Secunia Research has discovered a vulnerability in Blender, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to the insecure use of the "eval()" function in kmz_ImportWithMesh.py. This can be exploited to execute arbitrary Python commands by tricking a user into importing a specially crafted "*.kml" or "*.kmz" file.
The vulnerability is confirmed in version 2.42a. Prior versions may also be affected.
Update to version 2.43, which no longer includes the affected script.
Reproducible: Didn't try
(In reply to comment #0)
> Update to version 2.43, which no longer includes the affected script.
blender-2.43 is broken (see Bug 167694); not really a solution.
graphics any news on this one?
graphics team please advise. If it's such a mess, then we'll have to mask it. It's about code injection, it's serious.
I'm adding right now blender, people with amd64 please check it...
(give me 1h to reshape the ebuild...)
Luca, any news on this one?
I still need somebody with amd64 to test the ebuild. the ebuild is in portage but masked because of that.
Ahh no update to Changelog.
Maybe just call amd64 to test?
Should do. amd64 team please test blender-2.43
Tested on amd64 and removed from package.mask
I guess we could ask for stabilization then ^^
Arches please test and mark stable. Target keywords are:
blender-2.43.ebuild:KEYWORDS="amd64 ppc ppc64 ~sparc x86"