Bug 364291 - <media-gfx/blender-2.57-r1 arbitrary code exec (sort of CVE-2009-3850)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.coresecurity.com/content/b...
Whiteboard:
Keywords: Inclusion
Depends on:
Blocks:
 
Reported: 2011-04-20 22:03 UTC by Sebastian Pipping
Modified: 2013-06-30 12:58 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Proposed patch for CVE-2009-3850 against Blender 2.57 (v1) (blender-2.57-CVE-2009-3850-v1.patch,4.78 KB, patch)
2011-04-24 16:50 UTC, Sebastian Pipping
Diff between v1 and v2 (v1-to-v2.diff,4.71 KB, patch)
2011-05-17 15:36 UTC, Sebastian Pipping
Proposed patch for CVE-2009-3850 against Blender 2.57 (v2) (blender-2.57-CVE-2009-3850-v2.patch,8.24 KB, patch)
2011-05-17 15:44 UTC, Sebastian Pipping

Description Sebastian Pipping gentoo-dev 2011-04-20 22:03:07 UTC
This is related to bug #312593.

I am posting an updated exploit generation manual here, as loading an exploit generated for Blender 2.49b may otherwise give the wrong impression that Blender 2.57 is safe from this attack.

 - Start Blender 2.57

 - Open pane "Text Editor"

 - Press "+ New"

 - Insert the text

     import os
     os.system("notify-send 'Hello from CVE-2009-3850, blender 2.57'")

 - Push "Run Script" to confirm that our popup message is shown.

 - Enter "foo.py" for field "Unique datablock ID name"
   (normally showing "Text" before)

 - Check checkbox "Register"

 - Save file as "CVE-2009-3850-blender-2.57.blend" or something.

 - Open the file you just saved

--> Code is executed
Comment 1 Luca Barbato gentoo-dev 2011-04-20 22:13:09 UTC
I guess we could patch blender to have the code execution option default disabled (now there is an option to regulate it)
Comment 2 Sebastian Pipping gentoo-dev 2011-04-20 22:19:00 UTC
(In reply to comment #1)
> I guess we could patch blender to have the code execution option default
> disabled (now there is an option to regulate it)

Please see <https://bugs.gentoo.org/show_bug.cgi?id=293130#c5> for details why that alone wouldn't help with 2.49b, probably not with 2.57 either.
Comment 3 Sebastian Pipping gentoo-dev 2011-04-24 16:50:58 UTC
Created attachment 271021 [details, diff]
Proposed patch for CVE-2009-3850 against Blender 2.57 (v1)

The attached patch disables execution of embedded Python code unless you run Blender with parameter --enable-autoexec (or one of its aliases -y and -666).

When run with --enable-autoexec the user can still disable script execution by unchecking "Auto Run Python Scripts" in tab "System" on panel "User preferences".

To summarize the patch:
- Safe operation by default
- Unsafe operation possible through --enable-autoexec|-y|-666
- Effect of --disable-autoexec is hard, effect of --enable-autoexec is soft
- Compatible behavior to the patch for Blender 2.49b (bug #293130)
Comment 4 Sebastian Pipping gentoo-dev 2011-05-07 00:07:12 UTC
Patch integrated with just-committed Blender 2.57 ebuild.
Comment 5 Sebastian Pipping gentoo-dev 2011-05-17 15:36:14 UTC
Created attachment 273671 [details, diff]
Diff between v1 and v2
Comment 6 Sebastian Pipping gentoo-dev 2011-05-17 15:44:18 UTC
Created attachment 273673 [details, diff]
Proposed patch for CVE-2009-3850 against Blender 2.57 (v2)

This patch adds the following to v1:
- Restricts the "Trusted Source" checkbox to --enable-autoexec mode
- Disables checkboxes "Trusted Source" and "Auto Run Python Scripts" visually
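The gating policy that comments 3 and 6 describe (safe by default, hard --disable-autoexec, soft --enable-autoexec that the "Auto Run Python Scripts" preference and the "Trusted Source" checkbox can still decline) is small enough to model in a few lines. The following is an added illustration, not Blender's code and not the attached patch: the names AutoexecMode, parse_autoexec_mode, UserPrefs, BlendFile and should_autoexec are hypothetical, and the way "Trusted Source" combines with the preference (treated here as a per-file override that only counts in --enable-autoexec mode) is an assumption; the bug only states that the checkbox is restricted to that mode.

```python
"""Model of the autoexec gate described in this bug (added example, not Blender code).

Policy reproduced from the comments:
  - no flag                        -> embedded scripts never run (safe default)
  - --disable-autoexec             -> hard off; nothing can re-enable it
  - --enable-autoexec / -y / -666  -> soft on; the preference and the per-file
                                      "Trusted Source" checkbox may still decline
How "Trusted Source" interacts with the preference is assumed here.
"""
from dataclasses import dataclass
from enum import Enum

# Flag spellings are taken from comment 3.
ENABLE_FLAGS = {"--enable-autoexec", "-y", "-666"}
DISABLE_FLAG = "--disable-autoexec"


class AutoexecMode(Enum):
    DEFAULT_OFF = "default-off"  # no flag given: never execute
    HARD_OFF = "hard-off"        # --disable-autoexec: never execute, wins over all
    SOFT_ON = "soft-on"          # --enable-autoexec: may execute if prefs/file agree


def parse_autoexec_mode(argv):
    """Derive the mode from a command line.

    Disable is 'hard', so it wins regardless of where an enable flag appears.
    """
    mode = AutoexecMode.DEFAULT_OFF
    for arg in argv:
        if arg == DISABLE_FLAG:
            return AutoexecMode.HARD_OFF
        if arg in ENABLE_FLAGS:
            mode = AutoexecMode.SOFT_ON
    return mode


@dataclass
class UserPrefs:
    # "Auto Run Python Scripts" in User Preferences > System
    auto_run_python_scripts: bool = True


@dataclass
class BlendFile:
    path: str
    # True when the file carries a registered Text datablock (a *.py name
    # with the "Register" box checked), as in the steps in the description
    has_registered_scripts: bool
    # per-file "Trusted Source" checkbox (assumed per-file override)
    trusted_source: bool = False


def should_autoexec(mode, prefs, blend):
    """Return True only when every gate agrees embedded scripts may run."""
    if not blend.has_registered_scripts:
        return False                      # nothing to run
    if mode is not AutoexecMode.SOFT_ON:
        return False                      # default-off and hard-off both deny
    # Soft enable: the preference still decides, and "Trusted Source" is only
    # consulted in this mode (comment 6).
    return prefs.auto_run_python_scripts or blend.trusted_source


def decide(argv, prefs, blend):
    """Convenience wrapper: command line + preferences + file -> run or not."""
    return should_autoexec(parse_autoexec_mode(argv), prefs, blend)


if __name__ == "__main__":
    # Constructed scenarios, not real files.
    scripted = BlendFile("constructed-with-script.blend", True)
    trusted = BlendFile("constructed-trusted.blend", True, trusted_source=True)
    cases = [
        ([], UserPrefs(True), scripted),
        (["--enable-autoexec"], UserPrefs(True), scripted),
        (["-y"], UserPrefs(False), scripted),
        (["-y"], UserPrefs(False), trusted),
        (["--enable-autoexec", "--disable-autoexec"], UserPrefs(True), trusted),
    ]
    for argv, prefs, blend in cases:
        print(argv, prefs, blend.path, "->", decide(argv, prefs, blend))
```

The point the model makes is that a file which can run code on open must pass an explicit opt-in from the command line before any in-application setting is even consulted, so a .blend prepared as in the description does nothing on a default launch.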
Comment 7 Sebastian Pipping gentoo-dev 2011-05-17 16:13:05 UTC
+*blender-2.57-r1 (17 May 2011)
+
+  17 May 2011; Sebastian Pipping <sping@gentoo.org> +blender-2.57-r1.ebuild,
+  +files/blender-2.57-CVE-2009-3850-v2.patch:
+  Update patch for CVE-2009-3850 to v2
+
Comment 8 Diego Elio Pettenò (RETIRED) gentoo-dev 2013-02-05 16:12:21 UTC
@security: blender is now package.masked and older versions have been removed. Your call what you want to do from here.
Comment 9 Chris Reffett (RETIRED) gentoo-dev Security 2013-06-30 12:58:17 UTC
This appears to be no longer relevant as 2.57 is no longer in tree. Closing.