Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 245310 (CVE-2008-4863)

Summary: media-gfx/blender <2.48-r3: search path vulnerability (CVE-2008-4863)
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: graphics+disabled, lu_zero
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503632
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-02 19:23:24 UTC
CVE-2008-4863 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4863):
  Untrusted search path vulnerability in BPY_interface in Blender 2.46
  allows local users to execute arbitrary code via a Trojan horse
  Python file in the current working directory, related to an erroneous
  setting of sys.path by the PySys_SetArgv function.
Comment 2 Markus Meier gentoo-dev 2008-11-02 22:32:47 UTC
I assume that all versions in the tree are affected? (2.48a seems to have the same issue...)
As we have media-gfx/blender-2.43 stable, we would have to backport the fix to this version (which should be pretty easy).
Comment 3 Markus Meier gentoo-dev 2008-11-03 22:24:22 UTC
*blender-2.48a-r3 (03 Nov 2008)
*blender-2.48a-r2 (03 Nov 2008)
*blender-2.43-r3 (03 Nov 2008)

  03 Nov 2008; Markus Meier <maekke@gentoo.org>
  +files/blender-2.43-CVE-2008-4863.patch,
  +files/blender-2.48a-CVE-2008-4863.patch, +blender-2.43-r3.ebuild,
  +blender-2.48a-r2.ebuild, +blender-2.48a-r3.ebuild:
  security bumps for 2.43 (for stable) and 2.48a, bug #245310

@lu_zero: do you have any objections to remove all all ebuilds, except for blender-2.43-r3 (when it's stable), and >=2.48a-r2 ?
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-11-09 12:54:43 UTC
Arches, please test and mark stable:
=media-gfx/blender-2.43-r3
Target keywords : "ppc ppc64 x86"
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2008-11-12 18:16:39 UTC
ppc64 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-11-15 11:48:45 UTC
x86 stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-15 17:48:16 UTC
ppc stable
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-11-26 22:17:41 UTC
time for glsa decision, voting yes.
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-30 19:04:10 UTC
YES too, request filed.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-13 22:15:53 UTC
GLSA 201001-07, thanks everyone.