m[7] != 0.0f || m[11] != 0.0f || m[15] != 1.0f) { + delete[] matrices; + throw DeadlyImportError("GLTF: inverseBindMatrices[", i, + "] fourth row must be [0, 0, 0, 1]"); + } + } + delete[] matrices; + } } inline void Animation::Read(Value &obj, Asset &r) { ++++++ assimp-CVE-2026-10232.patch ++++++ >From bd1d67ec0ef1aacce1564dad633fca68ece245d5 Mon Sep 17 00:00:00 2001 
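Review bot: In the second hunk of the glTF2Asset.inl change, the buffer returned by `ExtractData(matrices, nullptr)` is released with a hand-written `delete[] matrices;` both before the `throw` inside the loop and again after it; wrapping it as `std::unique_ptr<mat4[]> matrices(raw);` right after extraction would make the cleanup exception-safe by construction and remove the duplicated delete. The reorder that moves the `inverseBindMatrices` block below the `joints` loop is load-bearing, since `jointNames.size()` is only populated by that loop and the new `count < jointNames.size()` check would otherwise compare against zero; a one-line comment saying so would stop a future refactor from moving it back. The commit message describes the check as "count < number of joints", while the code rejects that case and requires `count >= joints`, which matches the spec; please fix the wording. The MAT4 and FLOAT checks are the ones that keep the later 16-float copy within the element size, so those two should stay ahead of any data extraction, as they are here.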
From: Jason Li <[email protected]> Date: Tue, 9 Jun 2026 11:29:02 +0000 Subject: [PATCH 1/2] Fix ASE .Target node addition When adding a new .Target node, shift performed to existing mChildren would overwrite entries before they were copied. This results in mChildren duplicating or losing elements. This change porperly shifts the nodes in the array. Fixes #6617 Signed-off-by: Jason Li <[email protected]> --- code/AssetLib/ASE/ASELoader.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code/AssetLib/ASE/ASELoader.cpp b/code/AssetLib/ASE/ASELoader.cpp index 28f107a1db..012b9f9467 100644 --- a/code/AssetLib/ASE/ASELoader.cpp +++ b/code/AssetLib/ASE/ASELoader.cpp @@ -573,8 +573,8 @@ void ASEImporter::AddNodes(const std::vector<BaseNode *> &nodes, aiNode *pcParen nd->mParent = node; // The .Target node is always the first child node - for (unsigned int m = 0; m < node->mNumChildren; ++m) - node->mChildren[m + 1] = node->mChildren[m]; + for (unsigned int m = node->mNumChildren; m > 0; --m) + node->mChildren[m] = node->mChildren[m - 1]; node->mChildren[0] = nd; node->mNumChildren++; >From 559e8b9f1aa21d485b2b1ce03c55edd6899a4ee0 Mon Sep 17 00:00:00 2001 From: Jason Li <[email protected]> Date: Tue, 9 Jun 2026 11:32:17 +0000 Subject: [PATCH 2/2] Delete dummy mesh before discarding in ASEImporter Properly delete meshes to be skipped when creating output mesh list. mColors[2] is also used as a temporary pointer that gets cleaned up later, so deletion is defered. Signed-off-by: Jason Li <[email protected]> --- code/AssetLib/ASE/ASELoader.cpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/code/AssetLib/ASE/ASELoader.cpp b/code/AssetLib/ASE/ASELoader.cpp index 012b9f9467..7f50dc5fc7 100644 --- a/code/AssetLib/ASE/ASELoader.cpp +++ b/code/AssetLib/ASE/ASELoader.cpp 
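Review bot: The ASELoader.cpp hunk in PATCH 1/2 fixes the overlapping copy correctly, but nothing in the visible lines shows that `node->mChildren` was allocated with room for `mNumChildren + 1` entries; the old loop also wrote to index `m + 1`, so the capacity was presumably already there, but please confirm where the array is sized. Expressing the shift as `std::copy_backward(node->mChildren, node->mChildren + node->mNumChildren, node->mChildren + node->mNumChildren + 1);` states the intent (a memmove-style right shift) without relying on the reader to check the loop direction. For the record, the old forward loop read each slot after the previous iteration had already overwritten it, so every entry became a copy of `mChildren[0]` and the remaining children were lost; the duplicated child pointers are what `~aiNode` later frees more than once, which is the use-after-free the changes entry refers to.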
@@ -189,6 +189,8 @@ void ASEImporter::InternReadFile(const std::string &pFile, aiMesh **pp = pScene->mMeshes = new aiMesh *[pScene->mNumMeshes]; for (std::vector<aiMesh *>::const_iterator i = avOutMeshes.begin(); i != avOutMeshes.end(); ++i) { if (!(*i)->mNumFaces) { + (*i)->mColors[2] = nullptr; + delete *i; continue; } *pp++ = *i;
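Review bot: In the PATCH 2/2 hunk, the reason for `(*i)->mColors[2] = nullptr;` before `delete *i;` lives only in the commit message (the slot aliases a temporary pointer that is cleaned up elsewhere); put that as an inline comment above the assignment, otherwise the next reader is likely to drop the "pointless" null-out and reintroduce a double free. After `delete *i;` the `avOutMeshes` vector still holds the dangling pointer, and the iterator is `const_iterator`, so it cannot be cleared in place; please confirm that `avOutMeshes` is not read again after this loop, or clear it once the copy into `pScene->mMeshes` is done.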
