   openSUSE Security Update: Security update for assimp
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2025:0113-1
Rating:             important
References:         #1232322 #1232323 #1232324 #1233633 #1239220
                    #1239916 #1239920 #1240412 #1240413
Cross-References:   CVE-2024-48423 CVE-2024-48424 CVE-2024-48425
                    CVE-2024-53425 CVE-2025-2151 CVE-2025-2591
                    CVE-2025-2592 CVE-2025-3015 CVE-2025-3016
CVSS scores:
                    CVE-2024-48423 (SUSE): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
                    CVE-2024-48424 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2024-48425 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2024-53425 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2025-2151 (SUSE): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
                    CVE-2025-2591 (SUSE): 6.7 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
                    CVE-2025-2592 (SUSE): 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products:
                    openSUSE Backports SLE-15-SP6
______________________________________________________________________________

   An update that fixes 9 vulnerabilities is now available.

Description:

   This update for assimp fixes the following issues:

   - CVE-2024-48425: Fixed SEGV in
     Assimp:SplitLargeMeshesProcess_Triangle:UpdateNode (boo#1232324)
   - CVE-2024-48423: Fixed an arbitrary code execution via
     CallbackToLogRedirector() (boo#1232322)
   - CVE-2024-48424: Fixed a heap-buffer-overflow in
     OpenDDLParser:parseStructure() (boo#1232323)
   - CVE-2024-53425: Fixed a heap-based buffer overflow in
     SkipSpacesAndLineEnd() (boo#1233633)
   - CVE-2025-2592: Fixed a heap-based buffer overflow in
     Assimp::CSMImporter::InternReadFile() (boo#1239916)
   - CVE-2025-3015: Fixed out-of-bounds read caused by manipulation of the
     argument mIndices (boo#1240412)
   - CVE-2025-3016: Fixed a denial of service caused by manipulation of the
     argument mWidth/mHeight (boo#1240413)
   - CVE-2025-2591: Fixed a denial of service in
     code/AssetLib/MDL/MDLLoader.cpp (boo#1239920)
   - CVE-2025-2151: Fixed a stack-based buffer overflow in
     Assimp::GetNextLine() (boo#1239220)

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP6:

      zypper in -t patch openSUSE-2025-113=1

Package List:

   - openSUSE Backports SLE-15-SP6 (aarch64 ppc64le s390x x86_64):

      assimp-devel-5.3.1-bp156.3.9.1
      libassimp5-5.3.1-bp156.3.9.1

References:

   https://www.suse.com/security/cve/CVE-2024-48423.html
   https://www.suse.com/security/cve/CVE-2024-48424.html
   https://www.suse.com/security/cve/CVE-2024-48425.html
   https://www.suse.com/security/cve/CVE-2024-53425.html
   https://www.suse.com/security/cve/CVE-2025-2151.html
   https://www.suse.com/security/cve/CVE-2025-2591.html
   https://www.suse.com/security/cve/CVE-2025-2592.html
   https://www.suse.com/security/cve/CVE-2025-3015.html
   https://www.suse.com/security/cve/CVE-2025-3016.html
   https://bugzilla.suse.com/1232322
   https://bugzilla.suse.com/1232323
   https://bugzilla.suse.com/1232324
   https://bugzilla.suse.com/1233633
   https://bugzilla.suse.com/1239220
   https://bugzilla.suse.com/1239916
   https://bugzilla.suse.com/1239920
   https://bugzilla.suse.com/1240412
   https://bugzilla.suse.com/1240413