+++ This bug was initially created as a clone of Bug #646103 +++

Description of problem:
The OpenSceneGraph source RPM, as shipped with Fedora 13, contains an embedded copy of the lib3ds library (the relevant code parts of which are vulnerable to the CVE-2010-0280 flaw).

Version-Release number of selected component (if applicable):
OpenSceneGraph-2.8.2-5.fc13.src.rpm

Additional info:
The relevant code part is located in:
BUILD/OpenSceneGraph-2.8.2/OpenSceneGraph-2.8.2/src/osgPlugins/3ds/mesh.cpp

See also:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0280
and the patch from:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=633475#c4
for further information on how to address this problem.

Also: please consider having the OpenSceneGraph package in Fedora 13 use the system lib3ds library, which is already not vulnerable to this flaw. This is the preferred way of fixing the deficiency, as it could also be helpful in future cases like this one.
OpenSceneGraph-2.8.2-6.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/OpenSceneGraph-2.8.2-6.fc13
(In reply to comment #0)
> Also: Please consider the OpenSceneGraph package in Fedora-13
> to use system lib3ds library, which is not vulnerable to this
> flaw already. This is the preferred way of fixing the deficiency,
> as could be helpful also in future cases like this one.

AFAICT, this is not quite right. It's correct that OpenSceneGraph contains a variant of lib3ds's source code; however, their source code is compiled as C++ and, unlike the original lib3ds, is dlopen'ed as a "plugin" (the original lib3ds is a library). I.e., OpenSceneGraph's lib3ds is not identical to the original lib3ds.
OpenSceneGraph-2.8.2-6.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update OpenSceneGraph'
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/OpenSceneGraph-2.8.2-6.fc13
OpenSceneGraph-2.8.2-6.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.