168907 2007-03-01 17:01 0000 media-gfx/blender KML/KMZ Import Command Injection Vulnerability 2007-05-02 12:06:52 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/24232/ B2 [glsa] Executioner P2 normal --- 167694 1 keith@email.arizona.edu security@gentoo.org graphics@gentoo.org malverian@gentoo.org keith@email.arizona.edu 2007-03-01 17:01:36 0000 Secunia Research has discovered a vulnerability in Blender, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to the insecure use of the "eval()" function in kmz_ImportWithMesh.py. This can be exploited to execute arbitrary Python commands by tricking a user into importing a specially crafted "*.kml" or "*.kmz" file. The vulnerability is confirmed in version 2.42a. Prior versions may also be affected. Solution: Update to version 2.43, which no longer includes the affected script. Reproducible: Didn't try http://secunia.com/advisories/24232/ jakub@gentoo.org 2007-03-01 17:10:11 0000 (In reply to comment #0) > Solution: > Update to version 2.43, which no longer includes the affected script. blender-2.43 is broken (see Bug 167694); not really a solution. jaervosz@gentoo.org 2007-03-25 07:25:52 0000 graphics any news on this one? falco@gentoo.org 2007-04-09 18:47:59 0000 graphics team please advise. If it's such a mess, then we'll have to mask it. It's about code injection, it's serious. lu_zero@gentoo.org 2007-04-09 18:52:39 0000 I'm adding right now blender, people with amd64 please check it... (give me 1h to reshape the ebuild...) jaervosz@gentoo.org 2007-04-11 10:00:18 0000 Luca, any news on this one? lu_zero@gentoo.org 2007-04-11 10:58:18 0000 I still need somebody with amd64 to test the ebuild. the ebuild is in portage but masked because of that. jaervosz@gentoo.org 2007-04-11 11:20:33 0000 Ahh no update to Changelog. Maybe just call amd64 to test? lu_zero@gentoo.org 2007-04-11 11:59:34 0000 Should do. amd64 team please test blender-2.43 welp@gentoo.org 2007-04-12 07:57:32 0000 Tested on amd64 and removed from package.mask lu_zero@gentoo.org 2007-04-12 08:13:49 0000 I guess we could ask for stabilization then ^^ jaervosz@gentoo.org 2007-04-12 09:18:39 0000 Thx. Arches please test and mark stable. Target keywords are: blender-2.43.ebuild:KEYWORDS="amd64 ppc ppc64 ~sparc x86" welp@gentoo.org 2007-04-12 10:28:34 0000 amd64 stable armin76@gentoo.org 2007-04-12 11:42:41 0000 x86 stable corsair@gentoo.org 2007-04-15 18:38:18 0000 ppc64 stable dertobi123@gentoo.org 2007-04-17 17:25:02 0000 ppc stable jaervosz@gentoo.org 2007-05-02 12:06:52 0000 GLSA 200704-19