Updated assimp packages fix security vulnerabilities
Publication date: 02 Jun 2026
Modification date: 02 Jun 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-2750, CVE-2025-2751, CVE-2025-2757, CVE-2025-3158, CVE-2025-3548, CVE-2025-11277, CVE-2025-70067
Description
CVE-2025-2750, A vulnerability, which was classified as critical, was
found in Open Asset Import Library Assimp 5.4.3. This affects the
function Assimp::CSMImporter::InternReadFile of the file
code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The
manipulation leads to out-of-bounds write. It is possible to initiate
the attack remotely. The exploit has been disclosed to the public and
may be used.
CVE-2025-2757, A vulnerability classified as critical was found in Open
Asset Import Library Assimp 5.4.3. This vulnerability affects the
function AI_MD5_PARSE_STRING_IN_QUOTATION of the file
code/AssetLib/MD5/MD5Parser.cpp of the component MD5 File Handler. The
manipulation of the argument data leads to heap-based buffer overflow.
The attack can be initiated remotely. The exploit has been disclosed to
the public and may be used.
CVE-2025-3158, A vulnerability, which was classified as critical, has
been found in Open Asset Import Library Assimp 5.4.3. Affected by this
issue is the function Assimp::LWO::AnimResolver::UpdateAnimRangeSetup of
the file code/AssetLib/LWO/LWOAnimation.cpp of the component LWO File
Handler. The manipulation leads to heap-based buffer overflow. It is
possible to launch the attack on the local host. The exploit has been
disclosed to the public and may be used.
CVE-2025-3548, A vulnerability, which was classified as critical, has
been found in Open Asset Import Library Assimp up to 5.4.3. This issue
affects the function aiString::Set in the library include/assimp/types.h
of the component File Handler. The manipulation leads to heap-based
buffer overflow. It is possible to launch the attack on the local host.
The exploit has been disclosed to the public and may be used. It is
recommended to apply a patch to fix this issue.
CVE-2025-11277, A weakness has been identified in Open Asset Import
Library Assimp 6.0.2. This affects the function
Q3DImporter::InternReadFile of the file
assimp/code/AssetLib/Q3D/Q3DLoader.cpp. Executing a manipulation can
lead to heap-based buffer overflow. The attack needs to be launched
locally. The exploit has been made available to the public and could be
used for attacks.
CVE-2025-70067, Buffer Overflow vulnerability exists in Assimp versions
up to 6.0.2 in the FBX Importer. The vulnerability occurs in
aiMaterial::AddBinaryProperty, where a property key string from a
crafted FBX file is copied into a fixed-size heap buffer using strcpy()
without runtime length validation
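The class of defect described for CVE-2025-70067 (an unchecked strcpy() of a file-supplied key into a fixed-size buffer) is closed by validating the length before copying. The following is an added example, not Assimp's code or its patch; `struct prop`, `KEY_CAP`, `prop_set_key` and `demo_accepts` are hypothetical names and the capacity is an assumed value.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_CAP 1024u /* hypothetical fixed capacity, terminator included */

struct prop {               /* hypothetical record with a fixed-size key */
    uint32_t key_len;       /* bytes stored, terminator excluded */
    char     key[KEY_CAP];
};

/* Copy a key read from a parsed file. src need not be NUL-terminated;
 * src_len is the number of readable bytes. Returns 0 on success, -1 if
 * rejected (record untouched). The unchecked form, strcpy(p->key, src),
 * writes strlen(src) + 1 bytes regardless of KEY_CAP. */
int prop_set_key(struct prop *p, const char *src, size_t src_len)
{
    if (p == NULL || src == NULL) return -1;
    const char *nul = memchr(src, '\0', src_len);
    size_t n = nul ? (size_t)(nul - src) : src_len;
    /* Reject, do not truncate: a cut-off key could alias another name. */
    if (n == 0 || n >= KEY_CAP) return -1;
    memcpy(p->key, src, n);
    p->key[n] = '\0';
    p->key_len = (uint32_t)n;
    return 0;
}

/* Constructed input: len 'A' bytes, no terminator. 1 = stored intact. */
int demo_accepts(size_t len)
{
    struct prop *p = calloc(1, sizeof *p);
    char *raw = malloc(len ? len : 1);
    int ok = 0;
    if (p && raw) {
        memset(raw, 'A', len);
        ok = prop_set_key(p, raw, len) == 0 && strlen(p->key) == len;
    }
    free(raw);
    free(p);
    return ok;
}

int main(void)
{
    printf("%d %d\n", demo_accepts(KEY_CAP - 1), demo_accepts(KEY_CAP));
    return 0;
}
```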
References
- https://bugs.mageia.org/show_bug.cgi?id=34439
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZYGDCFEL3GZ5PDUZFKEVVISQWAENNBTB/
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/2LQLM3OX7KPUJNJSKSVDROFQGZRJPVRF/
- https://www.cve.org/CVERecord?id=CVE-2025-2750
- https://www.cve.org/CVERecord?id=CVE-2025-2751
- https://www.cve.org/CVERecord?id=CVE-2025-2757
- https://www.cve.org/CVERecord?id=CVE-2025-3158
- https://www.cve.org/CVERecord?id=CVE-2025-3548
- https://www.cve.org/CVERecord?id=CVE-2025-11277
- https://www.cve.org/CVERecord?id=CVE-2025-70067
SRPMS
9/core
- assimp-5.2.5-1.mga9