From 5cacab3fd79d9cc2c6df46b7a7eb9e696d7ae7e9 Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Sun, 14 Dec 2025 20:03:32 +0100 Subject: [PATCH 1/3] Backport fix for CVE-2025-11277 --- ...918f7148fbcd3d05cc6573dae7859975a895.patch | 24 +++++++++++++++++++ assimp.spec | 8 ++++++- 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 0978918f7148fbcd3d05cc6573dae7859975a895.patch diff --git a/0978918f7148fbcd3d05cc6573dae7859975a895.patch b/0978918f7148fbcd3d05cc6573dae7859975a895.patch new file mode 100644 index 0000000..b5c1569 --- /dev/null +++ b/0978918f7148fbcd3d05cc6573dae7859975a895.patch @@ -0,0 +1,24 @@ +diff -rupN --no-dereference assimp-6.0.2/code/AssetLib/Q3D/Q3DLoader.cpp assimp-6.0.2-new/code/AssetLib/Q3D/Q3DLoader.cpp +--- assimp-6.0.2/code/AssetLib/Q3D/Q3DLoader.cpp 2025-06-08 21:50:39.000000000 +0200 ++++ assimp-6.0.2-new/code/AssetLib/Q3D/Q3DLoader.cpp 2025-12-14 20:02:55.733930684 +0100 +@@ -55,6 +55,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE + #include + #include + ++#include ++ + namespace Assimp { + + static constexpr aiImporterDesc desc = { +@@ -309,6 +311,11 @@ void Q3DImporter::InternReadFile(const s + throw DeadlyImportError("Quick3D: Invalid texture. Width or height is zero"); + } + ++ const unsigned int uint_max = std::numeric_limits::max(); ++ if (tex->mWidth > (uint_max / tex->mHeight)) { ++ throw DeadlyImportError("Quick3D: Texture dimensions are too large, resulting in overflow."); ++ } ++ + unsigned int mul = tex->mWidth * tex->mHeight; + aiTexel *begin = tex->pcData = new aiTexel[mul]; + aiTexel *const end = &begin[mul - 1] + 1; diff --git a/assimp.spec b/assimp.spec index 9424c0a..8bfde61 100644 --- a/assimp.spec +++ b/assimp.spec @@ -2,7 +2,7 @@ Name: assimp Version: 6.0.2 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Library to import various 3D model formats into applications # Assimp is BSD @@ -33,6 +33,9 @@ Patch2: %{name}-nozlib.patch Patch3: %{name}-docs.patch # Enable ctest Patch4: %{name}-tests.patch +# Backport fix for CVE-2025-11277 +Patch5: https://github.com/assimp/assimp/commit/0978918f7148fbcd3d05cc6573dae7859975a895.patch + BuildRequires: boost-devel BuildRequires: cmake @@ -170,6 +173,9 @@ install -m0644 port/PyAssimp/pyassimp/*.py %{buildroot}%{python3_sitelib}/pyassi %changelog +* Sun Dec 14 2025 Sandro Mani - 6.0.2-4 +- Backport fix for CVE-2025-11277 + * Fri Sep 19 2025 Python Maint - 6.0.2-3 - Rebuilt for Python 3.14.0rc3 bytecode From d70b66d8fedbc44fa619ac04ea737cf2ee32def2 Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Sat, 27 Dec 2025 19:11:41 +0100 Subject: [PATCH 2/3] PyAssimp: Re-add 'aiProcess_Triangulate' (#2423174) --- assimp.spec | 7 ++++- ...d4aea3d9d2b3544540ea44eeb15c3616dbb7.patch | 30 +++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 dd98d4aea3d9d2b3544540ea44eeb15c3616dbb7.patch diff --git a/assimp.spec b/assimp.spec index 8bfde61..6594665 100644 --- a/assimp.spec +++ b/assimp.spec @@ -2,7 +2,7 @@ Name: assimp Version: 6.0.