Fedora has issued an advisory on June 21, 2011:
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062616.html
They have a patch (from Gentoo) here:
http://pkgs.fedoraproject.org/cgit/blender.git/plain/blender-2.49b-CVE-2009-3850-v4.patch?h=f15&id=c809a85d807e3eb15ecc0ea487e6893278405470
Patched package uploaded for Mageia 1.
Advisory:
========================
Updated blender package fixes security vulnerability:
Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute arbitrary code via a .blend file that contains Python statements in the onLoad action of a ScriptLink SDNA (CVE-2009-3850).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3850
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062616.html
========================
Updated packages in {core,tainted}/updates_testing:
========================
blender-2.49b-11.4.mga1
from blender-2.49b-11.4.mga1.src.rpm
Assignee: fundawang => qa-bugs
Correction: we're only shipping the core (not tainted) blender package.
Advisory:
========================
Updated blender package fixes security vulnerability:
Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute arbitrary code via a .blend file that contains Python statements in the onLoad action of a ScriptLink SDNA (CVE-2009-3850).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3850
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062616.html
========================
Updated packages in core/updates_testing:
========================
blender-2.49b-11.4.mga1
from blender-2.49b-11.4.mga1.src.rpm
Possible PoC: http://www.coresecurity.com/content/blender-scripting-injection
Tested successfully on mga1 x86_64 using the PoC from Comment 3: inserting
    import os
    os.system("/usr/bin/lxterminal")
as described opens a new terminal directly after loading the .blend file. After the update nothing happens anymore. Will repeat it with i586 shortly.
CC: (none) => marc.lattemann
Whiteboard: (none) => MGA1-64-OK
Same test performed on mga1 i586 with the same results. Validate updates.
Advisory:
========================
Updated blender package fixes security vulnerability:
Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute arbitrary code via a .blend file that contains Python statements in the onLoad action of a ScriptLink SDNA (CVE-2009-3850).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3850
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062616.html
========================
Updated packages in core/updates_testing:
========================
blender-2.49b-11.4.mga1
from blender-2.49b-11.4.mga1.src.rpm
Could someone from the sysadmins push it to Updates? Thanks.
Keywords: (none) => validated_update
CC: marc.lattemann => sysadmin-bugs
Whiteboard: MGA1-64-OK => MGA1-64-OK, MGA1-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0319
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED