Bug 23332 - blender several new security issues
Summary: blender several new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-07-19 15:46 CEST by David Walser
Modified: 2018-08-10 16:40 CEST

See Also:
Source RPM: blender-2.78c-4.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2018-07-19 15:46:36 CEST
Debian has issued an advisory on July 17:
https://www.debian.org/security/2018/dsa-4248

Mageia 5 and Mageia 6 are also affected.

David Walser 2018-07-19 15:46:43 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David GEIGER 2018-07-19 21:32:26 CEST
Hi,

I don't see how to fix these security issues, and I also don't understand why there are a lot of security issues not reported upstream or not fixed upstream!

CC: (none) => geiger.david68210

Comment 2 David Walser 2018-07-20 13:06:26 CEST
It looks like they were fixed upstream and Debian updated stretch from 2.79a to 2.79b to fix these issues.  I guess we just need to update Mageia 6 to 2.79b.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Source RPM: blender-2.79b-4.mga7.src.rpm => blender-2.78c-4.mga6.src.rpm

Marja Van Waes 2018-07-20 15:24:43 CEST

CC: (none) => marja11
Assignee: bugsquad => geiger.david68210

Comment 3 David GEIGER 2018-07-21 08:59:43 CEST
So fixed for mga6 by updating blender to the latest upstream release 2.79b.

Also I updated yafaray to update it to the latest maintained and supported upstream release (3.3.0) and to fix the blender addons path.

Comment 4 David Walser 2018-07-21 12:25:37 CEST
Advisory:
========================

Updated blender package fixes security vulnerabilities:

Multiple vulnerabilities have been discovered in various parsers of Blender.
Malformed .blend model files and malformed multimedia files (AVI, BMP, HDR, CIN,
IRIS, PNG, TIFF) may result in the execution of arbitrary code (CVE-2017-2899,
CVE-2017-2900, CVE-2017-2901, CVE-2017-2902, CVE-2017-2903, CVE-2017-2904,
CVE-2017-2905, CVE-2017-2906, CVE-2017-2907, CVE-2017-2908, CVE-2017-2918,
CVE-2017-12081, CVE-2017-12082, CVE-2017-12086, CVE-2017-12099, CVE-2017-12100,
CVE-2017-12101, CVE-2017-12102, CVE-2017-12103, CVE-2017-12104, CVE-2017-12105).

Also, the yafaray package has been updated to the latest version, 3.3.0, to fix
the blender addons path.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2902
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2903
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2904
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2908
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2918
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12082
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12105
https://www.blender.org/features/2-79/
http://www.yafaray.org/node/817
https://www.debian.org/security/2018/dsa-4248
========================

Updated packages in core/updates_testing:
========================
blender-2.79b-1.1.mga6
yafaray-3.3.0-1.mga6
yafaray-blender-3.3.0-1.mga6

from SRPMS:
blender-2.79b-1.1.mga6.src.rpm
yafaray-3.3.0-1.mga6.src.rpm

Assignee: geiger.david68210 => qa-bugs

Comment 5 Rémi Verschelde 2018-07-23 13:13:06 CEST
Testing on Mageia 6 x86_64.

blender 2.79b seems to work fine, but yafaray-blender does not work. Trying to enable it in Blender User Preferences > Render > Render: YafaRay v3 Exporter yields a traceback:

```
Traceback (most recent call last):
  File "/usr/share/blender/2.79/scripts/modules/addon_utils.py", line 331, in enable
    mod = __import__(module_name)
  File "/usr/share/blender/2.79/scripts/addons/yafaray/__init__.py", line 66, in <module>
    from . import io
  File "/usr/share/blender/2.79/scripts/addons/yafaray/io/__init__.py", line 22, in <module>
    from . import yaf_export
  File "/usr/share/blender/2.79/scripts/addons/yafaray/io/yaf_export.py", line 43, in <module>
    from ..ot import yafaray_presets
  File "/usr/share/blender/2.79/scripts/addons/yafaray/ot/__init__.py", line 23, in <module>
    from . import yafaray_presets
  File "/usr/share/blender/2.79/scripts/addons/yafaray/ot/yafaray_presets.py", line 341, in <module>
    class Yafaray_Menu(StructRNA, _GenericUI, metaclass.RNAMeta):  # Yafaray's own Preset Menu drawing: search method for files changed
NameError: name 'metaclass' is not defined
```

Investigating.

