[CVE-2008-1102] Blender imb_loadhdr() buffer overflow

Bug #222592 reported by Till Ulen on 2008-04-26
Affects           Status        Importance  Assigned to  Milestone
Gentoo Linux      Fix Released  Medium
blender (Debian)  Fix Released  Unknown
blender (Ubuntu)                Undecided   Unassigned
  Dapper                        Undecided   Unassigned
  Gutsy                         Undecided   Unassigned
  Hardy                         Undecided   Unassigned
  Intrepid                      Undecided   Unassigned
  Jaunty                        Undecided   Unassigned

Bug Description

Binary package hint: blender

CVE-2008-1102 description:

"Stack-based buffer overflow in the imb_loadhdr function in Blender 2.45 allows user-assisted remote attackers to execute arbitrary code via a .blend file that contains a crafted Radiance RGBE image."

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1102
http://secunia.com/secunia_research/2008-16/advisory/

Secunia Research has discovered a vulnerability in Blender, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the "imb_loadhdr()" function in source/blender/imbuf/intern/radiance_hdr.c, which can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted Blender (*.blend) file containing a malicious Radiance RGBE image.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 2.45. Other versions may also be affected.

Solution:
Fixed in the SVN repository.

> Fixed in the SVN repository.

Revisions 14432, 14451, 14461

I bumped blender in cvs with the following patch:
http://cvs.fedora.redhat.com/viewcvs/rpms/blender/F-9/blender-2.45-cve-2008-1102.patch?sortby=date&view=markup

The new revisions are:
blender-2.45-r3: ~arch (masked for >=media-video/ffmpeg-0.4.9_p20080326)
blender-2.45-r2 ~arch
blender-2.43-r1 stable candidate

CVE-2008-1103 is public now too:
Multiple unspecified vulnerabilities in Blender have unknown impact and attack
vectors, related to "temporary file issues."

I don't know what the situation is with a patch there. Markus, do you?

*** Bug 217694 has been marked as a duplicate of this bug. ***

Till Ulen (tillulen) wrote :

This has been fixed in Debian, see http://www.debian.org/security/2008/dsa-1567

Daniel Hahler (blueyed) on 2008-05-05
Changed in blender:
status: New → Triaged
Changed in blender:
status: Unknown → Fix Released

SUSE-SR:2008:010 also mentions CVE-2008-1103:
»Multiple unspecified vulnerabilities in Blender have unknown impact and attack vectors, related to "temporary file issues."«

Till Ulen (tillulen) wrote :

CVE-2008-1103 is a separate set of problems and is best tracked in another bug report. I asked in the comments whether bug #6671 was the same problem as CVE-2008-1103 but received no reply. I have just filed bug #227345 to track CVE-2008-1103.

Sorry, I just tend to group CVEs as I find them in various security advisories. It's not always easy to figure out which ones belong together, especially if you try to report a greater amount of accumulated bugs in a limited period of time.

(In reply to comment #3)
> CVE-2008-1103 is public now too:
> Multiple unspecified vulnerabilities in Blender have unknown impact and attack
> vectors, related to "temporary file issues."
>
> I don't know what the situation is with a patch there. Markus, do you?
>

Grabbed patches for CVE-2008-1103 from Fedora:
http://cvs.fedora.redhat.com/viewcvs/*checkout*/rpms/blender/F-9/blender-2.45-cve-2008-1103-1.patch?sortby=date
http://cvs.fedora.redhat.com/viewcvs/*checkout*/rpms/blender/F-9/blender-2.45-cve-2008-1103-2.patch?sortby=date

The new revisions are:
media-gfx/blender-2.45-r4 ~arch
media-gfx/blender-2.43-r2 stable candidate

no new revision (but patches added) for p.masked version (media-gfx/blender-2.45-r3)

Arches, please test and mark stable:
=media-gfx/blender-2.43-r2
Target keywords : "ppc ppc64 release x86"

x86 stable

ppc64 stable

ppc stable

  11 May 2008; Markus Meier <email address hidden> -blender-2.43.ebuild:
  old

Py (py) wrote :

GLSA request filed.

pva (pva) wrote :

Fixed in release snapshot.

Py (py) wrote :

GLSA 200805-12

Please note that cve-2008-1103-1.patch and cve-2008-1103-2.patch in Fedora packages do not resolve CVE-2008-1103 completely, only the /tmp/quit.blend part of the issue. See also:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1103#c8

Thanks for the info.

Reopening for maintainer advice.

Daniel Hahler (blueyed) wrote :

I've just merged 2.45-5 from Debian unstable, which addresses this.
Unfortunately, I've not used "-v" for dpkg-buildpackage, so here's the Debian changelog snippet for reference:
   * Fix CVE-2008-1102: “Stack-based buffer overflow in the imb_loadhdr
     function allows user-assisted remote attackers to execute arbitrary
     code via a .blend file that contains a crafted Radiance RGBE image.”
     Add upstream patch as pointed to by Tomas Hoger <email address hidden>
     (thanks!), which basically adds a check on sscanf() return code and
     limits the size of accepted %s parameters (Closes: #477808):
      - 30_fix_CVE-2008-1102.

Changed in blender:
importance: Undecided → High
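The following is an added example, not Blender's radiance_hdr.c and not any of the distribution patches linked in this report. It reconstructs the parsing pattern the Secunia advisory and the Debian changelog above describe: the Radiance RGBE resolution line is pulled apart with sscanf() into fixed-size stack arrays, and the fix bounds each %s and checks the conversion count. Buffer sizes (80 bytes), function names, the sanity limits and the sample headers are assumptions made for illustration; the crafted header is constructed inline.

```c
/* Added example, not Blender's radiance_hdr.c: the header-parsing pattern
 * behind CVE-2008-1102 next to the hardened form the Debian changelog
 * describes (check the sscanf() return value, bound every %s).  Buffer sizes,
 * function names and the sample headers are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define ORI_LEN 80   /* assumed size of the on-stack orientation buffers */

/* A Radiance RGBE header is text: "#?RADIANCE" (or "#?RGBE"), KEY=value lines,
 * one empty line, then the resolution line, e.g. "-Y 480 +X 640".  Return a
 * pointer to that resolution line, or NULL if the layout is not there. */
static const char *find_resolution_line(const char *mem, size_t size)
{
    if (size < 2 || mem[0] != '#' || mem[1] != '?')
        return NULL;
    for (size_t i = 1; i + 1 < size; i++)
        if (mem[i] == '\n' && mem[i + 1] == '\n')
            return mem + i + 2;
    return NULL;
}

/* Vulnerable shape: "%s" copies a token of any length into an 80-byte stack
 * array, so a crafted orientation token longer than 79 bytes overwrites
 * oriY/oriX and whatever sits above them on the stack.  Only here for
 * contrast; never feed it untrusted input. */
int parse_resolution_vuln(const char *line, int *width, int *height)
{
    char oriY[ORI_LEN], oriX[ORI_LEN];
    sscanf(line, "%s %d %s %d", oriY, height, oriX, width); /* result unchecked */
    return 0;
}

/* Hardened shape: a field width caps each %s at ORI_LEN-1 bytes plus the NUL,
 * and the conversion count is checked so a truncated or malformed line is
 * rejected rather than leaving width/height uninitialised. */
int parse_resolution_fixed(const char *line, int *width, int *height)
{
    char oriY[ORI_LEN], oriX[ORI_LEN];
    if (sscanf(line, "%79s %d %79s %d", oriY, height, oriX, width) != 4)
        return -1;
    /* Cheap sanity checks a loader wants anyway: "+Y"/"-Y" style tokens and
     * dimensions that cannot drive a later allocation to overflow. */
    if (strlen(oriY) != 2 || strlen(oriX) != 2)
        return -1;
    if ((oriY[0] != '+' && oriY[0] != '-') || (oriX[0] != '+' && oriX[0] != '-'))
        return -1;
    if (*width <= 0 || *height <= 0 || *width > 65536 || *height > 65536)
        return -1;
    return 0;
}

/* The file bytes carry no terminator, so bound the read by `size` and copy
 * the resolution line into a NUL-terminated scratch buffer before sscanf(). */
int load_header_fixed(const char *mem, size_t size, int *width, int *height)
{
    char line[256];
    const char *p = find_resolution_line(mem, size);
    if (!p)
        return -1;
    size_t avail = size - (size_t)(p - mem), n = 0;
    while (n < avail && n < sizeof line - 1 && p[n] != '\n')
        n++;
    memcpy(line, p, n);
    line[n] = '\0';
    return parse_resolution_fixed(line, width, height);
}

/* Constructed sample input (not a real file). */
static const char benign_hdr[] =
    "#?RADIANCE\nFORMAT=32-bit_rle_rgbe\n\n-Y 480 +X 640\n";

/* Build a header whose first orientation token is `toklen` bytes of 'A'.
 * Returns the header length, or 0 if `out` is too small. */
size_t make_crafted_hdr(char *out, size_t outsz, size_t toklen)
{
    static const char head[] = "#?RADIANCE\nFORMAT=32-bit_rle_rgbe\n\n";
    static const char tail[] = " 480 +X 640\n";
    size_t len = (sizeof head - 1) + toklen + (sizeof tail - 1);
    if (len + 1 > outsz)
        return 0;
    memcpy(out, head, sizeof head - 1);
    memset(out + sizeof head - 1, 'A', toklen);
    memcpy(out + sizeof head - 1 + toklen, tail, sizeof tail); /* copies the NUL too */
    return len;
}

int main(void)
{
    char crafted[512];
    int w = 0, h = 0;
    size_t n = make_crafted_hdr(crafted, sizeof crafted, 200);
    printf("benign : rc=%d %dx%d\n",
           load_header_fixed(benign_hdr, sizeof benign_hdr - 1, &w, &h), w, h);
    printf("crafted: rc=%d\n", load_header_fixed(crafted, n, &w, &h));
    return 0; /* parse_resolution_vuln() on the crafted line is the crash case; not run */
}
```

With the 200-byte token, `%79s` stops after 79 bytes and the following `%d` fails on the next 'A', so the conversion count is 1 and the line is rejected; the unbounded `%s` in the vulnerable variant would instead write all 200 bytes into the 80-byte array. The width/height limits are an assumed defensive bound, not something the original fix contained.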

Hmm. Only blender-2.48a-r3 is left in tree.. if the CVE fixes ever went upstream, they should be in by now.

Marc Deslauriers (mdeslaur) wrote :

Update was released to fix this issue: http://www.ubuntu.com/usn/usn-699-1

Changed in blender:
status: New → Confirmed
status: New → Confirmed
status: Triaged → Invalid
status: New → Invalid
status: New → Fix Released
Changed in blender:
importance: High → Undecided
Changed in blender:
status: Confirmed → In Progress
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package blender - 2.44-2ubuntu2.1

---------------
blender (2.44-2ubuntu2.1) gutsy-security; urgency=low

  * SECURITY UPDATE: Stack-based buffer overflow in the imb_loadhdr
    function in Blender 2.45 allows user-assisted remote attackers
    to execute arbitrary code via a .blend file that contains a crafted
    Radiance RGBE image (LP: #222592)
    - 20_CVE-2008-1102.diff: Upstream patch to address stack overflow.
    - CVE-2008-1102
  * SECURITY UPDATE: Untrusted search path vulnerability in BPY_interface in
    Blender 2.46 allows local users to execute arbitrary code via a Trojan
    horse Python file in the current working directory, related to an
    erroneous setting of sys.path by the PySys_SetArgv function. (LP: #319501)
    - 01_sanitize_sys.path: Debian patch to no longer load modules from
      current dir. Slightly modified from Debian patch as per recommendation
      from debian patch author.
    - CVE-2008-4863

 -- Stefan Lesicnik <email address hidden> Wed, 21 Jan 2009 10:34:10 +0200

Changed in blender:
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package blender - 2.45-4ubuntu1.1

---------------
blender (2.45-4ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: Stack-based buffer overflow in the imb_loadhdr
    function in Blender 2.45 allows user-assisted remote attackers
    to execute arbitrary code via a .blend file that contains a crafted
    Radiance RGBE image (LP: #222592)
    - 20_CVE-2008-1102.diff: Upstream patch to address stack overflow.
    - CVE-2008-1102
  * SECURITY UPDATE: Untrusted search path vulnerability in BPY_interface in
    Blender 2.46 allows local users to execute arbitrary code via a Trojan
    horse Python file in the current working directory, related to an
    erroneous setting of sys.path by the PySys_SetArgv function. (LP: #319501)
    - 01_sanitize_sys.path: Debian patch to no longer load modules from
      current dir. Slightly modified from Debian patch as per recommendation
      from debian patch author.
    - CVE-2008-4863

 -- Stefan Lesicnik <email address hidden> Wed, 21 Jan 2009 10:01:23 +0200

Changed in blender:
status: In Progress → Fix Released
Changed in gentoo:
importance: Unknown → Medium

CVE-2008-1102: fixed in =media-gfx/blender-2.43-r2 / GLSA 200805-12
CVE-2008-1103: patch had an incomplete fix in =media-gfx/blender-2.43-r2 / GLSA 200805-12. First fixed was =media-gfx/blender-2.48a-r3

Changed in gentoo:
status: Confirmed → Unknown

@security: blender is now package.masked and older versions have been removed. Your call what you want to do from here.

This issue was resolved and addressed in
 GLSA 201311-07 at http://security.gentoo.org/glsa/glsa-201311-07.xml
by GLSA coordinator Sean Amoss (ackle).

Changed in gentoo:
status: Unknown → Fix Released