| Field | Value |
|---|---|
| Summary | media-gfx/blender-2.48a-r3 Multiple vulnerabilities (CVE-2008-{1102,1103}) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://secunia.com/advisories/29818 |
| Whiteboard | B2 [glsa] |
| Reporter | Lars Hartmann <lars> |
| Assignee | Gentoo Security <security> |
| CC | graphics+disabled, hasufell |
| Package list | |
| Runtime testing required | --- |
Description
Lars Hartmann
2008-04-23 11:22:16 UTC
> Fixed in the SVN repository.

Revisions 14432, 14451, 14461

---

I bumped blender in cvs with the following patch: http://cvs.fedora.redhat.com/viewcvs/rpms/blender/F-9/blender-2.45-cve-2008-1102.patch?sortby=date&view=markup

The new revisions are:

- blender-2.45-r3: ~arch (masked for >=media-video/ffmpeg-0.4.9_p20080326)
- blender-2.45-r2: ~arch
- blender-2.43-r1: stable candidate

---

CVE-2008-1103 is public now too:

Multiple unspecified vulnerabilities in Blender have unknown impact and attack vectors, related to "temporary file issues."

I don't know what the situation is with a patch there. Markus, do you?

---

*** Bug 217694 has been marked as a duplicate of this bug. ***

---

(In reply to comment #3)
> CVE-2008-1103 is public now too:
> Multiple unspecified vulnerabilities in Blender have unknown impact and attack
> vectors, related to "temporary file issues."
>
> I don't know what the situation is with a patch there. Markus, do you?

Grabbed patches for CVE-2008-1103 from Fedora:

http://cvs.fedora.redhat.com/viewcvs/*checkout*/rpms/blender/F-9/blender-2.45-cve-2008-1103-1.patch?sortby=date
http://cvs.fedora.redhat.com/viewcvs/*checkout*/rpms/blender/F-9/blender-2.45-cve-2008-1103-2.patch?sortby=date

The new revisions are:

- media-gfx/blender-2.45-r4: ~arch
- media-gfx/blender-2.43-r2: stable candidate

No new revision (but patches added) for the p.masked version (media-gfx/blender-2.45-r3).

---

Arches, please test and mark stable: =media-gfx/blender-2.43-r2

Target keywords: "ppc ppc64 release x86"

---

x86 stable

---

ppc64 stable

---

ppc stable

---

11 May 2008; Markus Meier <maekke@gentoo.org> -blender-2.43.ebuild: old

---

GLSA request filed.

---

Fixed in release snapshot.

---

GLSA 200805-12

---

Please note that cve-2008-1103-1.patch and cve-2008-1103-2.patch in the Fedora packages do not resolve CVE-2008-1103 completely, only the /tmp/quit.blend part of the issue. See also: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1103#c8

---

Thanks for the info. Reopening for maintainer advice.

---

Hmm. Only blender-2.48a-r3 is left in the tree. If the CVE fixes ever went upstream, they should be in by now.

CVE-2008-1102: fixed in =media-gfx/blender-2.43-r2 / GLSA 200805-12
CVE-2008-1103: patch had an incomplete fix in =media-gfx/blender-2.43-r2 / GLSA 200805-12. First fixed was =media-gfx/blender-2.48a-r3

@security: blender is now package.masked and older versions have been removed. Your call what you want to do from here.

---

This issue was resolved and addressed in GLSA 201311-07 at http://security.gentoo.org/glsa/glsa-201311-07.xml by GLSA coordinator Sean Amoss (ackle).
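The thread pins CVE-2008-1103 to "temporary file issues" and names /tmp/quit.blend as the only part the Fedora patches covered, without saying how that path is abused. The C below is an added example, not Blender's or Gentoo's code. The symlink scenario it stages is the usual hazard of a fixed, predictable name in a shared directory, assumed here rather than taken from the thread: a careless writer next to two hardened ones (`O_EXCL|O_NOFOLLOW` on the fixed name, and `mkstemp()` for an unpredictable one), exercised against a constructed victim file and symlink in a private scratch directory. Directory, file names and contents are all constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Write 'len' bytes to 'fd' and close it; 0 on success, -1 otherwise. */
static int write_and_close(int fd, const char *data, size_t len)
{
    ssize_t n = write(fd, data, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* The careless pattern: a fixed path opened with O_CREAT|O_TRUNC and neither
 * O_EXCL nor O_NOFOLLOW.  A symlink planted at that name is followed, so the
 * data lands at the link target (assumed attack pattern, not from the thread). */
static int write_fixed_path_unsafe(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    return fd < 0 ? -1 : write_and_close(fd, data, len);
}

/* Hardened writer for the same fixed path: O_EXCL fails if anything already
 * exists there (a symlink included), O_NOFOLLOW refuses to traverse a symlink
 * in the final component, and the file is created private (0600). */
static int write_fixed_path_exclusive(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    return fd < 0 ? -1 : write_and_close(fd, data, len);
}

/* Preferred: mkstemp() picks an unpredictable name, opens with O_CREAT|O_EXCL
 * and mode 0600, and rewrites the trailing XXXXXX in 'tmpl' with the name it
 * actually created, so the caller can report it or rename() it into place. */
static int write_random_name(char *tmpl, const char *data, size_t len)
{
    int fd = mkstemp(tmpl);
    return fd < 0 ? -1 : write_and_close(fd, data, len);
}

/* Read at most cap-1 bytes of a small file into 'buf' as a C string. */
static int read_small_file(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, cap - 1);
    if (fd >= 0) close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Stage the scenario in a private scratch directory (constructed; nothing here
 * touches a real /tmp/quit.blend): a "victim" file and a symlink quit.blend
 * pointing at it.  Returns a bitmask, 7 when all three behaviours are seen:
 *   bit 0: the unsafe writer followed the symlink and overwrote the victim
 *   bit 1: the O_EXCL|O_NOFOLLOW writer refused with EEXIST or ELOOP
 *   bit 2: mkstemp() created a fresh, differently named file holding the data */
int demo_predictable_tempfile(void)
{
    char dir[] = "/tmp/tmpfile-demo-XXXXXX";
    if (!mkdtemp(dir)) {
        strcpy(dir, "./tmpfile-demo-XXXXXX");   /* fallback if /tmp is not writable */
        if (!mkdtemp(dir))
            return -1;
    }
    char victim[256], link[256], rnd[256], buf[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/quit.blend", dir);
    snprintf(rnd, sizeof rnd, "%s/quit.XXXXXX", dir);
    const char *original = "victim original contents", *payload = "attacker-controlled data";
    int result = 0;

    /* Symlink target is relative to the link's own directory. */
    if (write_fixed_path_exclusive(victim, original, strlen(original)) != 0 ||
        symlink("victim", link) != 0)
        goto cleanup;

    /* 1. Unsafe writer: the payload ends up in 'victim' via the symlink. */
    if (write_fixed_path_unsafe(link, payload, strlen(payload)) == 0 &&
        read_small_file(victim, buf, sizeof buf) == 0 && strcmp(buf, payload) == 0)
        result |= 1;

    /* 2. Hardened writer: the pre-planted symlink makes open() fail. */
    errno = 0;
    if (write_fixed_path_exclusive(link, payload, strlen(payload)) != 0 &&
        (errno == EEXIST || errno == ELOOP))
        result |= 2;

    /* 3. Random name: a brand-new file, not the symlink, receives the data. */
    if (write_random_name(rnd, payload, strlen(payload)) == 0 &&
        strstr(rnd, "XXXXXX") == NULL &&
        read_small_file(rnd, buf, sizeof buf) == 0 && strcmp(buf, payload) == 0)
        result |= 4;

cleanup:
    unlink(rnd); unlink(link); unlink(victim); rmdir(dir);
    return result;
}
```

Calling `demo_predictable_tempfile()` returns 7 on Linux: the plain `O_CREAT|O_TRUNC` open silently writes through the planted symlink, while the `O_EXCL|O_NOFOLLOW` open and `mkstemp()` both avoid it. The `O_EXCL` check alone is what closes the race; `O_NOFOLLOW` is belt-and-braces for the case where the file is later reopened by name.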