Secunia Research has discovered a vulnerability in Blender, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the "imb_loadhdr()" function in source/blender/imbuf/intern/radiance_hdr.c, which can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted Blender (*.blend) file containing a malicious Radiance RGBE image. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in version 2.45. Other versions may also be affected. Solution: Fixed in the SVN repository.
> Fixed in the SVN repository. Revisions 14432, 14451, 14461
I bumped blender in cvs with the following patch: http://cvs.fedora.redhat.com/viewcvs/rpms/blender/F-9/blender-2.45-cve-2008-1102.patch?sortby=date&view=markup The new revisions are: blender-2.45-r3: ~arch (masked for >=media-video/ffmpeg-0.4.9_p20080326) blender-2.45-r2 ~arch blender-2.43-r1 stable candidate
CVE-2008-1103 is public now too: Multiple unspecified vulnerabilities in Blender have unknown impact and attack vectors, related to "temporary file issues." I don't know what the situation is with a patch there. Markus, do you?
*** Bug 217694 has been marked as a duplicate of this bug. ***
(In reply to comment #3) > CVE-2008-1103 is public now too: > Multiple unspecified vulnerabilities in Blender have unknown impact and attack > vectors, related to "temporary file issues." > > I don't know what the situation is with a patch there. Markus, do you? > grabbed patches fro CVE-2008-1103 from fedora: http://cvs.fedora.redhat.com/viewcvs/*checkout*/rpms/blender/F-9/blender-2.45-cve-2008-1103-1.patch?sortby=date http://cvs.fedora.redhat.com/viewcvs/*checkout*/rpms/blender/F-9/blender-2.45-cve-2008-1103-2.patch?sortby=date The new revisions are: media-gfx/blender-2.45-r4 ~arch media-gfx/blender-2.43-r2 stable candidate no new revision (but patches added) for p.masked version (media-gfx/blender-2.45-r3)
Arches, please test and mark stable: =media-gfx/blender-2.43-r2 Target keywords : "ppc ppc64 release x86"
x86 stable
ppc64 stable
ppc stable
11 May 2008; Markus Meier <maekke@gentoo.org> -blender-2.43.ebuild: old
GLSA request filed.
Fixed in release snapshot.
GLSA 200805-12
Please note that cve-2008-1103-1.patch and cve-2008-1103-2.patch in Fedora packages do not resolve CVE-2008-1103 completely, only /tmp/quit.blend part of the issue. See also: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1103#c8
Thanks for the info. Reopening for maintainer advise.
Hmm. Only blender-2.48a-r3 is left in tree.. if the CVE fixes ever went upstream, they should be in by now.
CVE-2008-1102: fixed in =media-gfx/blender-2.43-r2 / GLSA 200805-12 CVE-2008-1103: patch had an incomplete fix in =media-gfx/blender-2.43-r2 / GLSA 200805-12. First fixed was =media-gfx/blender-2.48a-r3
@security: blender is now package.masked and older versions has been removed. Your call what do you want to do from here.
This issue was resolved and addressed in GLSA 201311-07 at http://security.gentoo.org/glsa/glsa-201311-07.xml by GLSA coordinator Sean Amoss (ackle).
