Bug 245310 (CVE-2008-4863) - media-gfx/blender <2.48-r3: search path vulnerability (CVE-2008-4863)
Summary: media-gfx/blender <2.48-r3: search path vulnerability (CVE-2008-4863)
Alias: CVE-2008-4863
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Reported: 2008-11-02 19:23 UTC by Stefan Behte (RETIRED)
Modified: 2010-01-13 22:15 UTC

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-02 19:23:24 UTC
CVE-2008-4863 (
  Untrusted search path vulnerability in BPY_interface in Blender 2.46
  allows local users to execute arbitrary code via a Trojan horse
  Python file in the current working directory, related to an erroneous
  setting of sys.path by the PySys_SetArgv function.
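The mechanism behind the CVE text above, as an added example that is not part of this bug report and not Blender's code: when an embedded interpreter calls PySys_SetArgv() with an argv[0] that carries no directory component, CPython 2.x prepends '' (the current working directory) to sys.path, so every `import` the host application performs is first resolved against the directory the user launched it from. The script plants a constructed Trojan horse module in a scratch directory, imports with '' at the head of the search path, then repeats the import after stripping cwd-style entries, which is the shape of the mitigation a host application applies right after PySys_SetArgv(). The module name, marker string and helper functions are assumptions made for the demo, not names from Blender or the Gentoo patch.

```python
"""CVE-2008-4863 search-path hazard and its mitigation, stand-alone.

Added example, not Blender's code. The module name, the planted file and
the helper functions below are constructed for this demonstration.
"""
import importlib
import os
import sys
import tempfile

# Hypothetical module name a host-side Python script might import.
TROJAN_MODULE = "blender_helper_cve_2008_4863"
MARKER = "trojan-executed"


def is_cwd_entry(entry):
    """True for sys.path entries that resolve to the current working directory."""
    return entry in ("", ".") or os.path.abspath(entry) == os.getcwd()


def sanitize_sys_path(path_list):
    """Mitigation: copy of path_list with every cwd-resolving entry removed.

    This is what filtering sys.path right after PySys_SetArgv() achieves:
    imports can no longer be satisfied from the launch directory.
    """
    return [p for p in path_list if not is_cwd_entry(p)]


def import_with_path(search_path):
    """Import TROJAN_MODULE using only search_path; return its MARKER or None.

    None means the import failed, i.e. the module was not reachable through
    the supplied search path (the desired outcome once cwd is removed).
    """
    saved_path = sys.path[:]
    sys.modules.pop(TROJAN_MODULE, None)
    # Drop cached finders for cwd-style entries so a stale finder from an
    # earlier working directory cannot distort the result.
    for key in ("", ".", os.getcwd()):
        sys.path_importer_cache.pop(key, None)
    importlib.invalidate_caches()
    sys.path[:] = search_path
    try:
        return getattr(importlib.import_module(TROJAN_MODULE), "MARKER", None)
    except ImportError:
        return None
    finally:
        sys.path[:] = saved_path
        sys.modules.pop(TROJAN_MODULE, None)


def run_demo():
    """Plant a Trojan horse file in a scratch cwd; return (vulnerable, fixed).

    vulnerable: result of importing with '' at the head of the search path.
    fixed:      result after sanitize_sys_path() has removed cwd entries.
    """
    original_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as scratch:
        # Constructed attacker-controlled file in the victim's launch directory.
        with open(os.path.join(scratch, TROJAN_MODULE + ".py"), "w") as fh:
            fh.write("MARKER = %r\n" % MARKER)
        os.chdir(scratch)
        try:
            # What an unsanitised PySys_SetArgv() leaves behind: '' first,
            # then the interpreter's normal path (baseline cleaned of cwd
            # entries so only the planted '' matters for the comparison).
            vulnerable_path = [""] + [p for p in sys.path if not is_cwd_entry(p)]
            vulnerable = import_with_path(vulnerable_path)
            fixed = import_with_path(sanitize_sys_path(vulnerable_path))
        finally:
            os.chdir(original_cwd)
    return vulnerable, fixed


if __name__ == "__main__":
    print("with cwd on sys.path: %r, after sanitizing: %r" % run_demo())
```

Running the script loads the planted module in the first case and fails the import in the second. Later CPython releases added PySys_SetArgvEx() with an `updatepath` argument so an embedding application can avoid the sys.path insertion altogether instead of cleaning up after it.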
Comment 2 Markus Meier gentoo-dev 2008-11-02 22:32:47 UTC
I assume that all versions in the tree are affected? (2.48a seems to have the same issue...)
As we have media-gfx/blender-2.43 stable, we would have to backport the fix to this version (which should be pretty easy).
Comment 3 Markus Meier gentoo-dev 2008-11-03 22:24:22 UTC
*blender-2.48a-r3 (03 Nov 2008)
*blender-2.48a-r2 (03 Nov 2008)
*blender-2.43-r3 (03 Nov 2008)

  03 Nov 2008; Markus Meier <>
  +files/blender-2.48a-CVE-2008-4863.patch, +blender-2.43-r3.ebuild,
  +blender-2.48a-r2.ebuild, +blender-2.48a-r3.ebuild:
  security bumps for 2.43 (for stable) and 2.48a, bug #245310

@lu_zero: do you have any objections to removing all ebuilds, except for blender-2.43-r3 (when it's stable), and >=2.48a-r2 ?
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-11-09 12:54:43 UTC
Arches, please test and mark stable:
Target keywords : "ppc ppc64 x86"
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2008-11-12 18:16:39 UTC
ppc64 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-11-15 11:48:45 UTC
x86 stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-15 17:48:16 UTC
ppc stable
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-11-26 22:17:41 UTC
time for glsa decision, voting yes.
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-30 19:04:10 UTC
YES too, request filed.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-13 22:15:53 UTC
GLSA 201001-07, thanks everyone.