Debian Bug report logs - #330895
blender [CVE-2005-3302]: Arbitrary code execution when importing a .bvh file

version graph

Package: blender; Maintainer for blender is Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>; Source for blender is src:blender.

Reported by: Joxean Koret <joxeankoret@yahoo.es>

Date: Fri, 30 Sep 2005 10:48:09 UTC

Severity: grave

Tags: fixed, patch, security

Found in version blender/2.36-1

Fixed in version blender/2.37a-1

Done: Florian Ernst <florian@uni-hd.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#330895; Package blender. Full text and rfc822 format available.

Acknowledgement sent to Joxean Koret <joxeankoret@yahoo.es>:
New Bug report received and forwarded. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joxean Koret <joxeankoret@yahoo.es>
To: submit@bugs.debian.org
Subject: blender: Arbitrary code execution when importing a .bvh file
Date: Fri, 30 Sep 2005 12:51:35 +0200
[Message part 1 (text/plain, inline)]
Subject: blender: Arbitrary code execution when importing a .bvh file
Package: blender
Version: 2.36-1
Severity: grave
Justification: user security hole

The bvh_import.py script supplied with the current Debian Stable and (I
think) unstable versions of Blender is vulnerable to arbitrary code
execution.

The problem was corrected at 2005/01/22 in the CVS but the main package 
doesn't come with the fixed script.

Attached goes the e-mail sended to the Blender people,  one
working exploit to test the vulnerability under Debian, and 2 proof of
concepts.

Regards,
Joxean Koret

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-386
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-15)

Versions of packages blender depends on:
ii  gettext [libg 0.14.4-2                   GNU Internationalization
utilities
ii  libc6         2.3.2.ds1-22               GNU C Library: Shared
libraries an
ii  libfreetype6  2.1.7-2.4                  FreeType 2 font engine,
shared lib
ii  libgcc1       1:3.4.3-13                 GCC support library
ii  libjpeg62     6b-10                      The Independent JPEG
Group's JPEG 
ii  libopenal0    0.2004090900-1.1           OpenAL is a portable
library for 3
ii  libpng12-0    1.2.8rel-1                 PNG library - runtime
ii  libsdl1.2debi 1.2.7+1.2.8cvs20041007-4.1 Simple DirectMedia Layer
ii  libstdc++5    1:3.3.5-13                 The GNU Standard C++
Library v3
ii  libx11-6      4.3.0.dfsg.1-14            X Window System protocol
client li
ii  python2.3     2.3.5-4                    An interactive high-level
object-o
ii  xlibmesa-gl [ 4.3.0.dfsg.1-14            Mesa 3D graphics library
[XFree86]
ii  xlibmesa-glu  4.3.0.dfsg.1-14            Mesa OpenGL utility library
[XFree
ii  xlibs         4.3.0.dfsg.1-14            X Keyboard Extension (XKB)
configu
ii  zlib1g        1:1.2.2-4.sarge.2          compression library -
runtime

-- no debconf information

[exploit.bvh (text/plain, attachment)]
[first.mail.txt (text/plain, attachment)]
[poc1.bvh (text/plain, attachment)]
[poc2.bvh (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: security Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#330895; Package blender. Full text and rfc822 format available.

Acknowledgement sent to Florian Ernst <florian@uni-hd.de>:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>. Full text and rfc822 format available.

Message #12 received at 330895@bugs.debian.org (full text, mbox):

From: Florian Ernst <florian@uni-hd.de>
To: 330895@bugs.debian.org
Subject: Re: Bug#330895: blender: Arbitrary code execution when importing a .bvh file
Date: Tue, 1 Nov 2005 18:24:56 +0100
[Message part 1 (text/plain, inline)]
On Fri, 30 Sep 2005 12:51:35 +0200, Joxean Koret wrote:
> The bvh_import.py script supplied with the current Debian Stable and (I
> think) unstable versions of Blender is vulnerable to arbitrary code
> execution.

oldstable (2.23-0.1) isn't affected as it shipped a version of blender
that didn't include this script yet (and was non-free anyway).

stable (2.36-1) is affected, I've attached a naive patch to remove all
'eval's in the script, which in fact basically is what upstream did.
Please see
<http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scripts/bvh_import.py.diff?r1=1.4&r2=1.5&cvsroot=bf-blender>
for upstream details.

testing isn't affected anymore as blender has been removed from
testing due to general bugginess.

unstable (2.36-1 on alpha mips mipsel, 2.37a-1 on all other archs) is
partially affected: while 2.37a includes the upstream fix for this
problem this version hasn't been built on all archs due to bug#333958.

