Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 168907 - media-gfx/blender KML/KMZ Import Command Injection Vulnerability
Summary: media-gfx/blender KML/KMZ Import Command Injection Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/24232/
Whiteboard: B2 [glsa] Executioner
Keywords:
Depends on: 167694
Blocks:
  Show dependency tree
 
Reported: 2007-03-01 17:01 UTC by Executioner
Modified: 2007-05-02 12:06 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Executioner 2007-03-01 17:01:36 UTC
Secunia Research has discovered a vulnerability in Blender, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the insecure use of the "eval()" function in kmz_ImportWithMesh.py. This can be exploited to execute arbitrary Python commands by tricking a user into importing a specially crafted "*.kml" or "*.kmz" file.

The vulnerability is confirmed in version 2.42a. Prior versions may also be affected.

Solution:
Update to version 2.43, which no longer includes the affected script.


Reproducible: Didn't try




http://secunia.com/advisories/24232/
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-03-01 17:10:11 UTC
(In reply to comment #0)
> Solution:
> Update to version 2.43, which no longer includes the affected script.

blender-2.43 is broken (see Bug 167694); not really a solution.
 
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 07:25:52 UTC
graphics any news on this one?
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-09 18:47:59 UTC
graphics team please advise. If it's such a mess, then we'll have to mask it. It's  about code injection, it's serious.
Comment 4 Luca Barbato gentoo-dev 2007-04-09 18:52:39 UTC
I'm adding right now blender, people with amd64 please check it...

(give me 1h to reshape the ebuild...)
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 10:00:18 UTC
Luca, any news on this one?
Comment 6 Luca Barbato gentoo-dev 2007-04-11 10:58:18 UTC
I still need somebody with amd64 to test the ebuild. the ebuild is in portage but masked because of that.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 11:20:33 UTC
Ahh no update to Changelog.

Maybe just call amd64 to test?
Comment 8 Luca Barbato gentoo-dev 2007-04-11 11:59:34 UTC
Should do. amd64 team please test blender-2.43
Comment 9 Peter Weller (RETIRED) gentoo-dev 2007-04-12 07:57:32 UTC
Tested on amd64 and removed from package.mask
Comment 10 Luca Barbato gentoo-dev 2007-04-12 08:13:49 UTC
I guess we could ask for stabilization then ^^
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-12 09:18:39 UTC
Thx.

Arches please test and mark stable. Target keywords are:
blender-2.43.ebuild:KEYWORDS="amd64 ppc ppc64 ~sparc x86"
Comment 12 Peter Weller (RETIRED) gentoo-dev 2007-04-12 10:28:34 UTC
amd64 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2007-04-12 11:42:41 UTC
x86 stable
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2007-04-15 18:38:18 UTC
ppc64 stable
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2007-04-17 17:25:02 UTC
ppc stable
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 12:06:52 UTC
GLSA 200704-19