
Fixes CVE-2025-2757: Heap-based Buffer Overflow in AI_MD5_PARSE_STRING_IN_QUOTATION (closes #6019) #6223


Merged
merged 2 commits into from
Jun 8, 2025

Conversation

VinzSpring
Contributor

@VinzSpring VinzSpring commented Jun 5, 2025

Closes #6019
description:

  • heap buffer overflow in AI_MD5_PARSE_STRING_IN_QUOTATION. An attacker could potentially exploit the vulnerability to cause remote code execution, if they can trick the victim into running assimp on a malformed MD5 file

fix:

  • truncated the string to the maximum supported length, mitigating overflow

fuzz results after fix:

sh /home/ubuntu/assimp/test_exploits/CVE-2025-2757.sh
-- Shared libraries disabled
-- GCC13 detected disabling "-Wdangling-reference" in Cpp files as it appears to be a false positive
-- compiling zlib from sources
-- GCC13 detected disabling "-Warray-bounds and -Wstringop-overflow" for AssetLib/MDL/MDLLoader.cpp as it appears to be a false positive
-- VRML disabled
-- tinyusdz disabled
-- Enabled importer formats: AMF 3DS AC ASE ASSBIN B3D BVH COLLADA DXF CSM HMP IRRMESH IQM IRR LWO LWS MD2 MD3 MD5 MDC MDL NFF NDO OFF OBJ OGRE OPENGEX PLY MS3D COB BLEND IFC XGL FBX Q3D Q3BSP RAW SIB SMD STL TERRAGEN 3D X X3D GLTF 3MF MMD
-- Disabled importer formats: USD
-- Enabled exporter formats: OBJ OPENGEX PLY 3DS ASSBIN ASSXML COLLADA FBX STL X X3D GLTF 3MF PBRT ASSJSON STEP
-- Disabled exporter formats:
-- Treating all warnings as errors (for assimp library only)
-- Configuring done (0.0s)
-- Generating done (0.0s)
-- Build files have been written to: /home/ubuntu/assimp
[2/2] Linking CXX static library lib/libassimp.a
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3917044551
INFO: Loaded 1 modules (7 inline 8-bit counters): 7 [0x6505c7ea5a30, 0x6505c7ea5a37),
INFO: Loaded 1 PC tables (7 PCs): 7 [0x6505c7ea5a38,0x6505c7ea5aa8),
./assimp_fuzzer: Running 1 inputs 1 time(s) each.
Running: ./crash
Executed ./crash in 4 ms
NOTE: fuzzing was not performed, you have only
      executed the target code on a fixed set of inputs.

…G_IN_QUOTATION (closes assimp#6019)

description:
- heap buffer overflow in AI_MD5_PARSE_STRING_IN_QUOTATION. An attacker could potentially exploit the vulnerability to cause remote code execution,
  if they can trick the victim into running assimp on a malformed MD5 file

fix:
- truncated the string to the maximum supported length, mitigating overflow
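The defect class and the mitigation named in the description, as an added illustration that is not assimp's code: a quoted MD5 token is copied into a fixed-size buffer, and the hardened parser truncates to the maximum supported length and reports the truncation. `kMaxQuotedLen`, `parseQuotedUnsafe` and `parseQuotedSafe` are hypothetical names chosen for this example.

```cpp
// Added example, not assimp's own code. MD5 files carry quoted strings on a
// line, e.g.   shader "textures/base/floor"   and a loader that copies the
// text between the quotes into a fixed-size buffer without a bound check
// overruns the buffer when the quoted text is longer than the buffer.
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Maximum characters kept from a quoted string (hypothetical constant).
constexpr std::size_t kMaxQuotedLen = 16;

// Defective pattern: copies everything between the quotes with no bound
// check. Shown only to make the defect visible; out must hold kMaxQuotedLen+1.
static bool parseQuotedUnsafe(const char* in, char* out) {
    const char* open = std::strchr(in, '"');
    if (!open) return false;
    const char* close = std::strchr(open + 1, '"');
    if (!close) return false;
    std::size_t len = static_cast<std::size_t>(close - open - 1);
    std::memcpy(out, open + 1, len);   // heap/stack overflow when len > kMaxQuotedLen
    out[len] = '\0';
    return true;
}

struct QuotedResult {
    bool ok;          // a well-formed "..." token was found
    bool truncated;   // the quoted text exceeded kMaxQuotedLen and was cut
    std::string text; // the (possibly truncated) contents
};

// Hardened: never writes past the fixed buffer, always NUL-terminates, and
// tells the caller when input had to be truncated so it can log a warning.
static QuotedResult parseQuotedSafe(const std::string& line) {
    QuotedResult r{false, false, {}};
    std::size_t open = line.find('"');
    if (open == std::string::npos) return r;
    std::size_t close = line.find('"', open + 1);
    if (close == std::string::npos) return r;
    std::size_t len = close - open - 1;
    char buf[kMaxQuotedLen + 1];                        // fixed-size destination
    std::size_t n = len < kMaxQuotedLen ? len : kMaxQuotedLen;
    std::memcpy(buf, line.data() + open + 1, n);        // bounded copy
    buf[n] = '\0';
    r.ok = true;
    r.truncated = len > kMaxQuotedLen;
    r.text.assign(buf, n);
    return r;
}

int main() {
    char small[kMaxQuotedLen + 1];
    parseQuotedUnsafe("shader \"floor\"", small);       // short input only: safe
    QuotedResult r = parseQuotedSafe("shader \"" + std::string(200, 'A') + "\"");
    std::printf("ok=%d truncated=%d text=%s\n", r.ok, r.truncated, r.text.c_str());
    return 0;
}
```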
@tellypresence
Collaborator

Please add text "Closes #6019" in description of PR so github will associate PR with issue

@tellypresence tellypresence added Bug Global flag to mark a deviation from expected behaviour Fuzzer Bugs found by a fuzzer MD5 Bugs related to the MD5 format Security Risk Bugs that could potentially be security vulnerabilities labels Jun 5, 2025
Member

@kimkulling kimkulling left a comment

Looks fine, thanks for the help.

@kimkulling kimkulling merged commit 5be3367 into assimp:master Jun 8, 2025
13 checks passed
@kimkulling
Member

Merged, thanks a lot for your contribution.
