Bug 364291

Summary:

<media-gfx/blender-2.57-r1 arbitrary code exec (sort of CVE-2009-3850)

Product:

Gentoo Security

Reporter:

Sebastian Pipping <sping>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

normal

CC:

alexanderyt, dschridde+gentoobugs, graphics+disabled, hasufell, lu_zero, mail, randy-andy-

Priority:

Normal

Keywords:

Inclusion

Version:

unspecified

Hardware:

All

OS:

Linux

URL:

http://www.coresecurity.com/content/blender-scripting-injection

Whiteboard:

Package list:

Runtime testing required:

---

Attachments:

Description	Flags
Proposed patch for CVE-2009-3850 against Blender 2.57 (v1)	none
Diff between v1 and v2	none
Proposed patch for CVE-2009-3850 against Blender 2.57 (v2)	none

Description Sebastian Pipping gentoo-dev

2011-04-20 22:03:07 UTC

This is related to bug #312593.

I am posting an updated exploit generation manual here, as loading an exploit generated for Blender 2.49b may otherwise give the wrong impression that Blender 2.57 is safe from this attack.

 - Start Blender 2.57

 - Open pane "Text Editor"

 - Press "+ New"

 - Insert the text

     import os
     os.system("notify-send 'Hello from CVE-2009-3850, blender 2.57'")

 - Push "Run Script" to confirm that our popup message is shown.

 - Enter "foo.py" for field "Unique datablock ID name"
   (normally showing "Text" before)

 - Check checkbox "Register"

 - Save file as "CVE-2009-3850-blender-2.57.blend" or something.

 - Open the file you just saved

--> Code is executed

Comment 1 Luca Barbato gentoo-dev

2011-04-20 22:13:09 UTC

I guess we could patch blender to have the code execution option default disabled (now there is an option to regulate it)

Comment 2 Sebastian Pipping gentoo-dev

2011-04-20 22:19:00 UTC

(In reply to comment #1)
> I guess we could patch blender to have the code execution option default
> disabled (now there is an option to regulate it)

Please see <https://bugs.gentoo.org/show_bug.cgi?id=293130#c5> for details why that alone wouldn't help with 2.49b, probably not with 2.57 either.

Comment 3 Sebastian Pipping gentoo-dev

2011-04-24 16:50:58 UTC

Created attachment 271021 [details, diff]
Proposed patch for CVE-2009-3850 against Blender 2.57 (v1)

The attached patch disables execution of embedded Python code unless you run Blender with parameter --enable-autoexec (or one of it aliases -y and -666).

When run with --enable-autoexec the user can still disable script execution by unchecking "Auto Run Python Scripts" in tab "System" on panel "User preferences".

To summarize the patch:
- Safe operation by default
- Unsafe operation possible though --enable-autoexec|-y|-666
- Effect of --disable-autoexec is hard, effect of --enable-autoexec is soft
- Compatible behavior to the patch for Blender 2.49b (bug #293130)

Comment 4 Sebastian Pipping gentoo-dev

2011-05-07 00:07:12 UTC

Patch integrated with just-committed Blender 2.57 ebuild.

Comment 5 Sebastian Pipping gentoo-dev

2011-05-17 15:36:14 UTC

Created attachment 273671 [details, diff]
Diff between v1 and v2

Comment 6 Sebastian Pipping gentoo-dev

2011-05-17 15:44:18 UTC

Created attachment 273673 [details, diff]
Proposed patch for CVE-2009-3850 against Blender 2.57 (v2)

This patch adds the following to v1:
- Restricts the "Trusted Source" checkbox to --enable-autoexec mode
- Disables checkboxes "Trusted Source" and "Auto Run Python Scripts" visually

Comment 7 Sebastian Pipping gentoo-dev

2011-05-17 16:13:05 UTC

+*blender-2.57-r1 (17 May 2011)
+
+  17 May 2011; Sebastian Pipping <sping@gentoo.org> +blender-2.57-r1.ebuild,
+  +files/blender-2.57-CVE-2009-3850-v2.patch:
+  Update patch for CVE-2009-3850 to v2
+

Comment 8 Diego Elio Pettenò (RETIRED) gentoo-dev

2013-02-05 16:12:21 UTC

@security: blender is now package.masked and older versions has been removed. Your call what do you want to do from here.

Comment 9 Chris Reffett (RETIRED) gentoo-dev

2013-06-30 12:58:17 UTC

This appears to be no longer relevant as 2.57 is no longer in tree. Closing.