Bug 646104
Summary: | OpenSceneGraph contains an embedded copy of lib3ds, prone to CVE-2010-0280 | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | OpenSceneGraph | Assignee: | Ralf Corsepius <rc040203> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 13 | CC: | rc040203 |
Hardware: | Unspecified | ||
OS: | Unspecified | ||
URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601181 | ||
Fixed In Version: | OpenSceneGraph-2.8.2-6.fc13 | Doc Type: | Bug Fix |
Clone Of: | 646103 | Environment: | |
Last Closed: | 2010-11-16 23:19:08 UTC | Type: | --- |
Bug Depends On: | 646103 | ||
Bug Blocks: | 633475 |
Description
Jan Lieskovsky
2010-10-24 11:52:37 UTC
OpenSceneGraph-2.8.2-6.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/OpenSceneGraph-2.8.2-6.fc13

(In reply to comment #0)
> Also: Please consider the OpenSceneGraph package in Fedora-13
> to use system lib3ds library, which is not vulnerable to this
> flaw already. This is the preferred way of fixing the deficiency,
> as could be helpful also in future cases like this one.

AFAICT, this is not quite right. It's correct that OpenSceneGraph contains a variant of lib3ds's source code, however their source-code is compiled using C++ and unlike the original lib3ds is dlopen'ed as "plugins" (the original lib3ds is a library). I.e. OpenSceneGraph's lib3ds is not identical to the original lib3ds.

OpenSceneGraph-2.8.2-6.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update OpenSceneGraph'.
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/OpenSceneGraph-2.8.2-6.fc13

OpenSceneGraph-2.8.2-6.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.