This is related to bug #312593. I am posting an updated exploit generation manual here, as loading an exploit generated for Blender 2.49b may otherwise give the wrong impression that Blender 2.57 is safe from this attack.

- Start Blender 2.57
- Open pane "Text Editor"
- Press "+ New"
- Insert the text

    import os
    os.system("notify-send 'Hello from CVE-2009-3850, blender 2.57'")

- Push "Run Script" to confirm that our popup message is shown.
- Enter "foo.py" for field "Unique datablock ID name" (normally showing "Text" before)
- Check checkbox "Register"
- Save file as "CVE-2009-3850-blender-2.57.blend" or something.
- Open the file you just saved --> Code is executed
I guess we could patch blender to have the code execution option default disabled (now there is an option to regulate it)
(In reply to comment #1)
> I guess we could patch blender to have the code execution option default
> disabled (now there is an option to regulate it)

Please see <https://bugs.gentoo.org/show_bug.cgi?id=293130#c5> for details on why that alone wouldn't help with 2.49b, and probably not with 2.57 either.
Created attachment 271021 [details, diff]
Proposed patch for CVE-2009-3850 against Blender 2.57 (v1)

The attached patch disables execution of embedded Python code unless you run Blender with parameter --enable-autoexec (or one of its aliases -y and -666). When run with --enable-autoexec the user can still disable script execution by unchecking "Auto Run Python Scripts" in tab "System" on panel "User preferences".

To summarize the patch:
- Safe operation by default
- Unsafe operation possible through --enable-autoexec|-y|-666
- Effect of --disable-autoexec is hard, effect of --enable-autoexec is soft
- Compatible behavior to the patch for Blender 2.49b (bug #293130)
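An added example, not from this bug thread or from the Gentoo patch: a defender-side heuristic that flags .blend files combining the two ingredients of the reproduction steps above, a text datablock named *.py (the "Register" case) and Python that reaches the operating system. It assumes datablock ID names are stored in the file as NUL-terminated strings carrying the two-letter "TX" type prefix (e.g. "TXfoo.py"), and it also handles saves made with Blender's "Compress" option (gzip).

```python
import gzip
import re

# Constructed indicator list: strings suggesting the embedded text reaches the
# operating system rather than only the Blender API.
PY_INDICATORS = (b"import os", b"os.system", b"import subprocess",
                 b"__import__", b"exec(", b"eval(")

# Assumption: text datablock ID names are stored as NUL-terminated strings with
# the two-letter "TX" ID-type prefix (e.g. b"TXfoo.py").
REGISTERED_PY = re.compile(rb"TX([\x20-\x7e]{1,62}\.py)\x00")


def load_blend(data: bytes) -> bytes:
    """Return the raw .blend bytes, gunzipping a save made with 'Compress'."""
    if data[:2] == b"\x1f\x8b":          # gzip magic
        data = gzip.decompress(data)
    if not data.startswith(b"BLENDER"):  # every uncompressed .blend starts this way
        raise ValueError("not a .blend file (missing BLENDER magic)")
    return data


def scan_blend(data: bytes) -> dict:
    """Flag a .blend that carries a *.py text datablock plus OS-level Python calls."""
    raw = load_blend(data)
    script_names = [m.group(1).decode("ascii") for m in REGISTERED_PY.finditer(raw)]
    indicators = sorted(i.decode("ascii") for i in PY_INDICATORS if i in raw)
    return {
        "script_names": script_names,   # .py datablocks Blender may auto-run on load
        "indicators": indicators,       # OS-reaching Python seen anywhere in the file
        "suspicious": bool(script_names) and bool(indicators),
    }


# Constructed samples standing in for real saves: only the strings the scanner
# inspects are realistic, the surrounding bytes are filler.
SAMPLE_MALICIOUS = (b"BLENDER-v257" + b"\x00" * 8 + b"TXfoo.py\x00"
                    + b"import os\nos.system('notify-send hi')\n\x00")
SAMPLE_CLEAN = (b"BLENDER-v257" + b"\x00" * 8 + b"TXText\x00"
                + b"import bpy\nbpy.data.objects\n\x00")
SAMPLE_COMPRESSED = gzip.compress(SAMPLE_MALICIOUS)

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("clean", SAMPLE_CLEAN)):
        print(name, scan_blend(sample))
```

A hit from this scanner is a review trigger, not proof of malice: the same combination appears in legitimate add-on files, which is exactly why the patch above makes auto-execution opt-in rather than trying to tell the two apart.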
Patch integrated with just-committed Blender 2.57 ebuild.
Created attachment 273671 [details, diff] Diff between v1 and v2
Created attachment 273673 [details, diff]
Proposed patch for CVE-2009-3850 against Blender 2.57 (v2)

This patch adds the following to v1:
- Restricts the "Trusted Source" checkbox to --enable-autoexec mode
- Disables checkboxes "Trusted Source" and "Auto Run Python Scripts" visually
+*blender-2.57-r1 (17 May 2011) + + 17 May 2011; Sebastian Pipping <sping@gentoo.org> +blender-2.57-r1.ebuild, + +files/blender-2.57-CVE-2009-3850-v2.patch: + Update patch for CVE-2009-3850 to v2 +
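Review bot: the entry "Update patch for CVE-2009-3850 to v2" records only that the patch was bumped; since the ChangeLog is what users of the ebuild will read, it should state in one line what v2 changes, namely that the "Trusted Source" checkbox is now restricted to --enable-autoexec mode and that both checkboxes are disabled visually otherwise, as given in the v2 attachment description.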
@security: blender is now package.masked and older versions have been removed. Your call what you want to do from here.
This appears to be no longer relevant as 2.57 is no longer in tree. Closing.