Secunia Research has discovered a vulnerability in Blender, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to a boundary error within the "imb_loadhdr()" function in source/blender/imbuf/intern/radiance_hdr.c, which can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted Blender (*.blend) file containing a malicious Radiance RGBE image.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in version 2.45. Other versions may also be affected.
Fixed in the SVN repository.
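As an added illustration of the bug class the advisory names (a boundary error while parsing a Radiance RGBE header), here is a constructed, bounds-checked header parser in C. It is not Blender's imb_loadhdr() and does not reproduce its code; the token buffer sizes, the dimension limits, and the assumption that the file starts with "#?RADIANCE" are mine.

```c
#include <stdio.h>
#include <string.h>

#define ORI_MAX 3           /* "+X", "-Y" etc. are two chars; %3s bounds the token */
#define DIM_MAX 65536L      /* constructed sanity bound on one dimension */
#define PIX_MAX (1L << 28)  /* constructed sanity bound on width * height */

typedef struct { long width, height; char ori_y[ORI_MAX + 1], ori_x[ORI_MAX + 1]; } hdr_res;

static int ori_ok(const char *t, char axis)
{
    return strlen(t) == 2 && (t[0] == '+' || t[0] == '-') && t[1] == axis;
}

/* Parse one resolution line such as "-Y 512 +X 768". Returns 1 on success,
 * 0 if the line is malformed, over-long, or describes an unreasonable image. */
int parse_hdr_resolution(const char *line, hdr_res *out)
{
    char oy[ORI_MAX + 1], ox[ORI_MAX + 1];
    long h, w;
    int used = 0;
    /* width-limited %3s cannot overrun oy/ox; %n lets us reject trailing junk */
    if (sscanf(line, "%3s %ld %3s %ld %n", oy, &h, ox, &w, &used) != 4) return 0;
    if (line[used] != '\0' && line[used] != '\n') return 0;
    if (!ori_ok(oy, 'Y') || !ori_ok(ox, 'X')) return 0;  /* only the usual -Y/+X layout */
    if (h < 1 || w < 1 || h > DIM_MAX || w > DIM_MAX || h > PIX_MAX / w) return 0;
    out->height = h; out->width = w;
    strcpy(out->ori_y, oy); strcpy(out->ori_x, ox);
    return 1;
}

/* Walk a header of at most len bytes: magic line, zero or more "KEY=value"
 * lines, a blank line, then the resolution line. Never reads past buf + len. */
int parse_hdr_header(const char *buf, size_t len, hdr_res *out)
{
    const char *end = buf + len, *p, *nl;
    char line[128];
    int blank = 0;
    if (len < 11 || memcmp(buf, "#?RADIANCE\n", 11) != 0) return 0;
    for (p = buf + 11; p < end; p = nl + 1) {
        nl = memchr(p, '\n', (size_t)(end - p));
        if (!nl || (size_t)(nl - p) >= sizeof line) return 0;  /* unterminated or over-long line */
        memcpy(line, p, (size_t)(nl - p)); line[nl - p] = '\0';
        if (blank) return parse_hdr_resolution(line, out);      /* first line after the blank one */
        blank = (line[0] == '\0');
    }
    return 0;  /* data ended before the resolution line */
}
```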
> Fixed in the SVN repository.
Revisions 14432, 14451, 14461
I bumped blender in cvs with the following patch:
The new revisions are:
blender-2.45-r3: ~arch (masked for >=media-video/ffmpeg-0.4.9_p20080326)
blender-2.43-r1 stable candidate
CVE-2008-1103 is public now too:
Multiple unspecified vulnerabilities in Blender have unknown impact and attack vectors, related to "temporary file issues."
I don't know what the situation is with a patch there. Markus, do you?
*** Bug 217694 has been marked as a duplicate of this bug. ***
(In reply to comment #3)
> CVE-2008-1103 is public now too:
> Multiple unspecified vulnerabilities in Blender have unknown impact and attack vectors, related to "temporary file issues."
> I don't know what the situation is with a patch there. Markus, do you?
grabbed patches for CVE-2008-1103 from fedora:
The new revisions are:
media-gfx/blender-2.43-r2 stable candidate
no new revision (but patches added) for p.masked version (media-gfx/blender-2.45-r3)
Arches, please test and mark stable:
Target keywords : "ppc ppc64 release x86"
11 May 2008; Markus Meier <firstname.lastname@example.org> -blender-2.43.ebuild:
GLSA request filed.
Fixed in release snapshot.
Please note that cve-2008-1103-1.patch and cve-2008-1103-2.patch in Fedora packages do not resolve CVE-2008-1103 completely, only /tmp/quit.blend part of the issue. See also:
Thanks for the info.
Reopening for maintainer advice.
Hmm. Only blender-2.48a-r3 is left in tree... if the CVE fixes ever went upstream, they should be in by now.
CVE-2008-1102: fixed in =media-gfx/blender-2.43-r2 / GLSA 200805-12
CVE-2008-1103: patch had an incomplete fix in =media-gfx/blender-2.43-r2 / GLSA 200805-12. First fixed was =media-gfx/blender-2.48a-r3
@security: blender is now package.masked and older versions have been removed. Your call what you want to do from here.
This issue was resolved and addressed in GLSA 201311-07 at http://security.gentoo.org/glsa/glsa-201311-07.xml by GLSA coordinator Sean Amoss (ackle).