Debian has issued an advisory on July 17:
https://www.debian.org/security/2018/dsa-4248

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Hi, I don't see how to fix these security issues and also I don't understand why there are a lot of security issues not reported upstream or not fixed upstream!
CC: (none) => geiger.david68210
It looks like they were fixed upstream and Debian updated stretch from 2.79a to 2.79b to fix these issues. I guess we just need to update Mageia 6 to 2.79b.
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Source RPM: blender-2.79b-4.mga7.src.rpm => blender-2.78c-4.mga6.src.rpm
CC: (none) => marja11
Assignee: bugsquad => geiger.david68210
So fixed for mga6 updating blender to the latest upstream release 2.79b. Also I updated yafaray to update it to the latest maintained and supported upstream release (3.3.0) and to fix the blender addons path.
Advisory:
========================

Updated blender package fixes security vulnerabilities:

Multiple vulnerabilities have been discovered in various parsers of Blender. Malformed .blend model files and malformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may result in the execution of arbitrary code (CVE-2017-2899, CVE-2017-2900, CVE-2017-2901, CVE-2017-2902, CVE-2017-2903, CVE-2017-2904, CVE-2017-2905, CVE-2017-2906, CVE-2017-2907, CVE-2017-2908, CVE-2017-2918, CVE-2017-12081, CVE-2017-12082, CVE-2017-12086, CVE-2017-12099, CVE-2017-12100, CVE-2017-12101, CVE-2017-12102, CVE-2017-12103, CVE-2017-12104, CVE-2017-12105).

Also, the yafaray package has been updated to the latest version, 3.3.0, to fix the blender addons path.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2902
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2903
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2904
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2908
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2918
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12082
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12105
https://www.blender.org/features/2-79/
http://www.yafaray.org/node/817
https://www.debian.org/security/2018/dsa-4248
========================

Updated packages in core/updates_testing:
========================
blender-2.79b-1.1.mga6
yafaray-3.3.0-1.mga6
yafaray-blender-3.3.0-1.mga6

from SRPMS:
blender-2.79b-1.1.mga6.src.rpm
yafaray-3.3.0-1.mga6.src.rpm
Assignee: geiger.david68210 => qa-bugs
Testing on Mageia 6 x86_64. blender 2.79b seems to work fine, but yafaray-blender does not work. Trying to enable it in Blender User Preferences > Render > Render: YafaRay v3 Exporter yields a traceback:

```
Traceback (most recent call last):
  File "/usr/share/blender/2.79/scripts/modules/addon_utils.py", line 331, in enable
    mod = __import__(module_name)
  File "/usr/share/blender/2.79/scripts/addons/yafaray/__init__.py", line 66, in <module>
    from . import io
  File "/usr/share/blender/2.79/scripts/addons/yafaray/io/__init__.py", line 22, in <module>
    from . import yaf_export
  File "/usr/share/blender/2.79/scripts/addons/yafaray/io/yaf_export.py", line 43, in <module>
    from ..ot import yafaray_presets
  File "/usr/share/blender/2.79/scripts/addons/yafaray/ot/__init__.py", line 23, in <module>
    from . import yafaray_presets
  File "/usr/share/blender/2.79/scripts/addons/yafaray/ot/yafaray_presets.py", line 341, in <module>
    class Yafaray_Menu(StructRNA, _GenericUI, metaclass.RNAMeta): # Yafaray's own Preset Menu drawing: search method for files changed
NameError: name 'metaclass' is not defined
```

Investigating.
yafaray-blender was plain broken, I reworked the packaging and made sure that it works with current Blender. Should be fixed in yafaray-3.3.0-8.mga7 and yafaray-3.3.0-1.1.mga6.

New advisory:
========================

Updated blender package fixes security vulnerabilities:

Multiple vulnerabilities have been discovered in various parsers of Blender. Malformed .blend model files and malformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may result in the execution of arbitrary code (CVE-2017-2899, CVE-2017-2900, CVE-2017-2901, CVE-2017-2902, CVE-2017-2903, CVE-2017-2904, CVE-2017-2905, CVE-2017-2906, CVE-2017-2907, CVE-2017-2908, CVE-2017-2918, CVE-2017-12081, CVE-2017-12082, CVE-2017-12086, CVE-2017-12099, CVE-2017-12100, CVE-2017-12101, CVE-2017-12102, CVE-2017-12103, CVE-2017-12104, CVE-2017-12105).

These issues are fixed by updating to the latest upstream 2.79b release, which brings many improvements, bug fixes and new features. See the referenced changelog for details.

Also, the yafaray package has been updated to the latest version, 3.3.0, to make it work with the new Blender addons path.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2902
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2903
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2904
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2908
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2918
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12082
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12105
https://www.blender.org/features/2-79/
http://www.yafaray.org/node/817
https://www.debian.org/security/2018/dsa-4248
========================

Updated packages in core/updates_testing:
========================
blender-2.79b-1.1.mga6
yafaray-3.3.0-1.1.mga6
yafaray-blender-3.3.0-1.1.mga6

from SRPMS:
blender-2.79b-1.1.mga6.src.rpm
yafaray-3.3.0-1.1.mga6.src.rpm
Yet another set of packages, I had forgotten to update a version number when copying from cauldron. Thanks daviddavid for the notice.

Updated packages in core/updates_testing:
========================
blender-2.79b-1.1.mga6
yafaray-3.3.0-1.2.mga6
yafaray-blender-3.3.0-1.2.mga6

from SRPMS:
blender-2.79b-1.1.mga6.src.rpm
yafaray-3.3.0-1.2.mga6.src.rpm
Having a look at this. For the very first CVE on the list Talos reports that there is an exploit script included with the advisory but it is not visible. It would be a simple matter of generating a crafted TIFF file using the supplied python script and then passing the tif file to blender as an asset. CVE-2017-2900 comes with a similar advisory and invisible exploit script. One suspects that similar frustrations will be found with all the other CVEs. Shall try a wider search later.
CC: (none) => tarazed25
Dropping the PoC search. poc.py is a very common name.
Mageia 6, x86_64

Played with the blender interface as a complete newbie while referring to the Blender 2.3 Guide (2004). blender.render engine and default 3D cube model. Rotated, zoomed, changed camera view and translated the object.

Installed the updates.
- blender-2.79b-1.1.mga6.x86_64
- lib64audaspace1-1.3.0-7.mga6.x86_64
- lib64boost_serialization1.60.0-1.60.0-6.1.mga6.x86_64
- python3-audaspace-1.3.0-7.mga6.x86_64
- yafaray-3.3.0-1.2.mga6.x86_64
- yafaray-blender-3.3.0-1.2.mga6.x86_64

Resumed the out-of-date tutorial, attempting to become familiar with the interface but got totally lost after half an hour. Painted the cube; texture, weight, vertex mode... Succeeded in exporting the current model as an x3d file. Probably needs a three-month induction course but as far as could be determined blender was functioning as designed.

Could not try enabling yafaray-blender - unable to follow the user preferences path as described. Found User Preferences under File. Led to Interface, Editing, Input, Addons, Themes, File and System.

No obvious reason not to pass this as OK for 64-bits.
Whiteboard: (none) => MGA6-64-OK
QA agrees that we should get rid of this. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0332.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
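
An added example, not part of the original thread or of Mageia's tooling: a check that flags hosts still running builds older than the final candidates listed above. The function names are hypothetical, the comparison is a simplified form of rpm's version ordering (no epoch, `~` or `^` handling), and the sample input is constructed.

```python
import re
from itertools import zip_longest

# Fixed builds named in the update thread above: name -> (version, release).
FIXED = {
    "blender": ("2.79b", "1.1.mga6"),
    "yafaray": ("3.3.0", "1.2.mga6"),
    "yafaray-blender": ("3.3.0", "1.2.mga6"),
}

def _segments(s):
    # rpm splits a version into runs of digits or letters; anything else separates.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Return -1, 0 or 1 using rpm's segment-by-segment ordering (simplified)."""
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x is None:
            return -1                          # a ran out first, so b is newer
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # numeric runs compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric run beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return 0

def needs_update(name, version, release):
    """True when the installed build is older than the fixed build for `name`."""
    fixed_version, fixed_release = FIXED[name]
    order = rpmvercmp(version, fixed_version)
    if order == 0:
        order = rpmvercmp(release, fixed_release)
    return order < 0

def audit(installed):
    # Input lines look like: rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' <packages>
    stale = []
    for line in installed:
        name, version, release = line.split()
        if name in FIXED and needs_update(name, version, release):
            stale.append(name)
    return stale

# Constructed sample: the pre-update blender build and a superseded yafaray candidate.
SAMPLE = ["blender 2.78c 4.mga6", "yafaray 3.3.0 1.1.mga6",
          "yafaray-blender 3.3.0 1.2.mga6"]
```

The letter suffix is why a plain numeric comparison is not enough here: 2.79a and 2.79b differ only in the trailing alphabetic segment.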