Bug 33531 - assimp new security issue CVE-2024-40724
Summary: assimp new security issue CVE-2024-40724
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lists.opensuse.org/archives/l...
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-09-06 09:57 CEST by Nicolas Salguero
Modified: 2024-09-13 19:16 CEST (History)
3 users (show)

See Also:
Source RPM: assimp-5.2.2-4.mga9.src.rpm
CVE: CVE-2024-40724
Status comment: Fix: https://github.com/assimp/assimp/commit/ddb74c2bbdee1565dda667e85f0c82a0588c8053


Attachments

Description Nicolas Salguero 2024-09-06 09:57:30 CEST
openSUSE has issued an advisory on August 27:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GRHXRZKHWQMKKB7V55J2TDPZAKJSN2BF/
Nicolas Salguero 2024-09-06 09:58:06 CEST

CVE: (none) => CVE-2024-40724
Status comment: (none) => Fix: https://github.com/assimp/assimp/commit/ddb74c2bbdee1565dda667e85f0c82a0588c8053
Source RPM: (none) => assimp-5.2.2-4.mga9.src.rpm

Comment 1 Marja Van Waes 2024-09-06 21:27:00 CEST
@ daviddavid,

There is no registered maintainer for this package, but you are the de facto maintainer, so I assigned this issue to you.
If you don't agree, then please assign to all packagers collectively or back to bugsquad.

CC: (none) => marja11
URL: (none) => https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GRHXRZKHWQMKKB7V55J2TDPZAKJSN2BF/
Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2024-09-11 17:18:24 CEST
Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
assimp-5.2.2-4.1.mga9
libassimp-devel-5.2.2-4.1.mga9
libassimp5-5.2.2-4.1.mga9
lib64assimp-devel-5.2.2-4.1.mga9
lib64assimp5-5.2.2-4.1.mga9

From SRPMS:
assimp-5.2.2-4.1.mga9.src.rpm

Assignee: geiger.david68210 => qa-bugs

katnatek 2024-09-11 19:19:00 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2024-09-12 05:02:03 CEST
 LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing assimp-5.2.2-4.1.mga9.x86_64.rpm lib64assimp5-5.2.2-4.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: lib64assimp5          ##################################################################################################
      2/2: assimp                ##################################################################################################
      1/2: removing assimp-5.2.2-4.mga9.x86_64
                                 ##################################################################################################
      2/2: removing lib64assimp5-5.2.2-4.mga9.x86_64
                                 ##################################################################################################


urpmq --whatrequires lib64assimp5|uniq
assimp
f3d
lib64assimp-devel
lib64assimp5
lib64qt5qt3d-devel
pioneerspacesim
qt3d5
qt3d6
qtquick3d5
qtquick3d6

Use pioneerspacesim to test

strace pioneer shows
openat(AT_FDCWD, "/lib64/libassimp.so.5", O_RDONLY|O_CLOEXEC) = 3

The game start whitoout issues

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
CVE: CVE-2024-40724 => (none)

katnatek 2024-09-12 05:02:37 CEST

CVE: (none) => CVE-2024-40724

Comment 4 Thomas Andrews 2024-09-13 14:03:38 CEST
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2024-09-13 19:16:36 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0300.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.