diff -u blender-2.44/debian/changelog blender-2.44/debian/changelog
--- blender-2.44/debian/changelog
+++ blender-2.44/debian/changelog
@@ -1,3 +1,22 @@
+blender (2.44-2ubuntu2.1) gutsy-security; urgency=low
+
+ * SECURITY UPDATE: Stack-based buffer overflow in the imb_loadhdr function in Blender 2.45 allows user-assisted remote attackers to execute arbitrary code via a .blend file that contains a crafted Radiance RGBE image (LP: #222592)
+ - 20_CVE-2008-1102.diff: Upstream patch to address stack overflow.
+ - CVE-2008-1102
+ * SECURITY UPDATE: Untrusted search path vulnerability in BPY_interface in Blender 2.46 allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to an erroneous setting of sys.path by the PySys_SetArgv function. (LP: #319501)
+ - 01_sanitize_sys.path: Debian patch to no longer load modules from current dir. Slightly modified from Debian patch as per recommendation from debian patch author.
+ - CVE-2008-4863
+
+ -- Stefan Lesicnik Wed, 21 Jan 2009 10:34:10 +0200
+
 blender (2.44-2ubuntu2) gutsy; urgency=low
 
 * Switch over to python 2.5 (Closes LP: #116540).
diff -u blender-2.44/debian/patches/00list blender-2.44/debian/patches/00list
--- blender-2.44/debian/patches/00list
+++ blender-2.44/debian/patches/00list
@@ -1,5 +1,7 @@
+01_sanitize_sys.path
 02_tmp_in_HOME
 04_de_po_fix
 10_gnukfreebsd_support
 20_gcc4.3_support
+20_CVE-2008-1102.dpatch
 30_gameengine-libgl-location-fix
only in patch2: unchanged:
--- blender-2.44.orig/debian/patches/01_sanitize_sys.path
+++ blender-2.44/debian/patches/01_sanitize_sys.path
@@ -0,0 +1,24 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## debian/patches/01_sanitize_sys.path by James Vega
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Ubuntu: https://bugs.edge.launchpad.net/ubuntu/+source/blender/+bug/319501
+## DP: Upstream: http://patch-tracking.debian.net/patch/series/view/blender/2.42a-8/01_sanitize_sys.path
+## DP: Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503632
+## DP: Description: Sanitize sys.path to prevent relative imports loading modules in the current working directory. Modified from Debian patch.
+## DP: No longer load modules from current directory in Python scripts.
+## DP: CVE-2008-4863
+@@DPATCH@@
+--- a/source/blender/python/BPY_interface.c
++++ b/source/blender/python/BPY_interface.c
+@@ -225,6 +225,10 @@
+ //Start the interpreter
+ Py_Initialize( );
+ PySys_SetArgv( argc_copy, argv_copy );
++ /* Sanitize sys.path to prevent relative imports loading modules in
++ * the current working directory
++ */
++ PyRun_SimpleString("import sys; sys.path.pop(0)");
+ 
+ /* Initialize thread support (also acquires lock) */
+ PyEval_InitThreads();
only in patch2: unchanged:
--- blender-2.44.orig/debian/patches/20_CVE-2008-1102.dpatch
+++ blender-2.44/debian/patches/20_CVE-2008-1102.dpatch
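Review bot: The return value of `PyRun_SimpleString("import sys; sys.path.pop(0)")` is not checked; it returns -1 (after printing the traceback) when the statement fails, and in that case the entry PySys_SetArgv just prepended stays in sys.path and the hardening silently does not apply, so the call should become `if (PyRun_SimpleString("import sys; sys.path.pop(0)") != 0)` followed by whatever failure reporting the surrounding interpreter start-up code already uses. The unconditional pop(0) presumably relies on PySys_SetArgv having inserted exactly one entry derived from argv[0] (the empty string, i.e. the current directory, when argv[0] is empty), and the new comment does not say so; a line such as `/* PySys_SetArgv() above prepended argv[0]'s directory (or "" for the cwd); drop exactly that entry */` would keep a later reordering of these calls from popping a legitimate path entry instead. The enclosing function starts and ends outside the hunk. The marker line reads `@@DPATCH@@` while the sibling 20_CVE-2008-1102.dpatch uses `@DPATCH@`; if that is verbatim rather than an extraction artifact, it should be corrected to the single-`@` form dpatch expects.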
@@ -0,0 +1,21 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 20_CVE-2008-1102.dpatch by Stefan Lesicnik
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Ubuntu: https://bugs.edge.launchpad.net/ubuntu/+source/blender/+bug/222592
+## DP: Upsteam: https://svn.blender.org/svnroot/bf-blender/trunk/blender/source/blender/imbuf/intern/radiance_hdr.c
+## DP: Description: Upstream patch to address stack overflow
+@DPATCH@
+diff -urNad blender-2.44~/source/blender/imbuf/intern/radiance_hdr.c blender-2.44/source/blender/imbuf/intern/radiance_hdr.c
+--- blender-2.44~/source/blender/imbuf/intern/radiance_hdr.c 2006-03-23 19:16:48.000000000 +0200
++++ blender-2.44/source/blender/imbuf/intern/radiance_hdr.c 2009-01-16 09:42:55.000000000 +0200
+@@ -191,7 +191,8 @@
+ }
+ }
+ if (found) {
+- sscanf((char*)&mem[x+1], "%s %d %s %d", (char*)&oriY, &height, (char*)&oriX, &width);
++ if (sscanf((char *)&mem[x+1], "%79s %d %79s %d", (char*)&oriY, &height,
++ (char*)&oriX, &width) != 4) return NULL;
+ 
+ /* find end of this line, data right behind it */
+ ptr = (unsigned char *)strchr((char*)&mem[x+1], '\n');
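Review bot: The `%79s` widths on the new sscanf line are only safe if `oriY` and `oriX` are at least 80 bytes each, and their declarations are outside the hunk; nothing here ties the two together, so a later resize of either buffer would silently reopen the overflow the patch closes. Derive the width from the declared size, or at least record the coupling next to the call, e.g. `/* %79s: one less than sizeof oriY / sizeof oriX -- keep in sync with their declarations */`. The `!= 4` check rejects a short match, but `height` and `width` are still unvalidated integers from the file; if the code after the hunk sizes an allocation or a loop from them, a guard such as `if (width <= 0 || height <= 0) return NULL;` belongs directly after this check — confirm against the rest of the function, which starts and ends outside the hunk. sscanf also scans `mem` until a NUL or a match failure, so the call assumes the file buffer is NUL-terminated or the header line is well-formed; whether the loader guarantees that is not visible here. Minor: the changelog names this patch `20_CVE-2008-1102.diff` while 00list and the file itself use `20_CVE-2008-1102.dpatch`.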