Nico Golde <[EMAIL PROTECTED]> (24/11/2008):
> CVE-2008-4863[0]:
> | Untrusted search path vulnerability in BPY_interface in Blender 2.46
> | allows local users to execute arbitrary code via a Trojan horse Python
> | file in the current working directory, related to an erroneous setting
> | of sys.path by the PySys_SetArgv function.
>
> However it would be nice if this could get fixed via a regular point
> update[1].
> Please contact the release team for this.
Hello Stable Release Managers,

please let me know if the following diff (against 2.42a-7.1+etch1) seems acceptable to you.

Mraw,
KiBi.
diff -u blender-2.42a/debian/changelog blender-2.42a/debian/changelog --- blender-2.42a/debian/changelog +++ blender-2.42a/debian/changelog @@ -1,3 +1,18 @@ +blender (2.42a-8) stable; urgency=low + + * Include patch by James Vega (thanks!) to fix security bug: Blender's + BPY_interface was calling PySys_SetArgv so that sys.path was prepended + with an empty string, resulting in possible arbitrary code execution, + when the working directory contains a file named like one that + Blender's python scripts try to import (Closes: #503632). That patch + removes empty elements from sys.path: + - debian/patches/01_sanitize_sys.path + This is CVE-2008-4863. + * Acknowledge previous NMU by the security team, thanks Devin Carraway. + * Update Maintainer/Uploaders. + + -- Cyril Brulebois <[EMAIL PROTECTED]> Sat, 29 Nov 2008 18:48:10 +0100 + blender (2.42a-7.1+etch1) stable-security; urgency=high * Non-maintainer upload by the security team diff -u blender-2.42a/debian/control blender-2.42a/debian/control --- blender-2.42a/debian/control +++ blender-2.42a/debian/control @@ -1,8 +1,7 @@ Source: blender Section: graphics Priority: optional -Maintainer: Debian Blender Maintainers <[EMAIL PROTECTED]> -Uploaders: Masayuki Hatta (mhatta) <[EMAIL PROTECTED]>, Florian Ernst <[EMAIL PROTECTED]>, Wouter van Heyst <[EMAIL PROTECTED]>, Cyril Brulebois <[EMAIL PROTECTED]> +Maintainer: Cyril Brulebois <[EMAIL PROTECTED]> Build-Depends: debhelper (>= 5.0.37.2), dpatch, ftgl-dev (>= 2.0.9-1), gettext (>= 0.14.1), libgettextpo-dev, libglut-dev, libjpeg-dev, libpng-dev, libsdl-dev, libz-dev, python2.4-dev, python-central (>= 0.4.17), scons, libtiff4-dev, libopenexr-dev, libavformat-dev, libxi-dev, autotools-dev, pkg-config, g++-3.3 [mips mipsel] XS-Python-Version: 2.4 Standards-Version: 3.7.2 diff -u blender-2.42a/debian/patches/00list blender-2.42a/debian/patches/00list --- blender-2.42a/debian/patches/00list +++ blender-2.42a/debian/patches/00list 
@@ -1,3 +1,4 @@ +01_sanitize_sys.path 02_tmp_in_HOME 04_de_po_fix 10_gnukfreebsd_support only in patch2: unchanged: --- blender-2.42a.orig/debian/patches/01_sanitize_sys.path +++ blender-2.42a/debian/patches/01_sanitize_sys.path @@ -0,0 +1,20 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## debian/patches/01_sanitize_sys.path by James Vega <[EMAIL PROTECTED]> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No longer load modules from current directory in Python scripts. +## DP: CVE-2008-4863, Debian bug #503632 +@@DPATCH@@ +--- a/source/blender/python/BPY_interface.c ++++ b/source/blender/python/BPY_interface.c +@@ -225,6 +225,10 @@ + //Start the interpreter + Py_Initialize( ); + PySys_SetArgv( argc_copy, argv_copy ); ++ /* Sanitize sys.path to prevent relative imports loading modules in ++ * the current working directory ++ */ ++ PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)"); + + /* Initialize thread support (also acquires lock) */ + PyEval_InitThreads();
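Review bot: in the debian/changelog hunk the new entry is versioned 2.42a-8 and targets `stable`, while the entry it builds on is 2.42a-7.1+etch1 from stable-security; a stable update normally keeps the +etchN suffix scheme (e.g. continuing from +etch1), so it is worth confirming the intended version with the release team before upload. The entry also documents the control change ("Update Maintainer/Uploaders"), which is unrelated to the CVE and is the kind of extra change stable updates usually leave out.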
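Review bot: the debian/control hunk replaces the Maintainer field and drops the Uploaders line entirely, a packaging-metadata change with no bearing on CVE-2008-4863. For a stable update the diff should normally be limited to the security fix (the 01_sanitize_sys.path patch and its 00list entry); consider leaving Maintainer/Uploaders as in 2.42a-7.1+etch1, or at least call the change out explicitly in the request so the release managers can accept or reject it on its own.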
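Review bot: in the 01_sanitize_sys.path hunk the return value of `PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)")` is not checked, so if that statement ever fails the interpreter silently keeps the unsanitized sys.path; testing for -1 and at least logging a warning would make the fix fail loudly. The statement also relies on Python 2 semantics, where filter() over a list returns a list (fine with the python2.4-dev build-dependency, but under Python 3 sys.path would become a filter object and every import would break); `sys.path = [p for p in sys.path if p]` behaves the same on both and is clearer. Finally, the `## DP:` description could state the scope precisely: the sanitization runs once, right after PySys_SetArgv, and removes only the empty-string entry that call prepends, not other relative entries a script may add later.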