Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 219008 (CVE-2008-1102) - <media-gfx/blender-2.48a-r3 Multiple vulnerabilities (CVE-2008-{1102,1103})
Summary: <media-gfx/blender-2.48a-r3 Multiple vulnerabilities (CVE-2008-{1102,1103})
Status: RESOLVED FIXED
Alias: CVE-2008-1102
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/29818
Whiteboard: B2 [glsa]
Keywords:
: 217694 (view as bug list)
Depends on:
Blocks:
 
Reported: 2008-04-23 11:22 UTC by Lars Hartmann
Modified: 2013-11-13 11:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Hartmann 2008-04-23 11:22:16 UTC
Secunia Research has discovered a vulnerability in Blender, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the "imb_loadhdr()" function in source/blender/imbuf/intern/radiance_hdr.c, which can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted Blender (*.blend) file containing a malicious Radiance RGBE image.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 2.45. Other versions may also be affected.

Solution:
Fixed in the SVN repository.
Comment 1 Tomas Hoger 2008-04-24 08:23:48 UTC
> Fixed in the SVN repository.

Revisions 14432, 14451, 14461
Comment 2 Markus Meier gentoo-dev 2008-04-27 12:26:22 UTC
I bumped blender in cvs with the following patch:
http://cvs.fedora.redhat.com/viewcvs/rpms/blender/F-9/blender-2.45-cve-2008-1102.patch?sortby=date&view=markup

The new revisions are:
blender-2.45-r3: ~arch (masked for >=media-video/ffmpeg-0.4.9_p20080326)
blender-2.45-r2 ~arch
blender-2.43-r1 stable candidate
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-05-03 19:44:09 UTC
CVE-2008-1103 is public now too:
Multiple unspecified vulnerabilities in Blender have unknown impact and attack
vectors, related to "temporary file issues."

I don't know what the situation is with a patch there. Markus, do you?
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-05-03 19:44:53 UTC
*** Bug 217694 has been marked as a duplicate of this bug. ***
Comment 5 Markus Meier gentoo-dev 2008-05-07 21:10:02 UTC
(In reply to comment #3)
> CVE-2008-1103 is public now too:
> Multiple unspecified vulnerabilities in Blender have unknown impact and attack
> vectors, related to "temporary file issues."
> 
> I don't know what the situation is with a patch there. Markus, do you?
> 

grabbed patches fro CVE-2008-1103 from fedora:
http://cvs.fedora.redhat.com/viewcvs/*checkout*/rpms/blender/F-9/blender-2.45-cve-2008-1103-1.patch?sortby=date
http://cvs.fedora.redhat.com/viewcvs/*checkout*/rpms/blender/F-9/blender-2.45-cve-2008-1103-2.patch?sortby=date


The new revisions are:
media-gfx/blender-2.45-r4 ~arch
media-gfx/blender-2.43-r2 stable candidate

no new revision (but patches added) for p.masked version (media-gfx/blender-2.45-r3)
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-05-08 07:52:32 UTC
Arches, please test and mark stable:
=media-gfx/blender-2.43-r2
Target keywords : "ppc ppc64 release x86"
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-08 14:47:58 UTC
x86 stable
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2008-05-09 14:29:30 UTC
ppc64 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-11 12:09:38 UTC
ppc stable
Comment 10 Markus Meier gentoo-dev 2008-05-11 13:08:45 UTC
  11 May 2008; Markus Meier <maekke@gentoo.org> -blender-2.43.ebuild:
  old
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-11 13:11:26 UTC
GLSA request filed.
Comment 12 Peter Volkov (RETIRED) gentoo-dev 2008-05-11 18:20:39 UTC
Fixed in release snapshot.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-12 21:18:00 UTC
GLSA 200805-12
Comment 14 Tomas Hoger 2008-05-14 07:00:05 UTC
Please note that cve-2008-1103-1.patch and cve-2008-1103-2.patch in Fedora packages do not resolve CVE-2008-1103 completely, only /tmp/quit.blend part of the issue.  See also:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1103#c8
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2008-05-14 18:30:57 UTC
Thanks for the info.

Reopening for maintainer advise.
Comment 16 Samuli Suominen gentoo-dev 2008-12-22 14:44:48 UTC
Hmm. Only blender-2.48a-r3 is left in tree.. if the CVE fixes ever went upstream, they should be in by now.
Comment 17 Sean Amoss gentoo-dev Security 2012-07-16 23:21:56 UTC
CVE-2008-1102: fixed in =media-gfx/blender-2.43-r2 / GLSA 200805-12
CVE-2008-1103: patch had an incomplete fix in =media-gfx/blender-2.43-r2 / GLSA 200805-12. First fixed was =media-gfx/blender-2.48a-r3
Comment 18 Diego Elio Pettenò (RETIRED) gentoo-dev 2013-02-05 16:12:18 UTC
@security: blender is now package.masked and older versions has been removed. Your call what do you want to do from here.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2013-11-13 11:37:24 UTC
This issue was resolved and addressed in
 GLSA 201311-07 at http://security.gentoo.org/glsa/glsa-201311-07.xml
by GLSA coordinator Sean Amoss (ackle).