Bug 646104 - OpenSceneGraph contains an embedded copy of lib3ds, prone to CVE-2010-0280
Summary: OpenSceneGraph contains an embedded copy of lib3ds, prone to CVE-2010-0280
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: OpenSceneGraph
Version: 13
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ralf Corsepius
QA Contact: Fedora Extras Quality Assurance
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard:
Depends On: 646103
Blocks: CVE-2010-0280
 
Reported: 2010-10-24 11:52 UTC by Jan Lieskovsky
Modified: 2010-11-16 23:19 UTC

Fixed In Version: OpenSceneGraph-2.8.2-6.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of: 646103
Environment:
Last Closed: 2010-11-16 23:19:08 UTC
Type: ---
Embargoed:



Description Jan Lieskovsky 2010-10-24 11:52:37 UTC
+++ This bug was initially created as a clone of Bug #646103 +++

Description of problem:

The OpenSceneGraph source rpm, as shipped with Fedora 13, contains
an embedded copy of the lib3ds library (its relevant code parts are
vulnerable to the CVE-2010-0280 flaw).

Version-Release number of selected component (if applicable):
OpenSceneGraph-2.8.2-5.fc13.src.rpm

Additional info:
The relevant code part is located in:

BUILD/OpenSceneGraph-2.8.2/OpenSceneGraph-2.8.2/src/osgPlugins/3ds/mesh.cpp

See also:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0280

and patch from:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=633475#c4

for further information on how to address this problem.

Also: Please consider making the OpenSceneGraph package in Fedora 13
      use the system lib3ds library, which is already not vulnerable to
      this flaw. This is the preferred way of fixing the deficiency,
      as it could also be helpful in future cases like this one.
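
The check a packager would want for the situation described above, as an added example that is not part of this bug report and not code from OpenSceneGraph, lib3ds or Fedora: a small POSIX shell scanner that walks a source tree and flags files that define lib3ds functions (an embedded copy), while ignoring files that merely call them through the system library. It assumes only find, grep, sed and mktemp; the marker regex is a heuristic built on lib3ds's public naming convention (lib3ds_* functions, Lib3ds* types), and the sample tree is constructed here to mirror the mesh.cpp layout named in the report.

```shell
#!/bin/sh
# Added example, not code from the bug report or from OpenSceneGraph/Fedora.
# Scans a source tree for files that look like an embedded (bundled) copy of
# lib3ds, so a packager can flag it before a flaw in the upstream library
# (here CVE-2010-0280) is inherited by the bundling package.
# Assumptions: POSIX sh with find, grep, sed, mktemp; the regex below is a
# heuristic based on lib3ds's naming (lib3ds_* functions, Lib3ds* types).

# A function *definition* starts at column 0 with a return type followed by a
# lib3ds_ name and "(" - e.g. "Lib3dsMesh *lib3ds_mesh_new(const char *name)".
# A *call* from a consumer of the system library sits indented inside a body,
# so it does not match; that is what separates "embeds" from "uses".
LIB3DS_DEF_RE='^([A-Za-z_][A-Za-z0-9_]*[ *]+)+\**lib3ds_[A-Za-z0-9_]*[ ]*\('

# find_embedded_lib3ds TREE
# Prints the path of every C/C++ source or header under TREE that defines
# lib3ds functions, one per line; prints nothing when the tree is clean.
find_embedded_lib3ds() {
    tree=$1
    find "$tree" -type f \( -name '*.c' -o -name '*.cpp' -o -name '*.h' \) \
        | while IFS= read -r f; do
              if grep -E -q "$LIB3DS_DEF_RE" "$f"; then
                  printf '%s\n' "$f"
              fi
          done
}

# report_embedded_lib3ds TREE
# Human-readable summary; returns 1 when an embedded copy was found, so the
# function can gate a packaging check (e.g. run over the unpacked source).
report_embedded_lib3ds() {
    n=$(find_embedded_lib3ds "$1" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        printf 'no embedded lib3ds found under %s\n' "$1"
        return 0
    fi
    printf '%s file(s) under %s define lib3ds functions:\n' "$n" "$1"
    find_embedded_lib3ds "$1" | sed 's/^/  /'
    return 1
}

# make_sample_tree
# Builds a constructed throwaway tree mirroring this bug's layout: one file
# that defines a lib3ds function (an embedded copy), one that only calls the
# system library, and one unrelated file. Prints the tree's path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src/osgPlugins/3ds" "$dir/src/other"
    printf 'Lib3dsMesh *lib3ds_mesh_new(const char *name)\n{\n    return 0;\n}\n' \
        > "$dir/src/osgPlugins/3ds/mesh.cpp"
    printf '#include <lib3ds/mesh.h>\nvoid load(void)\n{\n    lib3ds_mesh_new("m");\n}\n' \
        > "$dir/src/other/consumer.cpp"
    printf 'int unrelated(void) { return 0; }\n' > "$dir/src/other/foo.cpp"
    printf '%s\n' "$dir"
}
```

To use it on a real unpacked source rpm, source the script and call `report_embedded_lib3ds BUILD/OpenSceneGraph-2.8.2`; a non-zero return means at least one file defines lib3ds functions and the package should either be patched in step with the system lib3ds or switched to linking against it. The column-0 heuristic is deliberately conservative: it will miss definitions written with the return type on its own line, so treat a clean result as a prompt to review, not as proof of absence.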

Comment 1 Fedora Update System 2010-11-03 14:24:40 UTC
OpenSceneGraph-2.8.2-6.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/OpenSceneGraph-2.8.2-6.fc13

Comment 2 Ralf Corsepius 2010-11-03 14:28:29 UTC
(In reply to comment #0)
> Also: Please consider making the OpenSceneGraph package in Fedora 13
>       use the system lib3ds library, which is already not vulnerable to
>       this flaw. This is the preferred way of fixing the deficiency,
>       as it could also be helpful in future cases like this one.
AFAICT, this is not quite right.

It's correct that OpenSceneGraph contains a variant of lib3ds's source code; however, its source code is compiled as C++ and, unlike the original lib3ds, is dlopen'ed as a "plugin" (the original lib3ds is a library).

I.e. OpenSceneGraph's lib3ds is not identical to the original lib3ds.

Comment 3 Fedora Update System 2010-11-03 21:08:28 UTC
OpenSceneGraph-2.8.2-6.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
  su -c 'yum --enablerepo=updates-testing update OpenSceneGraph'
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/OpenSceneGraph-2.8.2-6.fc13

Comment 4 Fedora Update System 2010-11-16 23:19:04 UTC
OpenSceneGraph-2.8.2-6.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.

