diff -u blender-2.45/debian/changelog blender-2.45/debian/changelog
--- blender-2.45/debian/changelog
+++ blender-2.45/debian/changelog
@@ -1,3 +1,22 @@
+blender (2.45-4ubuntu1.1) hardy-security; urgency=low
+
+ * SECURITY UPDATE: Stack-based buffer overflow in the imb_loadhdr
+ function in Blender 2.45 allows user-assisted remote attackers
+ to execute arbitrary code via a .blend file that contains a crafted
+ Radiance RGBE image (LP: #222592)
+ - 20_CVE-2008-1102.diff: Upstream patch to address stack overflow.
+ - CVE-2008-1102
+ * SECURITY UPDATE: Untrusted search path vulnerability in BPY_interface in
+ Blender 2.46 allows local users to execute arbitrary code via a Trojan
+ horse Python file in the current working directory, related to an
+ erroneous setting of sys.path by the PySys_SetArgv function. (LP: #319501)
+ - 01_sanitize_sys.path: Debian patch to no longer load modules from
+ current dir. Slightly modified from Debian patch as per recommendation
+ from debian patch author.
+ - CVE-2008-4863
+
+ -- Stefan Lesicnik Wed, 21 Jan 2009 10:01:23 +0200
+
 blender (2.45-4ubuntu1) hardy; urgency=low
 
 * Merge from Debian unstable. Remaining Ubuntu changes:
diff -u blender-2.45/debian/patches/series blender-2.45/debian/patches/series
--- blender-2.45/debian/patches/series
+++ blender-2.45/debian/patches/series
@@ -1,6 +1,8 @@
+01_sanitize_sys.path
 02_tmp_in_HOME
 04_de_po_fix
 10_gnukfreebsd_support
 20_gcc4.3_support
+20_CVE-2008-1102.diff
 30_gameengine-libgl-location-fix
 50_debian_build_config
only in patch2:
unchanged:
--- blender-2.45.orig/debian/patches/20_CVE-2008-1102.diff
+++ blender-2.45/debian/patches/20_CVE-2008-1102.diff
@@ -0,0 +1,19 @@
+#
+# Ubuntu: https://bugs.edge.launchpad.net/ubuntu/+source/blender/+bug/222592
+# Upsteam: https://svn.blender.org/svnroot/bf-blender/trunk/blender/source/blender/imbuf/intern/radiance_hdr.c
+# Description: Upstream patch to address stack overflow
+#
+Index: blender-2.45/source/blender/imbuf/intern/radiance_hdr.c
+===================================================================
+--- blender-2.45.orig/source/blender/imbuf/intern/radiance_hdr.c 2009-01-15 13:21:10.000000000 +0200
++++ blender-2.45/source/blender/imbuf/intern/radiance_hdr.c 2009-01-15 13:25:24.000000000 +0200
+@@ -191,7 +191,8 @@
+ }
+ }
+ if (found) {
+- sscanf((char*)&mem[x+1], "%s %d %s %d", (char*)&oriY, &height, (char*)&oriX, &width);
++ if (sscanf((char *)&mem[x+1], "%79s %d %79s %d", (char*)&oriY, &height,
++ (char*)&oriX, &width) != 4) return NULL;
+ 
+ /* find end of this line, data right behind it */
+ ptr = (unsigned char *)strchr((char*)&mem[x+1], '\n');
only in patch2:
unchanged:
--- blender-2.45.orig/debian/patches/01_sanitize_sys.path
+++ blender-2.45/debian/patches/01_sanitize_sys.path
@@ -0,0 +1,19 @@
+#
+# Ubuntu: https://bugs.edge.launchpad.net/ubuntu/+source/blender/+bug/319501
+# Upstream: http://patch-tracking.debian.net/patch/series/view/blender/2.42a-8/01_sanitize_sys.path
+# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503632
+# Description: Sanitize sys.path to prevent relative imports loading modules in the current working directory. Modified from Debian patch.
+#
+--- a/source/blender/python/BPY_interface.c
++++ b/source/blender/python/BPY_interface.c
+@@ -225,6 +225,10 @@
+ //Start the interpreter
+ Py_Initialize( );
+ PySys_SetArgv( argc_copy, argv_copy );
++ /* Sanitize sys.path to prevent relative imports loading modules in
++ * the current working directory
++ */
++ PyRun_SimpleString("import sys; sys.path.pop(0)");
+ 
+ /* Initialize thread support (also acquires lock) */
+ PyEval_InitThreads();
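Review bot: The `%79s` widths in the new `sscanf` call only close the overflow if `oriY` and `oriX` are at least 80 bytes each, and their declarations are outside this hunk (imb_loadhdr starts well before line 191), so the backport should be checked against the array sizes actually declared in blender-2.45's radiance_hdr.c rather than trusted from the upstream context. The `!= 4` check rejects headers with missing fields, but `width` and `height` are still accepted as arbitrary `int` values, including zero or negative; if they feed a buffer-size computation further down (not visible here), a guard such as `if (width <= 0 || height <= 0) return NULL;` immediately after the sscanf would be a cheap complement. The context-line `strchr((char*)&mem[x+1], '\n')` still assumes the input contains a newline or terminator; that is pre-existing rather than introduced by this patch. Separately, the patch header's `# Upsteam:` is a typo for `# Upstream:`, which is how the sibling patch spells it.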
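Review bot: The result of the added `PyRun_SimpleString("import sys; sys.path.pop(0)")` is discarded, so if the snippet fails (it returns -1 after printing the exception) the interpreter keeps running with `sys.path` unsanitized and nothing in the C code records that the mitigation did not apply; `if (PyRun_SimpleString("import sys; sys.path.pop(0)") != 0) fprintf(stderr, "BPY_interface: failed to sanitize sys.path\n");` would at least make it visible. The `pop(0)` also relies on `PySys_SetArgv` having just prepended the script directory or empty string as the first entry; that holds for the Python 2 builds this package targets, but the comment should state the assumption, e.g. `/* PySys_SetArgv prepends argv[0]'s directory (or "") to sys.path; drop it */`, since on an interpreter that does not prepend it the pop would remove a legitimate entry instead. Where the toolchain offers `PySys_SetArgvEx(argc_copy, argv_copy, 0)` (2.6.6/3.1.3 and later), not inserting the entry is preferable to removing it afterwards. The enclosing function begins and ends outside the hunk.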