Array index error in Jan Eric Kyprianidis lib3ds 1.x, as used in Google SketchUp 7.x before 7.1 M2, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted structures in a 3DS file, probably related to mesh.c. http://www.coresecurity.com/content/google-sketchup-vulnerability
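The description above gives only the bug class (an unchecked array index reached through crafted structures in a 3DS file, probably in mesh.c) and not the exact field. The following is an added illustration of that class written for this page; it is not lib3ds code, not the attached patch, and not taken from the Core Security advisory. It assumes the usual shape of such a bug in a mesh loader: the FACE_ARRAY chunk (0x4120) of the 3DS format carries three 16-bit vertex indices per face that refer into the mesh's POINT_ARRAY (0x4110), and a loader that stores those indices without comparing them to the point count will later index past the vertex array when it computes normals or a bounding box. The chunk bytes and the parser names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the bug class only; not lib3ds code.
 * Assumed layout of a 3DS FACE_ARRAY (0x4120) chunk body: u16 nfaces, then
 * per face four little-endian u16 values: vertex indices a, b, c and flags.
 * The indices refer to the POINT_ARRAY (0x4110) of the same mesh. */

typedef struct { uint16_t points[3]; uint16_t flags; } face_t;
typedef struct { float x, y, z; } point_t;

static uint16_t rd_u16(const uint8_t *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Parse a FACE_ARRAY body into `out`. Returns the face count, or -1 if the
 * chunk is malformed. With check_indices == 0 vertex indices are stored as
 * found in the file (the unchecked pattern); with check_indices != 0 any
 * index >= npoints rejects the whole chunk (the hardened form). */
int parse_face_array(const uint8_t *buf, size_t len, uint16_t npoints,
                     int check_indices, face_t *out, size_t max_faces)
{
    if (len < 2) return -1;
    uint16_t nfaces = rd_u16(buf);
    if (nfaces > max_faces) return -1;
    if (len < 2 + (size_t)nfaces * 8) return -1;   /* truncated chunk */
    const uint8_t *p = buf + 2;
    for (uint16_t i = 0; i < nfaces; i++, p += 8) {
        for (int k = 0; k < 3; k++) {
            uint16_t idx = rd_u16(p + 2 * k);
            if (check_indices && idx >= npoints) return -1;
            out[i].points[k] = idx;
        }
        out[i].flags = rd_u16(p + 6);
    }
    return (int)nfaces;
}

/* A consumer such as a normal or bounding-box pass: each face index is used
 * to address the vertex array. Returns the largest x among referenced
 * vertices, or -1.0f if a face references a vertex outside 0..npoints-1.
 * Without this guard an unchecked index reads past `pts` (the memory
 * corruption / crash the advisory describes). */
float max_referenced_x(const face_t *faces, int nfaces,
                       const point_t *pts, uint16_t npoints)
{
    float best = -1e30f;
    for (int i = 0; i < nfaces; i++)
        for (int k = 0; k < 3; k++) {
            uint16_t idx = faces[i].points[k];
            if (idx >= npoints) return -1.0f;      /* would read past pts */
            if (pts[idx].x > best) best = pts[idx].x;
        }
    return best;
}

/* Constructed sample: a mesh with 4 points and a chunk with 2 faces; the
 * second face's third index (7) is out of range for this mesh. */
static const point_t sample_points[4] = {
    {0.f, 0.f, 0.f}, {1.f, 0.f, 0.f}, {0.f, 1.f, 0.f}, {2.f, 2.f, 0.f} };
static const uint8_t sample_chunk[] = {
    0x02, 0x00,                                          /* nfaces = 2 */
    0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x07, 0x00,      /* face 0: 0,1,2 flags 7 */
    0x01, 0x00, 0x03, 0x00, 0x07, 0x00, 0x00, 0x00       /* face 1: 1,3,7 flags 0 */
};

/* Unchecked parser accepts the sample: returns 2. */
int demo_unchecked(void) {
    face_t f[8];
    return parse_face_array(sample_chunk, sizeof sample_chunk, 4, 0, f, 8);
}
/* Index-checking parser rejects it at load time: returns -1. */
int demo_checked(void) {
    face_t f[8];
    return parse_face_array(sample_chunk, sizeof sample_chunk, 4, 1, f, 8);
}
/* Unchecked parse, then a consumer with a use-site guard: returns -1.0f. */
float demo_unchecked_consumer(void) {
    face_t f[8];
    int n = parse_face_array(sample_chunk, sizeof sample_chunk, 4, 0, f, 8);
    return max_referenced_x(f, n, sample_points, 4);
}
/* Only the well-formed first face: largest x of points 0,1,2 is 1.0f. */
float demo_first_face_x(void) {
    face_t f[8];
    parse_face_array(sample_chunk, sizeof sample_chunk, 4, 0, f, 8);
    return max_referenced_x(f, 1, sample_points, 4);
}

int main(void) {
    printf("unchecked parser: %d faces\n", demo_unchecked());
    printf("checked parser:   %d\n", demo_checked());
    printf("consumer guard:   %.1f\n", demo_unchecked_consumer());
    printf("first face only:  %.1f\n", demo_first_face_x());
    return 0;
}
```

The point for the embedded copies listed later in this bug: validating once at load time (the check_indices path) is the cheap fix, because every consumer of the face list (normals, bounding boxes, exporters) otherwise needs its own guard, and a single forgotten one is enough to reproduce the crash.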
Created lib3ds tracking bugs for this issue Affects: fedora-all [bug 633477]
The core security advisory suggests that version 2 of lib3ds fixes this flaw.
(In reply to comment #2)
> The core security advisory suggests that version 2 of lib3ds fixes this flaw.

This advisory is not applicable. Rationale:

a) There is no "official lib3ds-2".
- There is an outdated code blob called 'lib3ds-20080909.zip' at http://code.google.com/p/lib3ds/downloads/list. This *.zip is known to be broken and problematic. IIRC, it originates from lib3ds's former upstream @sourceforge and is a relic of a failed attempt to release a lib3ds-2.0 (this *.zip had been labeled a "release candidate", but such a release hasn't happened since).
- There is an svn repository at http://code.google.com/p/lib3ds/source/checkout which so far has not released any "stable package". In my understanding, this is what "core security" is referring to.

b) The code in google's SVN is incompatible with lib3ds-1.3.0. It's impossible to upgrade Fedora to this code at this point in time. That said, should the google-lib3ds project release a tarball, their code could be considered for parallel installation to lib3ds-1.3.0 to gradually grandfather lib3ds-1.3.0. However, due to its incompatibilities it can not be a replacement for lib3ds-1.3.0.

c) So far, all major Linux distros (Fedora, openSUSE, Debian, Ubuntu) ship lib3ds-1.3.0 and don't ship lib3ds-2/google's lib3ds-SVN, likely because of a) and b) (incompatible, no release tarballs).

I'll try to provide a patch, instead.
Created attachment 447208 [details]
Patch to address this issue

This is the patch I am going to apply. It's a 1:1 back-port to 1.3.0 of what currently is in google's SVN.
This also looks to affect other packages that contain embedded lib3ds:

mm3d-1.3.8a-1.fc13: (source) ad3dsfilter-0.8.1.tar.gz: plugins/ad3dsfilter/lib3ds/lib3ds/mesh.c
mrpt-0.8.0-0.3.20100102svn1398.fc13: (source) mrpt-0.8.0-20100102svn1398.tar.bz2: mrpt-0.8.0/src/core/opengl/lib3ds/mesh.c

Silvio Cesare reported the mrpt case in bug #650786; I'm going to file a bug for mm3d to get fixed as well.
Created mm3d tracking bugs for this issue Affects: fedora-all [bug 651203]
Created mrpt tracking bugs for this issue Affects: fedora-all [bug 650786]
GLC_lib also embeds lib3ds, but like mm3d it has lib3ds as a package dependency, so I have assumed that neither is vulnerable. OpenSceneGraph has had the embedded lib3ds CVE fix [1], but mingw32-OpenSceneGraph appears unfixed.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=646104
Ahh, the filename is different: mingw32-OpenSceneGraph-2.8.2/OpenSceneGraph-2.8.2/src/osgPlugins/3ds/mesh.cpp. Code inspection shows it is indeed vulnerable. Thank you!

And you're right about mm3d; the mm3d-ad3dsfilter-make.patch pulls out the building of the embedded lib3ds, so that bug was filed incorrectly. Thank you for the double-check. I'll close that bug then.

The mingw32-OpenSceneGraph tracking bugs for this issue:
Affects: fedora-all [bug 651240]
(In reply to comment #10)
> Ahh, the filename is different:
> mingw32-OpenSceneGraph-2.8.2/OpenSceneGraph-2.8.2/src/osgPlugins/3ds/mesh.cpp.
> Code inspection shows it is indeed vulnerable. Thank you!

cf. https://bugzilla.redhat.com/show_bug.cgi?id=646104#c2

A patch addressing this issue for OSG-2.8.2 can be found in OpenSceneGraph's f13 branch in git.