CVE-2008-4863 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4863): Untrusted search path vulnerability in BPY_interface in Blender 2.46 allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to an erroneous setting of sys.path by the PySys_SetArgv function.
Debian patch: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=pythonpath.diff;att=1;bug=503632
I assume that all versions in the tree are affected? (2.48a seems to have the same issue...) As we have media-gfx/blender-2.43 stable, we would have to backport the fix to this version (which should be pretty easy).
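The mechanism behind the CVE, modelled as an added example (not Blender's code, not the Debian patch): PySys_SetArgv prepends the directory of argv[0] to sys.path, and when argv[0] has no directory part that entry is the empty string, which Python resolves to the current working directory at import time. The `harden_search_path` function below is the defensive counterpart, dropping every entry that would make the working directory an import source; function names and sample paths are assumptions.

```python
import os
import sys


def interpreter_search_path(argv0, base_path):
    """Model of the pre-fix behaviour (assumption: a model, not Blender's
    own code): the directory of argv[0] is prepended to the search path.
    A bare program name such as "blender" yields "", i.e. the working
    directory, searched before every system location."""
    script_dir = os.path.dirname(argv0)
    return [script_dir] + list(base_path)


def cwd_entries(search_path, cwd):
    """Indexes of entries that resolve to the working directory, either
    as the empty string or as an explicit path equal to cwd."""
    target = os.path.abspath(cwd)
    return [i for i, p in enumerate(search_path)
            if p == "" or os.path.abspath(p) == target]


def harden_search_path(search_path, cwd):
    """Return a copy of search_path with every working-directory entry
    removed, so a module name cannot be satisfied by a file in cwd."""
    drop = set(cwd_entries(search_path, cwd))
    return [p for i, p in enumerate(search_path) if i not in drop]


def audit_running_interpreter():
    """Same check against the live interpreter; a non-empty result means
    the process imports from its working directory."""
    return cwd_entries(sys.path, os.getcwd())


if __name__ == "__main__":
    # Constructed sample: a launch as "blender" from /home/user.
    path = interpreter_search_path("blender", ["/usr/lib/python2.5"])
    print("vulnerable:", path, cwd_entries(path, "/home/user"))
    print("hardened:  ", harden_search_path(path, "/home/user"))
```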
*blender-2.48a-r3 (03 Nov 2008)
*blender-2.48a-r2 (03 Nov 2008)
*blender-2.43-r3 (03 Nov 2008)

  03 Nov 2008; Markus Meier <maekke@gentoo.org>
  +files/blender-2.43-CVE-2008-4863.patch,
  +files/blender-2.48a-CVE-2008-4863.patch, +blender-2.43-r3.ebuild,
  +blender-2.48a-r2.ebuild, +blender-2.48a-r3.ebuild:
  security bumps for 2.43 (for stable) and 2.48a, bug #245310

@lu_zero: do you have any objections to removing all ebuilds, except for blender-2.43-r3 (when it's stable), and >=2.48a-r2?
Arches, please test and mark stable: =media-gfx/blender-2.43-r3 Target keywords : "ppc ppc64 x86"
ppc64 stable
x86 stable
ppc stable
time for glsa decision, voting yes.
YES too, request filed.
GLSA 201001-07, thanks everyone.