HTH,
Flo
[CVE-2005-3302.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Changed Bug title. Request was from Florian Ernst <florian@uni-hd.de> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#330895; Package blender. Full text and rfc822 format available.

Acknowledgement sent to Florian Ernst <florian@uni-hd.de>:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>. Full text and rfc822 format available.

Message #19 received at 330895@bugs.debian.org (full text, mbox):

From: Florian Ernst <florian@uni-hd.de>
To: 330895@bugs.debian.org
Subject: Re: Bug#330895: blender: Arbitrary code execution when importing a .bvh file
Date: Sun, 6 Nov 2005 12:28:46 +0100
[Message part 1 (text/plain, inline)]
tags 330895 patch
thanks control@b.d.o BCCed

On Fri, 30 Sep 2005 12:51:35 +0200, Joxean Koret wrote:
> The bvh_import.py script supplied with the current Debian Stable and (I
> think) unstable versions of Blender is vulnerable to arbitrary code
> execution.

This time the patch is dpatch'yfied, and I'll also attach a patch that
is closer to upstream, but includes more changes to the code.

HTH,
Flo
[CVE-2005-3302_dpatch.diff (text/plain, attachment)]
[CVE-2005-3302_upstream_dpatch.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: patch Request was from Florian Ernst <florian@uni-hd.de> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Florian Ernst <florian@uni-hd.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joxean Koret <joxeankoret@yahoo.es>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #26 received at 330895-done@bugs.debian.org (full text, mbox):

From: Florian Ernst <florian@uni-hd.de>
To: team@security.debian.org
Subject: Re: Bug#330895: [CVE-2005-3302] blender: Arbitrary code execution when importing a .bvh file
Date: Wed, 16 Nov 2005 15:54:07 +0100
[Message part 1 (text/plain, inline)]
Package: blender
Version: 2.37a-1

Dear Security Team,

as this package's maintainer hasn't shown any visible reaction to this
issue I now try to take care...

On Fri, 30 Sep 2005 12:51:35 +0200, Joxean Koret wrote:
> The bvh_import.py script supplied with the current Debian Stable and (I
> think) unstable versions of Blender is vulnerable to arbitrary code
> execution.

I can confirm that this particular vulnerability could trick a user
into executing arbitrary commands with his rights. All an attacker has
to do is to provide a specially crafted bvh file (used for Motion
Capture data) for the user to import into a blender scene, and all
commands contained therein will be executed in the user's environment.
The demo exploit attached to Joxean's mail works under blender-2.36.


Oldstable (2.23-0.1) isn't affected as it shipped a version of blender
that didn't include this script yet (and was in non-free).

Stable (2.36-1) is affected, I've attached two patches that remove all
'eval's in the script, which in fact basically is what upstream did.
The first patch (CVE-2005-3302_upstream_dpatch.diff) essentially
contains what upstream did to resolve this issue, while the second
patch (CVE-2005-3302_dpatch.diff) contains what I considered to be a
minimal set of changes to remove this particular vulnerability.
Please see
<http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scripts/bvh_import.py.diff?r1=1.4&r2=1.5&cvsroot=bf-blender>
for upstream details.
I can confirm that these changes prevent the exploit of this
vulnerability, tested on both blender-2.36 and 2.37a

Testing isn't affected anymore as blender has been removed from
Testing due to general bugginess.

Unstable was partially affected: while 2.37a-1 already included the
upstream fix for this problem this version hadn't been built on all
archs due to bug#333958. However, this FTBFS has been resolved as of
2.37a-1.1, so right now all versions currently present in Unstable are
_not_ vulnerable. Consequently I now close this bug for the
corresponding version in Unstable with this mail.


Please issue an update for Stable when you think it is due time.

HTH,
Flo
[CVE-2005-3302_upstream_dpatch.diff (text/plain, attachment)]
[CVE-2005-3302_dpatch.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: fixed Request was from Steve Kemp <skx@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 06:23:02 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 12:02:30 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.