Bug 7065 - blender missing update for security issue CVE-2009-3850
Summary: blender missing update for security issue CVE-2009-3850
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/451501/
Whiteboard: MGA1-64-OK, MGA1-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-08-14 23:52 CEST by David Walser
Modified: 2012-10-30 23:56 CET

See Also:
Source RPM: blender-2.49b-11.3.mga1.src.rpm
CVE:
Status comment:


Comment 1 David Walser 2012-10-28 06:25:50 CET
Patched package uploaded for Mageia 1.

Advisory:
========================

Updated blender package fixes security vulnerability:

Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute
arbitrary code via a .blend file that contains Python statements in the
onLoad action of a ScriptLink SDNA (CVE-2009-3850).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3850
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062616.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
blender-2.49b-11.4.mga1

from blender-2.49b-11.4.mga1.src.rpm

Assignee: fundawang => qa-bugs

Comment 2 David Walser 2012-10-28 06:42:44 CET
Correction: we're only shipping the core (not tainted) blender package.

Advisory:
========================

Updated blender package fixes security vulnerability:

Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute
arbitrary code via a .blend file that contains Python statements in the
onLoad action of a ScriptLink SDNA (CVE-2009-3850).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3850
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062616.html
========================

Updated packages in core/updates_testing:
========================
blender-2.49b-11.4.mga1

from blender-2.49b-11.4.mga1.src.rpm

Comment 3 claire robinson 2012-10-29 19:28:06 CET
Possible PoC: http://www.coresecurity.com/content/blender-scripting-injection

Comment 4 Marc Lattemann 2012-10-30 23:02:45 CET
tested successfully on mga1 x86_64 using PoC from Comment 3:

inserting
      import os
      os.system("/usr/bin/lxterminal")
as described opens a new terminal directly after loading the .blend file

after update nothing happens anymore.
Will repeat it with i586 shortly.

CC: (none) => marc.lattemann
Whiteboard: (none) => MGA1-64-OK

Comment 5 Marc Lattemann 2012-10-30 23:20:41 CET
same test performed on mga1 i586 with same results.

validate updates.

Advisory:
========================

Updated blender package fixes security vulnerability:

Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute
arbitrary code via a .blend file that contains Python statements in the
onLoad action of a ScriptLink SDNA (CVE-2009-3850).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3850
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062616.html
========================

Updated packages in core/updates_testing:
========================
blender-2.49b-11.4.mga1

from blender-2.49b-11.4.mga1.src.rpm

Could someone from the sysadmins push it to Updates? Thanks.

Keywords: (none) => validated_update
CC: marc.lattemann => sysadmin-bugs
Whiteboard: MGA1-64-OK => MGA1-64-OK, MGA1-32-OK

Comment 6 Thomas Backlund 2012-10-30 23:56:46 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0319

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