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Library to import various 3D model formats into applications # Assimp is BSD @@ -35,6 +35,8 @@ Patch3: %{name}-docs.patch Patch4: %{name}-tests.patch # Backport fix for CVE-2025-11277 Patch5: https://github.com/assimp/assimp/commit/0978918f7148fbcd3d05cc6573dae7859975a895.patch +# PyAssimp: Re-add 'aiProcess_Triangulate' (#2423174) +Patch6: https://github.com/assimp/assimp/commit/dd98d4aea3d9d2b3544540ea44eeb15c3616dbb7.patch BuildRequires: boost-devel @@ -173,6 +175,9 @@ install -m0644 port/PyAssimp/pyassimp/*.py %{buildroot}%{python3_sitelib}/pyassi %changelog +* Sat Dec 27 2025 Sandro Mani - 6.0.2-5 +- PyAssimp: Re-add 'aiProcess_Triangulate' (#2423174) + * Sun Dec 14 2025 Sandro Mani - 6.0.2-4 - Backport fix for CVE-2025-11277 diff --git a/dd98d4aea3d9d2b3544540ea44eeb15c3616dbb7.patch b/dd98d4aea3d9d2b3544540ea44eeb15c3616dbb7.patch new file mode 100644 index 0000000..c29e9fb --- /dev/null +++ b/dd98d4aea3d9d2b3544540ea44eeb15c3616dbb7.patch @@ -0,0 +1,30 @@ +diff -rupN --no-dereference assimp-6.0.2/port/PyAssimp/pyassimp/postprocess.py assimp-6.0.2-new/port/PyAssimp/pyassimp/postprocess.py +--- assimp-6.0.2/port/PyAssimp/pyassimp/postprocess.py 2025-06-08 21:50:39.000000000 +0200 ++++ assimp-6.0.2-new/port/PyAssimp/pyassimp/postprocess.py 2025-12-27 19:11:08.846657557 +0100 +@@ -36,13 +36,21 @@ aiProcess_JoinIdenticalVertices = 0x2 + # + aiProcess_MakeLeftHanded = 0x4 + +-##
Triangulates all faces of all meshes. ++##
Triangulates all faces of all meshes. + # + # By default the imported mesh data might contain faces with more than 3 +-# indices. For rendering you'll usually want all faces to be triangles. +-# This post processing stepaiProcess_ForceGenNormals +-##
Removes some parts of the data structure (animations, materials, +-# light sources, cameras, textures, vertex components). ++# indices. For rendering you'll usually want all faces to be triangles. ++# This post processing step splits up faces with more than 3 indices into ++# triangles. Line and point primitives are *not* modified! If you want ++# 'triangles only' with no other kinds of primitives, try the following ++# solution: ++# - Specify both #aiProcess_Triangulate and #aiProcess_SortByPType ++# - Ignore all point and line meshes when you process assimp's output ++# ++aiProcess_Triangulate = 0x8 ++ ++#
Removes some parts of the data structure (animations, materials, ++# light sources, cameras, textures, vertex components). + # + # The components to be removed are specified in a separate + # configuration option, #AI_CONFIG_PP_RVC_FLAGS. This is quite useful From 9f9f1c36f208f5e69dd03c032b99ad6a261d5880 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 16 Jan 2026 04:03:06 +0000 Subject: [PATCH 3/3] Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild --- assimp.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/assimp.spec b/assimp.spec index 6594665..c5adec9 100644 --- a/assimp.spec +++ b/assimp.spec @@ -2,7 +2,7 @@ Name: assimp Version: 6.0.2 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Library to import various 3D model formats into applications # Assimp is BSD @@ -175,6 +175,9 @@ install -m0644 port/PyAssimp/pyassimp/*.py %{buildroot}%{python3_sitelib}/pyassi %changelog +* Fri Jan 16 2026 Fedora Release Engineering - 6.0.2-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild + * Sat Dec 27 2025 Sandro Mani - 6.0.2-5 - PyAssimp: Re-add 'aiProcess_Triangulate' (#2423174)