Bug 7065

Summary:	blender missing update for security issue CVE-2009-3850
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:
Severity:	normal
Priority:	Normal	CC:	sysadmin-bugs, tmb
Version:	1	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/451501/
Whiteboard:	MGA1-64-OK, MGA1-32-OK
Source RPM:	blender-2.49b-11.3.mga1.src.rpm	CVE:
Status comment:

Description David Walser 2012-08-14 23:52:15 CEST

Fedora has issued an advisory on June 21, 2011:
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062616.html

They have a patch (from Gentoo) here:
http://pkgs.fedoraproject.org/cgit/blender.git/plain/blender-2.49b-CVE-2009-3850-v4.patch?h=f15&id=c809a85d807e3eb15ecc0ea487e6893278405470

Comment 1 David Walser 2012-10-28 06:25:50 CET

Patched package uploaded for Mageia 1.

Advisory:
========================

Updated blender package fixes security vulnerability:

Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute
arbitrary code via a .blend file that contains Python statements in the
onLoad action of a ScriptLink SDNA (CVE-2009-3850).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3850
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062616.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
blender-2.49b-11.4.mga1

from blender-2.49b-11.4.mga1.src.rpm

Assignee: fundawang => qa-bugs

Comment 2 David Walser 2012-10-28 06:42:44 CET

Correction: we're only shipping the core (not tainted) blender package.

Advisory:
========================

Updated blender package fixes security vulnerability:

Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute
arbitrary code via a .blend file that contains Python statements in the
onLoad action of a ScriptLink SDNA (CVE-2009-3850).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3850
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062616.html
========================

Updated packages in core/updates_testing:
========================
blender-2.49b-11.4.mga1

from blender-2.49b-11.4.mga1.src.rpm

Comment 3 claire robinson 2012-10-29 19:28:06 CET

Possible PoC: http://www.coresecurity.com/content/blender-scripting-injection

Comment 4 Marc Lattemann 2012-10-30 23:02:45 CET

tested successfully on mga1 x86_64 using PoC from Comment 3:

inserting
      import os
      os.system("/usr/bin/lxterminal")
as described opens a new terminal directly after loading .bend file

after update nothing happens anymore.
Will repeat it with i586 shortly.

CC: (none) => marc.lattemann
Whiteboard: (none) => MGA1-64-OK

Comment 5 Marc Lattemann 2012-10-30 23:20:41 CET

same test performed on mga1 i586 with same results.

validate updates.

Advisory:
========================

Updated blender package fixes security vulnerability:

Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute
arbitrary code via a .blend file that contains Python statements in the
onLoad action of a ScriptLink SDNA (CVE-2009-3850).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3850
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062616.html
========================

Updated packages in core/updates_testing:
========================
blender-2.49b-11.4.mga1

from blender-2.49b-11.4.mga1.src.rpm

Could someone from the sysadmins push it to Updates? Thanks.

Keywords: (none) => validated_update
CC: marc.lattemann => sysadmin-bugs
Whiteboard: MGA1-64-OK => MGA1-64-OK, MGA1-32-OK

Comment 6 Thomas Backlund 2012-10-30 23:56:46 CET

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0319

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED