Bug 646104

Summary: OpenSceneGraph contains an embedded copy of lib3ds, prone to CVE-2010-0280
Product: Fedora
Reporter: Jan Lieskovsky <jlieskov>
Component: OpenSceneGraph
Assignee: Ralf Corsepius <rc040203>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 13
CC: rc040203
Hardware: Unspecified
OS: Unspecified
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601181
Fixed In Version: OpenSceneGraph-2.8.2-6.fc13
Doc Type: Bug Fix
Clone Of: 646103
Last Closed: 2010-11-16 23:19:08 UTC
Bug Depends On: 646103
Bug Blocks: 633475

Description Jan Lieskovsky 2010-10-24 11:52:37 UTC
+++ This bug was initially created as a clone of Bug #646103 +++

Description of problem:

The OpenSceneGraph source rpm, as shipped with Fedora-13, contains an
embedded copy of the lib3ds library (its relevant code parts are
vulnerable to the CVE-2010-0280 flaw).

Version-Release number of selected component (if applicable):
OpenSceneGraph-2.8.2-5.fc13.src.rpm

Additional info:
The relevant code part is located in:

BUILD/OpenSceneGraph-2.8.2/OpenSceneGraph-2.8.2/src/osgPlugins/3ds/mesh.cpp

See also:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0280

and patch from:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=633475#c4

for further information on how to address this problem.

Also: Please consider the OpenSceneGraph package in Fedora-13
      to use the system lib3ds library, which is already not vulnerable
      to this flaw. This is the preferred way of fixing the deficiency,
      as it could be helpful also in future cases like this one.

Comment 1 Fedora Update System 2010-11-03 14:24:40 UTC
OpenSceneGraph-2.8.2-6.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/OpenSceneGraph-2.8.2-6.fc13

Comment 2 Ralf Corsepius 2010-11-03 14:28:29 UTC
(In reply to comment #0)
> Also: Please consider the OpenSceneGraph package in Fedora-13
>       to use the system lib3ds library, which is already not vulnerable
>       to this flaw. This is the preferred way of fixing the deficiency,
>       as it could be helpful also in future cases like this one.
AFAICT, this is not quite right.

It's correct that OpenSceneGraph contains a variant of lib3ds's source code; however, this source code is compiled as C++ and, unlike the original lib3ds, is dlopen'ed as a "plugin" (the original lib3ds is a library).

I.e. OpenSceneGraph's lib3ds is not identical to the original lib3ds.

Comment 3 Fedora Update System 2010-11-03 21:08:28 UTC
OpenSceneGraph-2.8.2-6.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update OpenSceneGraph'
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/OpenSceneGraph-2.8.2-6.fc13

Comment 4 Fedora Update System 2010-11-16 23:19:04 UTC
OpenSceneGraph-2.8.2-6.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.