Bug 7065 - blender missing update for security issue CVE-2009-3850
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/451501/
Whiteboard: MGA1-64-OK, MGA1-32-OK
Keywords: validated_update
 
Reported: 2012-08-14 23:52 CEST by David Walser
Modified: 2012-10-30 23:56 CET
Source RPM: blender-2.49b-11.3.mga1.src.rpm

Comment 1 David Walser 2012-10-28 06:25:50 CET
Patched package uploaded for Mageia 1.

Advisory:
========================

Updated blender package fixes security vulnerability:

Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute
arbitrary code via a .blend file that contains Python statements in the
onLoad action of a ScriptLink SDNA (CVE-2009-3850).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3850
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062616.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
blender-2.49b-11.4.mga1

from blender-2.49b-11.4.mga1.src.rpm

Comment 2 David Walser 2012-10-28 06:42:44 CET
Correction: we're only shipping the core (not tainted) blender package.

Advisory:
========================

Updated blender package fixes security vulnerability:

Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute
arbitrary code via a .blend file that contains Python statements in the
onLoad action of a ScriptLink SDNA (CVE-2009-3850).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3850
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062616.html
========================

Updated packages in core/updates_testing:
========================
blender-2.49b-11.4.mga1

from blender-2.49b-11.4.mga1.src.rpm

Comment 3 claire robinson 2012-10-29 19:28:06 CET
Possible PoC: http://www.coresecurity.com/content/blender-scripting-injection

Comment 4 Marc Lattemann 2012-10-30 23:02:45 CET
Tested successfully on mga1 x86_64 using the PoC from Comment 3:

Inserting
      import os
      os.system("/usr/bin/lxterminal")
as described opens a new terminal directly after loading the .blend file.

After the update, nothing happens anymore.
Will repeat it with i586 shortly.

Comment 5 Marc Lattemann 2012-10-30 23:20:41 CET
Same test performed on mga1 i586 with same results.

Validate updates.

Advisory:
========================

Updated blender package fixes security vulnerability:

Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute
arbitrary code via a .blend file that contains Python statements in the
onLoad action of a ScriptLink SDNA (CVE-2009-3850).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3850
http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062616.html
========================

Updated packages in core/updates_testing:
========================
blender-2.49b-11.4.mga1

from blender-2.49b-11.4.mga1.src.rpm

Could someone from the sysadmins push it to Updates? Thanks.

Comment 6 Thomas Backlund 2012-10-30 23:56:46 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0319
