Your message dated Wed, 21 Jan 2026 16:34:08 +0000
with message-id <[email protected]>
and subject line Bug#1106591: fixed in assimp 6.0.3+ds-1
has caused the Debian Bug report #1106591,
regarding assimp: CVE-2025-5165
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1106591: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106591
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: assimp
Version: 5.4.3+ds-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/assimp/assimp/issues/6167
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for assimp.

CVE-2025-5165[0]:
| A vulnerability was found in Open Asset Import Library Assimp 5.4.3
| and classified as problematic. This issue affects the function
| MDCImporter::ValidateSurfaceHeader of the file
| assimp/code/AssetLib/MDC/MDCLoader.cpp. The manipulation of the
| argument pcSurface2 leads to out-of-bounds read. Attacking locally
| is a requirement. The exploit has been disclosed to the public and
| may be used. The project decided to collect all Fuzzer bugs in a
| main-issue to address them in the future.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5165
    https://www.cve.org/CVERecord?id=CVE-2025-5165
[1] https://github.com/assimp/assimp/issues/6167

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: assimp
Source-Version: 6.0.3+ds-1
Done: IOhannes m zmölnig (Debian/GNU) <[email protected]>

We believe that the bug you reported is fixed in the latest version of
assimp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
IOhannes m zmölnig (Debian/GNU) <[email protected]> (supplier of updated assimp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 21 Jan 2026 17:20:54 +0100
Source: assimp
Architecture: source
Version: 6.0.3+ds-1
Distribution: unstable
Urgency: medium
Maintainer: IOhannes m zmölnig (Debian/GNU) <[email protected]>
Changed-By: IOhannes m zmölnig (Debian/GNU) <[email protected]>
Closes: 1103444 1106591 1106592 1107477 1117693
Changes:
 assimp (6.0.3+ds-1) unstable; urgency=medium
 .
   * New upstream version 6.0.3+ds
     + Closes: #1103444 (CVE-2025-3549)
     + Closes: #1106591 (CVE-2025-5165)
     + Closes: #1106592 (CVE-2025-5166)
     + Closes: #1107477
     + Closes: #1117693 (CVE-2025-11277)
   * Update patches
     + Drop patches applied upstream
     + Refresh patches
   * Fix doxygen patch
     + Fix artifacts directory
     + Fix out-of-tree building of documentation
   * Drop obsolete Rules-Requires-Root stanza.
   * Update copyright information
     + Add license for new file
     + Bump copyright dates
     + Re-generate d/copyright_hints
   * Update d/watch to version 5
Git-Tag-Info: tag=42bb1d674857c36d494c087dff4c23a2b458fcca fp=7405e745574809734800156db65019c47f7a36f8
Git-Tag-Tagger: IOhannes m zmölnig (Debian/GNU) <[email protected]>


--- End Message ---
