Report forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>: Bug#330895; Package blender.
Acknowledgement sent to Joxean Koret <joxeankoret@yahoo.es>:
New Bug report received and forwarded. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>.
Subject: blender: Arbitrary code execution when importing a .bvh file
Package: blender
Version: 2.36-1
Severity: grave
Justification: user security hole
The bvh_import.py script supplied with the current Debian Stable and (I
think) unstable versions of Blender is vulnerable to arbitrary code
execution.
The problem was corrected on 2005/01/22 in CVS, but the main package
doesn't come with the fixed script.
Attached are the e-mail sent to the Blender people, one working exploit
to test the vulnerability under Debian, and two proofs of concept.
Regards,
Joxean Koret
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-386
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-15)
Versions of packages blender depends on:
ii gettext [libg 0.14.4-2 GNU Internationalization utilities
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libfreetype6 2.1.7-2.4 FreeType 2 font engine, shared lib
ii libgcc1 1:3.4.3-13 GCC support library
ii libjpeg62 6b-10 The Independent JPEG Group's JPEG
ii libopenal0 0.2004090900-1.1 OpenAL is a portable library for 3
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libsdl1.2debi 1.2.7+1.2.8cvs20041007-4.1 Simple DirectMedia Layer
ii libstdc++5 1:3.3.5-13 The GNU Standard C++ Library v3
ii libx11-6 4.3.0.dfsg.1-14 X Window System protocol client li
ii python2.3 2.3.5-4 An interactive high-level object-o
ii xlibmesa-gl [ 4.3.0.dfsg.1-14 Mesa 3D graphics library [XFree86]
ii xlibmesa-glu 4.3.0.dfsg.1-14 Mesa OpenGL utility library [XFree
ii xlibs 4.3.0.dfsg.1-14 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime
-- no debconf information
Tags added: security
Request was from Moritz Muehlenhoff <jmm@inutil.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>: Bug#330895; Package blender.
Acknowledgement sent to Florian Ernst <florian@uni-hd.de>:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>.
On Fri, 30 Sep 2005 12:51:35 +0200, Joxean Koret wrote:
> The bvh_import.py script supplied with the current Debian Stable and (I
> think) unstable versions of Blender is vulnerable to arbitrary code
> execution.
oldstable (2.23-0.1) isn't affected as it shipped a version of blender
that didn't include this script yet (and was non-free anyway).
stable (2.36-1) is affected; I've attached a naive patch to remove all
'eval's in the script, which in fact is basically what upstream did.
Please see
<http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scripts/bvh_import.py.diff?r1=1.4&r2=1.5&cvsroot=bf-blender>
for upstream details.
testing isn't affected anymore as blender has been removed from
testing due to general bugginess.
unstable (2.36-1 on alpha mips mipsel, 2.37a-1 on all other archs) is
partially affected: while 2.37a includes the upstream fix for this
problem, this version hasn't been built on all archs due to bug#333958.
HTH,
Flo
Changed Bug title.
Request was from Florian Ernst <florian@uni-hd.de>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>: Bug#330895; Package blender.
Acknowledgement sent to Florian Ernst <florian@uni-hd.de>:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>.
tags 330895 patch
thanks control@b.d.o BCCed
On Fri, 30 Sep 2005 12:51:35 +0200, Joxean Koret wrote:
> The bvh_import.py script supplied with the current Debian Stable and (I
> think) unstable versions of Blender is vulnerable to arbitrary code
> execution.
This time the patch is dpatch'yfied, and I'll also attach a patch that
is closer to upstream, but includes more changes to the code.
HTH,
Flo
Package: blender
Version: 2.37a-1
Dear Security Team,
as this package's maintainer hasn't shown any visible reaction to this
issue, I now try to take care...
On Fri, 30 Sep 2005 12:51:35 +0200, Joxean Koret wrote:
> The bvh_import.py script supplied with the current Debian Stable and (I
> think) unstable versions of Blender is vulnerable to arbitrary code
> execution.
I can confirm that this particular vulnerability could trick a user
into executing arbitrary commands with his rights. All an attacker has
to do is to provide a specially crafted bvh file (used for Motion
Capture data) for the user to import into a blender scene, and all
commands contained therein will be executed in the user's environment.
The demo exploit attached to Joxean's mail works under blender-2.36.
Oldstable (2.23-0.1) isn't affected as it shipped a version of blender
that didn't include this script yet (and was in non-free).
Stable (2.36-1) is affected; I've attached two patches that remove all
'eval's in the script, which in fact is basically what upstream did.
The first patch (CVE-2005-3302_upstream_dpatch.diff) essentially
contains what upstream did to resolve this issue, while the second
patch (CVE-2005-3302_dpatch.diff) contains what I considered to be a
minimal set of changes to remove this particular vulnerability.
Please see
<http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scripts/bvh_import.py.diff?r1=1.4&r2=1.5&cvsroot=bf-blender>
for upstream details.
I can confirm that these changes prevent the exploit of this
vulnerability, tested on both blender-2.36 and 2.37a.
Testing isn't affected anymore as blender has been removed from
Testing due to general bugginess.
Unstable was partially affected: while 2.37a-1 already included the
upstream fix for this problem, this version hadn't been built on all
archs due to bug#333958. However, this FTBFS has been resolved as of
2.37a-1.1, so right now all versions currently present in Unstable are
_not_ vulnerable. Consequently I now close this bug for the
corresponding version in Unstable with this mail.
Please issue an update for Stable when you think it is due time.
HTH,
Flo
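The defect discussed in this thread (an importer that ran `eval` on tokens read from a .bvh file, fixed by "removing all evals") as an added example that is not Blender's bvh_import.py nor either of the attached patches: a minimal parser for the MOTION section of a BVH file written in the vulnerable style, beside a hardened version that accepts only numeric literals via `float()` and aborts the import on anything else. The sample BVH text, the function names and the `expected_channels` parameter are constructed for this example; it targets Python 3 rather than the python2.3 the Sarge package depended on.

```python
"""Added example: eval() on file tokens versus float() in a BVH frame parser.

Not Blender's bvh_import.py. Assumes the BVH MOTION section layout
(header lines "Frames:" and "Frame Time:", then one whitespace-separated
numeric frame per line); the sample texts below are constructed.
"""

# Constructed, well-formed MOTION section with two frames of six channels.
SAFE_MOTION = """MOTION
Frames: 2
Frame Time: 0.033333
0.0 10.0 0.0 0.0 0.0 0.0
1.5 10.0 -0.5 0.0 90.0 0.0
"""

# Constructed section whose third token is a Python expression instead of
# a numeric literal. The expression itself is harmless; the point is that
# eval() computes whatever the file contains, so the file controls what
# the importer executes.
EXPRESSION_MOTION = """MOTION
Frames: 1
Frame Time: 0.033333
0.0 10.0 2*3 0.0 0.0 0.0
"""


def _motion_lines(text):
    """Yield the frame lines that follow the MOTION header."""
    lines = iter(text.splitlines())
    for line in lines:
        if line.strip() == "MOTION":
            break
    for line in lines:
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("Frames:") or stripped.startswith("Frame Time:"):
            continue
        yield stripped


def parse_frames_unsafe(text):
    """The vulnerable pattern: every token is handed to eval()."""
    frames = []
    for line in _motion_lines(text):
        frames.append([eval(tok) for tok in line.split()])  # noqa: S307 (shown for contrast)
    return frames


def parse_frames(text, expected_channels=None):
    """Hardened version: float() parses numeric literals only.

    Any other token raises ValueError, which aborts the import instead of
    executing anything. expected_channels (constructed parameter) lets the
    caller cross-check the per-frame column count against the HIERARCHY.
    """
    frames = []
    for lineno, line in enumerate(_motion_lines(text), 1):
        try:
            values = [float(tok) for tok in line.split()]
        except ValueError as exc:
            raise ValueError("frame %d: non-numeric channel value (%s)" % (lineno, exc))
        if expected_channels is not None and len(values) != expected_channels:
            raise ValueError("frame %d: expected %d channels, got %d"
                             % (lineno, expected_channels, len(values)))
        frames.append(values)
    return frames


if __name__ == "__main__":
    print("hardened, safe input:", parse_frames(SAFE_MOTION, expected_channels=6))
    print("unsafe, expression input:", parse_frames_unsafe(EXPRESSION_MOTION))
    try:
        parse_frames(EXPRESSION_MOTION)
    except ValueError as err:
        print("hardened, expression input rejected:", err)
```

The contrasting token `2*3` is deliberately benign: it is enough to show that `eval()` evaluates the file's content as Python while `float()` raises `ValueError` and the frame is never used. A real importer should additionally derive the channel count from the HIERARCHY block and validate the `Frames:` count, which the example only approximates with `expected_channels`.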