Comment 6 Rémi Verschelde 2018-07-23 15:12:17 CEST
yafaray-blender was plain broken, I reworked the packaging and made sure that it works with current Blender. Should be fixed in yafaray-3.3.0-8.mga7 and yafaray-3.3.0-1.1.mga6.


New advisory:
========================

Updated blender package fixes security vulnerabilities:

Multiple vulnerabilities have been discovered in various parsers of Blender.
Malformed .blend model files and malformed multimedia files (AVI, BMP, HDR, CIN,
IRIS, PNG, TIFF) may result in the execution of arbitrary code (CVE-2017-2899,
CVE-2017-2900, CVE-2017-2901, CVE-2017-2902, CVE-2017-2903, CVE-2017-2904,
CVE-2017-2905, CVE-2017-2906, CVE-2017-2907, CVE-2017-2908, CVE-2017-2918,
CVE-2017-12081, CVE-2017-12082, CVE-2017-12086, CVE-2017-12099, CVE-2017-12100,
CVE-2017-12101, CVE-2017-12102, CVE-2017-12103, CVE-2017-12104, CVE-2017-12105).

These issues are fixed by updating to the latest upstream 2.79b release, which
brings many improvements, bug fixes and new features. See the referenced
changelog for details.

Also, the yafaray package has been updated to the latest version, 3.3.0, to make it work with the new Blender addons path.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2902
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2903
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2904
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2908
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2918
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12082
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12105
https://www.blender.org/features/2-79/
http://www.yafaray.org/node/817
https://www.debian.org/security/2018/dsa-4248
========================

Updated packages in core/updates_testing:
========================
blender-2.79b-1.1.mga6
yafaray-3.3.0-1.1.mga6
yafaray-blender-3.3.0-1.1.mga6

from SRPMS:
blender-2.79b-1.1.mga6.src.rpm
yafaray-3.3.0-1.1.mga6.src.rpm

Comment 7 Rémi Verschelde 2018-07-23 15:20:52 CEST
Yet another set of packages, I had forgotten to update a version number when copying from cauldron. Thanks daviddavid for the notice.

Updated packages in core/updates_testing:
========================
blender-2.79b-1.1.mga6
yafaray-3.3.0-1.2.mga6
yafaray-blender-3.3.0-1.2.mga6

from SRPMS:
blender-2.79b-1.1.mga6.src.rpm
yafaray-3.3.0-1.2.mga6.src.rpm

Comment 8 Len Lawrence 2018-07-24 01:16:59 CEST
Having a look at this.  For the very first CVE on the list Talos reports that there is an exploit script included with the advisory but it is not visible.  It would be a simple matter of generating a crafted TIFF file using the supplied Python script and then passing the tif file to blender as an asset.  CVE-2017-2900 comes with a similar advisory and invisible exploit script.  One suspects that similar frustrations will be found with all the other CVEs.

Shall try a wider search later.

CC: (none) => tarazed25

Comment 9 Len Lawrence 2018-07-24 11:07:17 CEST
Dropping the PoC search.  poc.py is a very common name.

Comment 10 Len Lawrence 2018-07-24 18:54:21 CEST
Mageia 6, x86_64

Played with the blender interface as a complete newbie while referring to the Blender 2.3 Guide (2004).  blender.render engine and default 3D cube model.  Rotated, zoomed, changed camera view and translated the object.

Installed the updates.
- blender-2.79b-1.1.mga6.x86_64
- lib64audaspace1-1.3.0-7.mga6.x86_64
- lib64boost_serialization1.60.0-1.60.0-6.1.mga6.x86_64
- python3-audaspace-1.3.0-7.mga6.x86_64
- yafaray-3.3.0-1.2.mga6.x86_64
- yafaray-blender-3.3.0-1.2.mga6.x86_64

Resumed the out-of-date tutorial, attempting to become familiar with the interface but got totally lost after half an hour.  Painted the cube; texture, weight, vertex mode...  Succeeded in exporting the current model as an x3d file.  Probably needs a three-month induction course but as far as could be determined blender was functioning as designed.

Could not try enabling yafaray-blender - unable to follow the user preferences path as described.  Found User Preferences under File.  Led to Interface, Editing, Input, Addons, Themes, File and System.

No obvious reason not to pass this as OK for 64-bits.

Len Lawrence 2018-07-25 19:55:25 CEST

Whiteboard: (none) => MGA6-64-OK

Comment 11 Len Lawrence 2018-07-27 09:22:27 CEST
QA agrees that we should get rid of this.  Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2018-08-10 15:48:43 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 12 Mageia Robot 2018-08-10 16:40:00 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0332.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

