
Mageia alert MGASA-2026-0170 (assimp)

From:  Mageia Updates <updates-announce@ml.mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2026-0170: Updated assimp packages fix security vulnerabilities
Date:  Tue, 02 Jun 2026 07:23:47 +0200
Message-ID:  <20260602052347.A5C229FCA8@duvel.mageia.org>

MGASA-2026-0170 - Updated assimp packages fix security vulnerabilities

Publication date: 02 Jun 2026
URL: https://advisories.mageia.org/MGASA-2026-0170.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-2750, CVE-2025-2751, CVE-2025-2757, CVE-2025-3158, CVE-2025-3548, CVE-2025-11277, CVE-2025-70067

Description:

CVE-2025-2750, A vulnerability, which was classified as critical, was found in Open Asset Import Library Assimp 5.4.3. This affects the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The manipulation leads to out-of-bounds write. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-2757, A vulnerability classified as critical was found in Open Asset Import Library Assimp 5.4.3. This vulnerability affects the function AI_MD5_PARSE_STRING_IN_QUOTATION of the file code/AssetLib/MD5/MD5Parser.cpp of the component MD5 File Handler. The manipulation of the argument data leads to heap-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-3158, A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3. Affected by this issue is the function Assimp::LWO::AnimResolver::UpdateAnimRangeSetup of the file code/AssetLib/LWO/LWOAnimation.cpp of the component LWO File Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.

CVE-2025-3548, A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp up to 5.4.3. This issue affects the function aiString::Set in the library include/assimp/types.h of the component File Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.

CVE-2025-11277, A weakness has been identified in Open Asset Import Library Assimp 6.0.2. This affects the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. Executing a manipulation can lead to heap-based buffer overflow. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks.

CVE-2025-70067, Buffer Overflow vulnerability exists in Assimp versions up to 6.0.2 in the FBX Importer. The vulnerability occurs in aiMaterial::AddBinaryProperty, where a property key string from a crafted FBX file is copied into a fixed-size heap buffer using strcpy() without runtime length validation.

References:
- https://bugs.mageia.org/show_bug.cgi?id=34439
- https://lists.fedoraproject.org/archives/list/package-ann...
- https://lists.opensuse.org/archives/list/security-announc...
- https://www.cve.org/CVERecord?id=CVE-2025-2750
- https://www.cve.org/CVERecord?id=CVE-2025-2751
- https://www.cve.org/CVERecord?id=CVE-2025-2757
- https://www.cve.org/CVERecord?id=CVE-2025-3158
- https://www.cve.org/CVERecord?id=CVE-2025-3548
- https://www.cve.org/CVERecord?id=CVE-2025-11277
- https://www.cve.org/CVERecord?id=CVE-2025-70067

SRPMS:
- 9/core/assimp-5.2.5-1.mga9
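The CVE-2025-70067 description above names the defect class: a key string taken from an untrusted file is copied with strcpy() into a fixed-size heap buffer with no length check. The following is an added illustration of the corresponding runtime validation, not code from Assimp or from the Mageia patch; `struct prop`, `prop_create`, the status codes and the 64-byte `KEY_MAX` are hypothetical names and values chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_MAX 64  /* assumed buffer capacity, not Assimp's real constant */

/* Hypothetical stand-in for a material property with a fixed-size key. */
struct prop {
    uint32_t key_len;
    char     key[KEY_MAX];  /* NUL-terminated once set */
};

enum prop_status {
    PROP_OK = 0, PROP_BAD_ARG, PROP_KEY_TOO_LONG, PROP_KEY_HAS_NUL, PROP_NO_MEM
};

/* Unchecked shape the advisory describes, shown as a comment only:
 *     strcpy(p->key, key_from_file);
 * Below: the same copy with the length validated before any byte is written. */
enum prop_status prop_create(const uint8_t *raw, size_t raw_len,
                             struct prop **out)
{
    if (raw == NULL || out == NULL)
        return PROP_BAD_ARG;
    *out = NULL;
    if (raw_len >= KEY_MAX)                  /* keep room for the terminator */
        return PROP_KEY_TOO_LONG;
    if (memchr(raw, '\0', raw_len) != NULL)  /* embedded NUL would alias keys */
        return PROP_KEY_HAS_NUL;

    struct prop *p = calloc(1, sizeof *p);
    if (p == NULL)
        return PROP_NO_MEM;
    memcpy(p->key, raw, raw_len);            /* bounded by the check above */
    p->key[raw_len] = '\0';
    p->key_len = (uint32_t)raw_len;
    *out = p;
    return PROP_OK;
}

int main(void)
{
    uint8_t oversized[KEY_MAX + 200];        /* constructed sample input */
    struct prop *p = NULL;
    memset(oversized, 'A', sizeof oversized);
    printf("oversized key -> status %d\n",
           prop_create(oversized, sizeof oversized, &p));
    return 0;
}
```

Rejecting the over-long key outright, rather than silently truncating it, keeps two distinct file keys from collapsing into the same stored key.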



