Your message dated Wed, 17 Dec 2008 21:02:50 +0000
with message-id <e1ld3xe-0006ev...@ries.debian.org>
and subject line Bug#503632: fixed in blender 2.42a-8
has caused the Debian Bug report #503632,
regarding blender: Python scripts load modules from current directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
503632: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503632
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: blender
Version: 2.46+dfsg-4
Severity: grave
Tags: security
Justification: user security hole
Usertags: pythonpath

Blender's BPY_interface calls PySys_SetArgv such that Python prepends
sys.path with an empty string.  This allows the possibility to run
arbitrary code on the user's system if there is a python file in
Blender's working directory named the same as one that Blender's python
scripts try to import.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages blender depends on:
ii  gettext [libgettextpo0 0.17-4            GNU Internationalization utilities
pn  libalut0               <none>            (no description available)
pn  libavcodec51 | libavco <none>            (no description available)
pn  libavformat52 | libavf <none>            (no description available)
pn  libavutil49 | libavuti <none>            (no description available)
ii  libc6                  2.7-15            GNU C Library: Shared libraries
pn  libdc1394-22           <none>            (no description available)
ii  libfreetype6           2.3.7-2           FreeType 2 font engine, shared lib
pn  libftgl2               <none>            (no description available)
ii  libgcc1                1:4.3.2-1         GCC support library
ii  libgl1-mesa-glx [libgl 7.0.3-6           A free implementation of the OpenG
ii  libglu1-mesa [libglu1] 7.0.3-6           The OpenGL utility library (GLU)
pn  libgsm1                <none>            (no description available)
ii  libilmbase6            1.0.1-2+nmu2      several utility libraries from ILM
ii  libjpeg62              6b-14             The Independent JPEG Group's JPEG 
ii  libogg0                1.1.3-4           Ogg Bitstream Library
pn  libopenal1             <none>            (no description available)
ii  libopenexr6            1.6.1-3           runtime files for the OpenEXR imag
ii  libpng12-0             1.2.27-2          PNG library - runtime
ii  libraw1394-8           1.3.0-4           library for direct access to IEEE 
pn  libsdl1.2debian        <none>            (no description available)
ii  libstdc++6             4.3.2-1           The GNU Standard C++ Library v3
pn  libswscale0 | libswsca <none>            (no description available)
ii  libtheora0             1.0~beta3-1       The Theora Video Compression Codec
ii  libvorbis0a            1.2.0.dfsg-3.1    The Vorbis General Audio Compressi
ii  libvorbisenc2          1.2.0.dfsg-3.1    The Vorbis General Audio Compressi
ii  libx11-6               2:1.1.5-2         X11 client-side library
ii  libxi6                 2:1.1.3-1         X11 Input extension library
ii  python                 2.5.2-2           An interactive high-level object-o
ii  python-support         0.8.6             automated rebuilding support for P
ii  python2.5              2.5.2-11.1        An interactive high-level object-o
ii  ttf-dejavu             2.25-3            Metapackage to pull in ttf-dejavu-
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

blender recommends no packages.

Versions of packages blender suggests:
ii  libtiff4                      3.8.2-11   Tag Image File Format (TIFF) libra
pn  yafray                        <none>     (no description available)



--- End Message ---
--- Begin Message ---
Source: blender
Source-Version: 2.42a-8

We believe that the bug you reported is fixed in the latest version of
blender, which is due to be installed in the Debian FTP archive:

blender_2.42a-8.diff.gz
  to pool/main/b/blender/blender_2.42a-8.diff.gz
blender_2.42a-8.dsc
  to pool/main/b/blender/blender_2.42a-8.dsc
blender_2.42a-8_amd64.deb
  to pool/main/b/blender/blender_2.42a-8_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 503...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cyril Brulebois <k...@debian.org> (supplier of updated blender package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.7
Date: Sat, 29 Nov 2008 18:48:10 +0100
Source: blender
Binary: blender
Architecture: source amd64
Version: 2.42a-8
Distribution: stable
Urgency: low
Maintainer: Cyril Brulebois <k...@debian.org>
Changed-By: Cyril Brulebois <k...@debian.org>
Description: 
 blender    - Very fast and versatile 3D modeller/renderer
Closes: 503632
Changes: 
 blender (2.42a-8) stable; urgency=low
 .
   * Include patch by James Vega (thanks!) to fix security bug: Blender's
     BPY_interface was calling PySys_SetArgv so that sys.path was prepended
     with an empty string, resulting in possible arbitrary code execution,
     when the working directory contains a file named like one that
     Blender's python scripts try to import (Closes: #503632). That patch
     removes empty elements from sys.path:
      - debian/patches/01_sanitize_sys.path
     This is CVE-2008-4863.
   * Acknowledge previous NMU by the security team, thanks Devin Carraway.
   * Update Maintainer/Uploaders.
Files: 
 83034e610697736933ab5bbb1515741c 883 graphics optional blender_2.42a-8.dsc
 c1bc77923cc3c6712adb3b43a1e7d6cf 30192 graphics optional blender_2.42a-8.diff.gz
 26b71cf18193f2fb3169b4983c76064a 6373114 graphics optional blender_2.42a-8_amd64.deb




--- End Message ---
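The mechanism behind the report and the changelog above, as an added illustration that is not part of the bug report or of the Debian patch: PySys_SetArgv prepends the directory of argv[0] to sys.path, which is the empty string when argv[0] has no directory component, and Python resolves "" against the working directory. The sample sys.path, directory listings and module name below are constructed; the sanitizer mirrors what the changelog says the patch does (drop empty entries), while the audit helper goes a little further and flags any relative entry that resolves to the working directory.

```python
import os

# Constructed sample of what a process sees after PySys_SetArgv("blender"):
# Python 2 prepends dirname(argv[0]), which is "" when argv[0] has no slash.
SAMPLE_SYS_PATH = ["", "/usr/lib/python2.5", "/usr/lib/python2.5/site-packages",
                   "/usr/share/blender/scripts"]

# Constructed directory listings standing in for the filesystem (dir -> files).
# The module name is made up; a real shadowed name would be one the scripts import.
SAMPLE_FS = {
    "/home/user/projects": {"export_helpers.py", "scene.blend"},    # working directory
    "/usr/share/blender/scripts": {"export_helpers.py", "export_obj.py"},
}


def working_dir_entries(path, cwd):
    """Indices of sys.path entries that resolve to the working directory.

    "" behaves like "." and any relative entry is resolved against cwd, so each
    hit is a place where a file dropped into cwd would be imported first.
    """
    cwd = os.path.normpath(cwd)
    return [i for i, entry in enumerate(path)
            if os.path.normpath(os.path.join(cwd, entry)) == cwd]


def sanitize_sys_path(path):
    """What the Debian patch does: remove empty elements from sys.path."""
    return [entry for entry in path if entry]


def resolve_module(module, path, cwd, fs):
    """Model of import resolution: the first path entry holding <module>.py wins."""
    filename = module + ".py"
    for entry in path:
        directory = os.path.normpath(os.path.join(cwd, entry))
        if filename in fs.get(directory, set()):
            return os.path.join(directory, filename)
    return None


if __name__ == "__main__":
    cwd = "/home/user/projects"
    print("risky entries:", working_dir_entries(SAMPLE_SYS_PATH, cwd))
    print("before fix:", resolve_module("export_helpers", SAMPLE_SYS_PATH, cwd, SAMPLE_FS))
    fixed = sanitize_sys_path(SAMPLE_SYS_PATH)
    print("after fix: ", resolve_module("export_helpers", fixed, cwd, SAMPLE_FS))
```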