Bug 13960 - blender new security issue CVE-2014-4607
Summary: blender new security issue CVE-2014-4607
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/604237/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks: 13943
  Show dependency treegraph
Reported: 2014-08-20 23:17 CEST by David Walser
Modified: 2014-09-01 12:44 CEST (History)
4 users (show)

See Also:
Source RPM: blender-2.69-1.mga4.src.rpm
Status comment:


Description David Walser 2014-08-20 23:17:30 CEST
blender bundles minilzo, which is affected by the CVE-2014-4607 issue from the LZO library.

Patched packages uploaded for Mageia 3 and Mageia 4.

The package currently doesn't build in Cauldron and will be addressed later.


Updated blender package fixes security vulnerability:

An integer overflow in liblzo before 2.07 allows attackers to cause a denial
of service or possibly code execution in applications using performing LZO
decompression on a compressed payload from the attacker (CVE-2014-4607).

The blender package is built with a bundled copy of minilzo, which is a
part of liblzo containing the vulnerable code.


Updated packages in core/updates_testing:

from SRPMS:


Steps to Reproduce:
David Walser 2014-08-20 23:17:38 CEST

Blocks: (none) => 13943
Whiteboard: (none) => MGA3TOO

Comment 1 William Kenney 2014-08-21 19:18:35 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:

As much as I have used OpenShot I've never really used
the Blender ( New Animated Title ) feature. Blender is
installed along with OpenShot.

[root@localhost wilcal]# urpmi blender
Package blender-2.65a-5.mga3.i586 is already installed
[root@localhost wilcal]# urpmi openshot
Package openshot-1.4.3-2.mga3.noarch is already installed

Test a simple animated title per:


OpenShot -> Title -> New Animated Title
select any Template and a popup error window appears as follows:

Blender, the free open source 3D content creation suite is
required for this action (http://www.blender.org).

Please check the preferences in OpenShot and be sure the
Blender executable is correct.  This setting should be the
path of the 'blender' executable on your computer.  Also,
please be sure that it is pointing to Blender version 2.62 or

Blender Path:

end error window. Kinda no matter what you do the error
window appears. Executing "blender" from a terminal results in:
[wilcal@localhost ~]$ blender
libGL error: failed to load driver: vboxvideo
libGL error: Try again with LIBGL_DEBUG=verbose for more details.
/usr/bin/blender: line 9:  5075 Segmentation fault      /usr/bin/blender.sse "$@"

so maybe there's an error here? Anybody use the blender feature of OpenShot?

CC: (none) => wilcal.int

Comment 2 Lewis Smith 2014-08-24 20:45:43 CEST

I will try playing with Blender - at the crudest possible level. It is not easy to drive, but there is a lot of documentation for it on-line; & I have its manual (1,876 pages!). I do not see why OpenShot should be involved.

CC: (none) => lewyssmith

Comment 3 claire robinson 2014-08-24 23:38:54 CEST
Openshot is not strictly relevant to this update. Openshot is able to make use of blender to create a 3D title sequence when editing video. As such it could be used to verify blender backend is working OK. It may be a better test to perform some basic tasks in blender itself to verify the frontend. One of each test would be better still. Up to you.
Comment 4 William Kenney 2014-08-24 23:45:47 CEST
(In reply to claire robinson from comment #3)

> Openshot is not strictly relevant to this update......

Blender is an incredibly complex application and used universally
in lots of Video editing platforms. It's really not meant to
be used as a standalone app. As I said in comment #1 even though
I've used Openshot a lot I've never used the Blender feature.
That's a 3D title creation feature. For some reason when Openshot
attempts to use Blender it seg faults and that ain't good.
What I'm probably gonna do is write a Bug against Cauldron on this.
Should be fixed before M5 is released. FWIW the 3D title creation
process in Openshot is quite easy to use, when it used to work.
Comment 5 André DESMOTTES 2014-08-25 09:44:33 CEST

I tested blender blender-2.69-1.1.mga4.x86_64.rpm and didn't find any regression

CC: (none) => lebarhon
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

Comment 6 William Kenney 2014-08-25 17:26:02 CEST
(In reply to André DESMOTTES from comment #5)

> I tested blender blender-2.69-1.1.mga4.x86_64.rpm and didn't find any
> regression

Thank you André. Could you share with us how you tested blender.
That so we can duplicate that on the other versions of Mageia.
Comment 7 claire robinson 2014-08-25 19:25:48 CEST
There are lots of beginners tutorials on youtube Bill which is a good place to start. Don't go into too much depth, just ensure it basically works ok and can save/load files etc.
Comment 8 André DESMOTTES 2014-08-25 19:58:46 CEST
First, I am not a skilled blender user
M4 64 bits
I downloaded some blender files (2) from Internet and opened them in Blender, but couldn't modify them because there was a lock I didn't find. Then I played for more than an hour with the boolean modifier, save the files and re-open them.

M4 32 bits, in a virtual box.
I am just stopping. I downloaded a blender file from Internet with no protection, I could modify it and save it. I also played with some volumes, saved the files and re-open them.
that's all
André DESMOTTES 2014-08-25 19:59:15 CEST

Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK

Comment 9 Lewis Smith 2014-08-25 21:37:55 CEST
Confirming Comment 9 for MGA4 x64

I started a simple model with the release Blender, saved it, update Blender from Updates Testing to:
then re-loaded it with the previous model. Fiddled a bit with that, then from Render -> Render Image menu, F3, saved the rendered model as JPEG, PNG, TIF image files - all involving compression. The 3 images displayed correctly & identically. So I second MGA4-64-OK .
Comment 10 claire robinson 2014-08-31 08:59:43 CEST
Testing complete mga3 32, just basic use of blender on real hw.

Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK MGA4-32-OK

Comment 11 claire robinson 2014-08-31 09:04:23 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates


Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure advisory mga3-32-ok MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2014-09-01 12:44:45 CEST
An update for this issue has been pushed to Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.