CVE-2022-0544 (https://developer.blender.org/T94661):

An integer underflow in the DDS loader of Blender leads to an out-of-bounds read, possibly allowing an attacker to read sensitive data using a crafted DDS image file. This flaw affects Blender versions prior to 2.83.19, 2.93.8 and 3.1.

CVE-2022-0545 (https://developer.blender.org/T94629):

An integer overflow in the processing of loaded 2D images leads to a write-what-where vulnerability and an out-of-bounds read vulnerability, allowing an attacker to leak sensitive information or achieve code execution in the context of the Blender process when a specially crafted image file is loaded. This flaw affects Blender versions prior to 2.83.19, 2.93.8 and 3.1.

CVE-2022-0546 (https://developer.blender.org/T94572):

A missing bounds check in the image loader used in Blender 3.x and 2.93.8 leads to out-of-bounds heap access, allowing an attacker to cause denial of service, memory corruption or potentially code execution.

Not sure about exact fixed versions.
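The three advisories above describe two arithmetic bug classes in image-header handling: an unsigned subtraction that wraps when a file-controlled header length exceeds the file size (integer underflow), and a width*height*bytes-per-pixel product that wraps in 32 bits (integer overflow), either of which leaves a later read or copy bounded by a wrong size. The following is an added illustration of those two patterns and their checked form; it is constructed for this page and is not Blender's DDS or image loader code. The 16-byte header layout, the magic value, the `toy_*` names and the status codes are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parser status codes (assumed names for this example). */
enum toy_status { TOY_OK = 0, TOY_TRUNCATED, TOY_BAD_MAGIC, TOY_BAD_HEADER, TOY_OVERFLOW };

/* Constructed 16-byte little-endian header: magic, declared header length,
 * width, height, followed by 4 bytes per pixel. The layout is an assumption
 * made for this example; it is not Blender's DDS format handling. */
#define TOY_HDR_LEN 16u
#define TOY_MAGIC   0x20534444u   /* "DDS " read as a little-endian u32 */

struct toy_image {
    uint32_t width, height;
    const uint8_t *pixels;   /* points into the caller's buffer, no copy */
    size_t pixel_bytes;
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Unchecked pattern 1: payload length from a file-controlled header length.
 * When hdr_len > total the unsigned subtraction wraps (integer underflow),
 * so any read bounded by the result runs past the buffer. */
size_t unchecked_payload_len(size_t total, uint32_t hdr_len)
{
    return total - hdr_len;
}

/* Unchecked pattern 2: width * height * bytes-per-pixel in 32 bits.
 * Large dimensions wrap the product (integer overflow), so a small
 * allocation or check is followed by a much larger copy. */
uint32_t unchecked_pixel_bytes(uint32_t w, uint32_t h)
{
    return w * h * 4u;
}

/* Hardened parse: every file-controlled quantity is validated before it
 * feeds an index, a length or an allocation size. */
enum toy_status parse_toy_checked(const uint8_t *buf, size_t total, struct toy_image *img)
{
    if (total < TOY_HDR_LEN)    return TOY_TRUNCATED;
    if (rd32(buf) != TOY_MAGIC) return TOY_BAD_MAGIC;

    uint32_t hdr_len = rd32(buf + 4);
    uint32_t w = rd32(buf + 8), h = rd32(buf + 12);

    /* Rejecting hdr_len > total is what makes the subtraction below safe. */
    if (hdr_len < TOY_HDR_LEN || hdr_len > total) return TOY_BAD_HEADER;
    size_t avail = total - hdr_len;

    /* 64-bit intermediate: a u32*u32 product always fits, the *4 may not. */
    uint64_t need = (uint64_t)w * (uint64_t)h;
    if (need > UINT64_MAX / 4)  return TOY_OVERFLOW;
    need *= 4;
    if (need > avail)           return TOY_TRUNCATED;   /* declared > present */

    img->width = w; img->height = h;
    img->pixels = buf + hdr_len;
    img->pixel_bytes = (size_t)need;   /* need <= avail <= SIZE_MAX, cast is safe */
    return TOY_OK;
}

/* Builds a constructed file with the given header fields and pixel_bytes
 * bytes of zero pixel data, parses it with the checked parser, and reports
 * the status (and the accepted pixel byte count, if requested). */
enum toy_status toy_case(uint32_t hdr_len, uint32_t w, uint32_t h,
                         size_t pixel_bytes, size_t *out_pixel_bytes)
{
    uint8_t buf[64];
    struct toy_image img = {0};
    if (pixel_bytes > sizeof buf - TOY_HDR_LEN) pixel_bytes = sizeof buf - TOY_HDR_LEN;
    memset(buf, 0, sizeof buf);
    put32(buf, TOY_MAGIC); put32(buf + 4, hdr_len); put32(buf + 8, w); put32(buf + 12, h);
    enum toy_status st = parse_toy_checked(buf, TOY_HDR_LEN + pixel_bytes, &img);
    if (out_pixel_bytes) *out_pixel_bytes = img.pixel_bytes;
    return st;
}

int main(void)
{
    size_t n = 0;
    printf("unchecked 32 - 40          = %zu (wrapped)\n", unchecked_payload_len(32, 40));
    printf("unchecked 65536*65536*4    = %u (wrapped)\n", unchecked_pixel_bytes(0x10000u, 0x10000u));
    printf("checked 2x2, 16 px bytes   = %d\n", toy_case(16, 2, 2, 16, &n));
    printf("checked hdr_len 40 of 32   = %d\n", toy_case(40, 2, 2, 16, NULL));
    printf("checked 65536x65536        = %d\n", toy_case(16, 0x10000u, 0x10000u, 16, NULL));
    printf("checked 0xffffffff squared = %d\n", toy_case(16, 0xffffffffu, 0xffffffffu, 16, NULL));
    return 0;
}
```

The two unchecked helpers show the wrapped values a loader would act on: 32 - 40 becomes a length near SIZE_MAX, and 65536 x 65536 x 4 becomes 0, so a check against the buffer passes while the actual pixel count is 2^34 bytes. The checked parser rejects the header length before subtracting, does the dimension product in 64 bits with an explicit cap, and compares the declared size against the bytes actually present; the ordering of those checks is the point, since each later computation is only safe because of the earlier one.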
The fix for CVE-2022-0546 is in the 2.93.9 LTS and Blender 3.1 release. (Not released yet)
Latest version in tree is 3.1.2 (3.2.0 available upstream). Some vulnerable versions remain in tree (even stable). Thus I suggest [cleanup].
I'm fine with removal of older versions.
(In reply to John Helmert III from comment #0)
> CVE-2022-0544 (https://developer.blender.org/T94661):
>
> An integer underflow in the DDS loader of Blender leads to an out-of-bounds
> read, possibly allowing an attacker to read sensitive data using a crafted
> DDS image file. This flaw affects Blender versions prior to 2.83.19, 2.93.8
> and 3.1.
>
> CVE-2022-0545 (https://developer.blender.org/T94629):
>
> An integer overflow in the processing of loaded 2D images leads to a
> write-what-where vulnerability and an out-of-bounds read vulnerability,
> allowing an attacker to leak sensitive information or achieve code execution
> in the context of the Blender process when a specially crafted image file is
> loaded. This flaw affects Blender versions prior to 2.83.19, 2.93.8 and 3.1.

These two are fixed in 2.93.8

> CVE-2022-0546 (https://developer.blender.org/T94572):
>
> A missing bounds check in the image loader used in Blender 3.x and 2.93.8
> leads to out-of-bounds heap access, allowing an attacker to cause denial of
> service, memory corruption or potentially code execution.

Doesn't actually look like this got a backport to 2.93.

> Not sure about exact fixed versions.
(In reply to John Helmert III from comment #4)
> (In reply to John Helmert III from comment #0)
> > CVE-2022-0544 (https://developer.blender.org/T94661):
> >
> > An integer underflow in the DDS loader of Blender leads to an out-of-bounds
> > read, possibly allowing an attacker to read sensitive data using a crafted
> > DDS image file. This flaw affects Blender versions prior to 2.83.19, 2.93.8
> > and 3.1.
> >
> > CVE-2022-0545 (https://developer.blender.org/T94629):
> >
> > An integer overflow in the processing of loaded 2D images leads to a
> > write-what-where vulnerability and an out-of-bounds read vulnerability,
> > allowing an attacker to leak sensitive information or achieve code execution
> > in the context of the Blender process when a specially crafted image file is
> > loaded. This flaw affects Blender versions prior to 2.83.19, 2.93.8 and 3.1.
>
> These two are fixed in 2.93.8
>
> > CVE-2022-0546 (https://developer.blender.org/T94572):
> >
> > A missing bounds check in the image loader used in Blender 3.x and 2.93.8
> > leads to out-of-bounds heap access, allowing an attacker to cause denial of
> > service, memory corruption or potentially code execution.
>
> Doesn't actually look like this got a backport to 2.93.

Ah, it did: 2.93.9. And they're all fixed in 3.1.0, so we need <2.93.9 and 3.0.x cleaned up.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=88e49ad9b40227d5d5d9c656dfd054873d704933

commit 88e49ad9b40227d5d5d9c656dfd054873d704933
Author:     Federico Denkena <federico.denkena@posteo.de>
AuthorDate: 2022-06-17 16:22:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-06-20 03:05:57 +0000

    media-gfx/blender: Remove old versions

    Bug: https://bugs.gentoo.org/834011
    Signed-off-by: Federico Denkena <federico.denkena@posteo.de>
    Closes: https://github.com/gentoo/gentoo/pull/25914
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/blender/Manifest                 |   8 -
 media-gfx/blender/blender-2.93.0-r1.ebuild | 390 --------------------------
 media-gfx/blender/blender-2.93.6.ebuild    | 386 --------------------------
 media-gfx/blender/blender-2.93.8-r4.ebuild | 402 ----------------------------
 media-gfx/blender/blender-2.93.8-r5.ebuild | 405 ----------------------------
 media-gfx/blender/blender-3.0.0-r1.ebuild  | 407 ----------------------------
 media-gfx/blender/blender-3.0.1-r4.ebuild  | 410 -----------------------------
 media-gfx/blender/blender-3.0.1-r5.ebuild  | 408 ----------------------------
 media-gfx/blender/blender-3.1.0.ebuild     | 404 ----------------------------
 media-gfx/blender/blender-3.1.1.ebuild     | 404 ----------------------------
 media-gfx/blender/metadata.xml             |   9 -
 11 files changed, 3633 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=ea8d63e6677d01e53bccced37bdd7c09191f6882

commit ea8d63e6677d01e53bccced37bdd7c09191f6882
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-03-03 10:35:38 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-03-03 10:36:00 +0000

    [ GLSA 202403-02 ] Blender: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/834011
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202403-02.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)