Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 168907

Summary: media-gfx/blender KML/KMZ Import Command Injection Vulnerability
Product: Gentoo Security Reporter: Executioner <keith>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: graphics+disabled, malverian
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa] Executioner
Package list:
Runtime testing required: ---
Bug Depends on: 167694    
Bug Blocks:    

Description Executioner 2007-03-01 17:01:36 UTC
Secunia Research has discovered a vulnerability in Blender, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the insecure use of the "eval()" function in This can be exploited to execute arbitrary Python commands by tricking a user into importing a specially crafted "*.kml" or "*.kmz" file.

The vulnerability is confirmed in version 2.42a. Prior versions may also be affected.

Update to version 2.43, which no longer includes the affected script.

Reproducible: Didn't try
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-03-01 17:10:11 UTC
(In reply to comment #0)
> Solution:
> Update to version 2.43, which no longer includes the affected script.

blender-2.43 is broken (see Bug 167694); not really a solution.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 07:25:52 UTC
graphics any news on this one?
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-09 18:47:59 UTC
graphics team please advise. If it's such a mess, then we'll have to mask it. It's  about code injection, it's serious.
Comment 4 Luca Barbato gentoo-dev 2007-04-09 18:52:39 UTC
I'm adding right now blender, people with amd64 please check it...

(give me 1h to reshape the ebuild...)
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 10:00:18 UTC
Luca, any news on this one?
Comment 6 Luca Barbato gentoo-dev 2007-04-11 10:58:18 UTC
I still need somebody with amd64 to test the ebuild. the ebuild is in portage but masked because of that.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 11:20:33 UTC
Ahh no update to Changelog.

Maybe just call amd64 to test?
Comment 8 Luca Barbato gentoo-dev 2007-04-11 11:59:34 UTC
Should do. amd64 team please test blender-2.43
Comment 9 Peter Weller (RETIRED) gentoo-dev 2007-04-12 07:57:32 UTC
Tested on amd64 and removed from package.mask
Comment 10 Luca Barbato gentoo-dev 2007-04-12 08:13:49 UTC
I guess we could ask for stabilization then ^^
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-12 09:18:39 UTC

Arches please test and mark stable. Target keywords are:
blender-2.43.ebuild:KEYWORDS="amd64 ppc ppc64 ~sparc x86"
Comment 12 Peter Weller (RETIRED) gentoo-dev 2007-04-12 10:28:34 UTC
amd64 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2007-04-12 11:42:41 UTC
x86 stable
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2007-04-15 18:38:18 UTC
ppc64 stable
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2007-04-17 17:25:02 UTC
ppc stable
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 12:06:52 UTC
GLSA 200704-19