Dear RMs,

the upcoming 2.42a-6 of blender addresses CVE-2007-1253 (an eval injection vulnerability in the kmz_ImportWithMesh.py script), currently affecting unstable/testing only. Upstream's take on this issue was to simply remove the buggy script, and we decided to follow suit, so this fix is basically a one-liner.

However, there are some late documentation fixes and an update to debian/copyright we'd like to include as well, so I'm wondering whether you might find the attached debdiff acceptable. If not, I will upload a new -6 containing just the changes you deem acceptable and ask for propagation to testing once it has been built.

Cheers,
Flo
diff -u blender-2.42a/debian/changelog blender-2.42a/debian/changelog
--- blender-2.42a/debian/changelog
+++ blender-2.42a/debian/changelog
@@ -1,3 +1,14 @@
+blender (2.42a-6) unstable; urgency=high
+
+ * Security: No longer ship the kmz_ImportWithMesh.py script since it allows
+ user-assisted remote attackers to execute arbitrary Python code by
+ importing a crafted (1) KML or (2) KMZ file [CVE-2007-1253].
+ * Updated copyright to reflect the actual license (Closes: #407917).
+ * Added documentation (NEWS, README.Debian) about 64-bit related risks.
+ * Added myself to the Uploaders.
+
+ -- Cyril Brulebois <[EMAIL PROTECTED]> Wed, 14 Mar 2007 11:06:13 +0100
+
blender (2.42a-5) unstable; urgency=high
* urgency=high due to RC bugfix targetted at testing
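Review bot: the security bullet in the new changelog stanza cites CVE-2007-1253 but carries no Closes: tag; if a Debian bug was filed for this CVE (the entry for #407917 shows the convention used in this stanza), reference it here so the BTS is closed by the upload. The date trailer "Wed, 14 Mar 2007" is the correct weekday; the README.Debian and NEWS stanzas in this same debdiff use "Mon" for the same date and should be aligned with this one.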
diff -u blender-2.42a/debian/control blender-2.42a/debian/control
--- blender-2.42a/debian/control
+++ blender-2.42a/debian/control
@@ -2,7 +2,7 @@
Section: graphics
Priority: optional
Maintainer: Debian Blender Maintainers <[EMAIL PROTECTED]>
-Uploaders: Masayuki Hatta (mhatta) <[EMAIL PROTECTED]>, Florian Ernst <[EMAIL
PROTECTED]>, Wouter van Heyst <[EMAIL PROTECTED]>
+Uploaders: Masayuki Hatta (mhatta) <[EMAIL PROTECTED]>, Florian Ernst <[EMAIL
PROTECTED]>, Wouter van Heyst <[EMAIL PROTECTED]>, Cyril Brulebois <[EMAIL
PROTECTED]>
Build-Depends: debhelper (>= 5.0.37.2), dpatch, ftgl-dev (>= 2.0.9-1), gettext
(>= 0.14.1), libgettextpo-dev, libglut-dev, libjpeg-dev, libpng-dev,
libsdl-dev, libz-dev, python2.4-dev, python-central (>= 0.4.17), scons,
libtiff4-dev, libopenexr-dev, libavformat-dev, libxi-dev, autotools-dev,
pkg-config, g++-3.3 [mips mipsel]
XS-Python-Version: 2.4
Standards-Version: 3.7.2
diff -u blender-2.42a/debian/rules blender-2.42a/debian/rules
--- blender-2.42a/debian/rules
+++ blender-2.42a/debian/rules
@@ -120,6 +120,9 @@
cp $(CURDIR)/debian/blender.linda-overrides \
$(CURDIR)/debian/blender/usr/share/linda/overrides/blender
+ # Needed removal, insecure script, see CVE-2007-1253
+ rm
$(CURDIR)/debian/blender/usr/lib/blender/scripts/kmz_ImportWithMesh.py
+
# Build architecture-independent files here.
binary-indep: build install
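Review bot: the added "rm" of kmz_ImportWithMesh.py is unconditional, so the build will fail loudly if a later upstream tarball stops shipping the script; that is the right behaviour for a security removal, but say so in the comment (e.g. "fail the build if upstream drops the script, then remove this line") so the next uploader does not just add -f. Note also that the removal happens in the install target only: the script remains in the source package and the build tree, and only the binary package stops shipping it, which matches the changelog wording "No longer ship".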
diff -u blender-2.42a/debian/copyright blender-2.42a/debian/copyright
--- blender-2.42a/debian/copyright
+++ blender-2.42a/debian/copyright
@@ -9,7 +9,7 @@
Basically, Blender is now GPL'd:
- Copyright (C) 2002 Blender Foundation.
+ Copyright (C) 2002-2005 Blender Foundation.
Blender is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by
@@ -24,53 +24,42 @@
- On Debian GNU/Linux systems, the complete text of the GNU General
- Public License can be found in /usr/share/common-licenses/GPL'.
+On Debian GNU/Linux systems, the complete text of the GNU General
+Public License can be found in /usr/share/common-licenses/GPL'.
-However, they offer the following license as an alternative, too:
- Blender License 1.0 (the "BL", see http://www.blender.org/BL/ ).
+However, the following license is offered as an alternative:
- Copyright (C) 2002 Blender Foundation. All Rights Reserved.
-
- For teams that don't want to operate under the GPL, we're also offering
- this "non-GPL" Blender License option. This means that you can download
- the latest sources and tools via FTP or CVS from our site and sign an
- additional agreement with the Blender Foundation, so you can keep your
- source modifications confidential. Contact the Blender Foundation via
- email at [EMAIL PROTECTED] so we can discuss how we handle the
- practical matters.
-
- A signed agreement allows you to do business with proprietary code, make
- special derived versions, sell executables, projects or services,
- provided that:
-
- 1. The BL-ed code remains copyrighted by the original owners, and cannot
- be transferred to other parties
-
- 2. The BL-ed code cannot be published or re-distributed in any way, and
- only be available for the internal staff that works directly on the
- software itself. Employees of partners with which you co-develop on the
- projects that include BL-ed code are considered 'internal staff' also.
-
- 3. The BL-ed code can be used (sold, distributed) in parts or in its
- whole only as an executable or as a compiled library/module and its
- header files.
-
- 4. The usage of the name Blender or the Blender logo is not included in
- this license. Instead 'including Blender Foundation release X' (or
- similar) can be used, with 'X' the version number of the initial Blender
- Foundation release which you started with.
-
- 5. Note that this BL has no authority over some of the external
- libraries licenses which Blender links with.
-
- Additionally you get :
-
- 1. The right to use Blender Foundation source updates for a 1 year
- period.
-
- 2. Support. Details to be determined by the additional agreement.
-
- You are invited to donate your proprietary changes back to the open
- source community after a reasonable time period. You are of course free
- to choose not to do this.
+ Blender License (the "BL", see http://www.blender.org/BL/ ).
+
+ Copyright (C) 2002-2005 Blender Foundation. All Rights Reserved.
+
+ This text supersedes the previous BL description, called Blender License 1.0.
+
+ When the Blender source code was released in 2002, the Blender Foundation
reserved
+ the right to offer licenses outside of the GNU GPL. This so-called "dual
license"
+ model was chosen to provide potential revenues for the Blender Foundation.
+
+ The BL has not been activated yet. Partially because;
+
+ - there has to be a clear benefit for Blender itself and its community of
+ developers and users.
+ - the developers who have copyrighted additions to the source code need to
approve
+ the decision.
+ - the (c) holder NaN Holding has to approve on a standard License Contract
+
+ But most important;
+
+ - the Blender Foundation is financially healthy, based on community support
+ (e-shop sales), sponsoring and subsidy grants
+ - current focus for the Blender Foundation is to not set up any commercial
+ activity related to Blender development.
+ - the GNU GPL provides sufficient freedom for third parties to conduct
business
+ with Blender
+
+ For these reasons we've decided to cancel the BL offering for an indefinite
period.
+
+ Third parties interested to discuss usage or exploitation of Blender can
email
+ [EMAIL PROTECTED] for further information.
+
+ Ton Roosendaal
+ Chairman Blender Foundation.
+ June 2005
- End of BL terms and conditions.
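Review bot: the rewritten lead-in "However, the following license is offered as an alternative:" contradicts the text that follows it, since the quoted June 2005 statement says the BL offering was cancelled for an indefinite period and never activated. Reword the lead-in to say the alternative licence was withdrawn (or present the quoted statement as historical context), so debian/copyright does not appear to offer a licence option that is not available. Dropping the "- End of BL terms and conditions." marker without a replacement is fine, as no terms remain.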
diff -u blender-2.42a/debian/README.Debian blender-2.42a/debian/README.Debian
--- blender-2.42a/debian/README.Debian
+++ blender-2.42a/debian/README.Debian
@@ -1,18 +1,46 @@
+blender (2.42a-6) unstable; urgency=high
+
+ * As of 2.43, one needs to use a ``YESIAMSTUPID'' macro in
+ source/creator/creator.c to be able to compile Blender on a 64-bit system.
+ This matter has not been advertised, but it mainly resides in the fact
+ that Blender is not 64-bit safe, in particular with respect to saved and
+ loaded files, especially when that happens between 32-bit and 64-bit
+ systems. Attention was paid to 64-bit systems, efforts were made, but not
+ enough to get a releasable version on those systems.
+
+ * So, be aware that there might be issues with files manipulated on 64-bit
+ systems, although everything could be or look fine. The file format might
+ also change in further releases to make it 64-bit safe, which might lead
+ to incompatibilities with the files saved with the current 64-bit builds.
+
+ * After the 2.43 release, the lead developer also promised (on Freenode, on
+ the #blendercoders chan):
+ ``We won't do another release without 64 bits blender!''
+ This problem is a priority, and it will be addressed in CVS as soon as
+ possible, possibly for 2.44.
+
+ * Interested readers might want to refer to the following thread on
+ upstream's bf-committers list:
+
http://projects.blender.org/pipermail/bf-committers/2007-January/017258.html
+
+ -- Cyril Brulebois <[EMAIL PROTECTED]> Mon, 14 Mar 2007 11:46:00 +0100
+
blender (2.40-1) unstable; urgency=low
- As blender is generally trying to get the most out of your graphics hardware
- it might trigger bugs in the corresponding drivers without actually being
- responsible for any malfunctioning.
- If you experience strange crashes please always try checking your setup first
- as outlined in
- http://dri.freedesktop.org/wiki/TestingAndDebugging
- as well as the Debian bugreport
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=273651
- I.e., try running blender via "LIBGL_ALWAYS_INDIRECT=1 blender" and see
whether
- this will resolve the problem for you.
-
- Furthermore, please note that starting with the 2.40-1 release blender will
- quit writing its autosave files to /tmp but it will use $HOME/.blender/
- instead by default.
+ * As blender is generally trying to get the most out of your graphics
+ hardware it might trigger bugs in the corresponding drivers without
+ actually being responsible for any malfunctioning. If you experience
+ strange crashes please always try checking your setup first as outlined in
+ http://dri.freedesktop.org/wiki/TestingAndDebugging
+
+ as well as the Debian bugreport
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=273651
+
+ I.e., try running blender via "LIBGL_ALWAYS_INDIRECT=1 blender" and see
+ whether this will resolve the problem for you.
+
+ * Furthermore, please note that starting with the 2.40-1 release blender
+ will quit writing its autosave files to /tmp but it will use
+ $HOME/.blender/ instead by default.
-- Florian Ernst <[EMAIL PROTECTED]> Tue, 10 Jan 2006 13:26:43 +0100
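Review bot: the new stanza's trailer reads "Mon, 14 Mar 2007 11:46:00 +0100", but 14 Mar 2007 was a Wednesday (as the changelog entry in this debdiff says), so the weekday should be corrected. The first bullet also opens with "As of 2.43, one needs to use a ``YESIAMSTUPID'' macro ... to be able to compile Blender on a 64-bit system" while this package is 2.42a; make explicit that the macro requirement is an upstream 2.43 change and that the underlying 64-bit file-safety problem described in the next bullet already applies to the 2.42a builds being shipped, otherwise a reader may conclude the caveat does not concern this version.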
only in patch2:
unchanged:
--- blender-2.42a.orig/debian/NEWS
+++ blender-2.42a/debian/NEWS
@@ -0,0 +1,16 @@
+blender (2.42a-6) unstable; urgency=high
+
+ * Blender is not 64-bit safe (yet), in particular with respect to saved and
+ loaded files, especially when that happens between 32-bit and 64-bit
+ systems. Attention was paid to 64-bit systems, efforts were made, but not
+ enough to get a releasable version on those systems.
+
+ * So, be aware that there might be issues with files manipulated on 64-bit
+ systems, although everything could be or look fine. The file format might
+ also change in further releases to make it 64-bit safe, which might lead
+ to incompatibilities with the files saved with the current 64-bit builds.
+
+ * More information is available in the README.Debian file, available under
+ /usr/share/doc/blender/.
+
+ -- Cyril Brulebois <[EMAIL PROTECTED]> Mon, 14 Mar 2007 12:01:01 +0100
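Review bot: NEWS.Debian stanzas are parsed by apt-listchanges and shown on upgrade, so the trailer should be a valid date; "Mon, 14 Mar 2007 12:01:01 +0100" has the wrong weekday (14 Mar 2007 was a Wednesday, matching the changelog). The version "2.42a-6" correctly matches the changelog, which apt-listchanges requires. Since this text is what users see at upgrade time, state plainly in the first bullet that the caveat applies to the 64-bit builds of this very version, not only to files exchanged with other systems.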
[The following lists of changes regard files as different if they have
different names, permissions or owners.]
Files only in first set of .debs, found in package blender
----------------------------------------------------------
-rw-r--r-- root/root /usr/lib/blender/scripts/kmz_ImportWithMesh.py
New files in second set of .debs, found in package blender
----------------------------------------------------------
-rw-r--r-- root/root /usr/share/doc/blender/NEWS.Debian.gz
Control files: lines which differ (wdiff format)
------------------------------------------------
Version: [-2.42a-5-] {+2.42a-6+}
Depends: liba52-0.7.4, libavcodec0d (>= 0.cvs20060823), libavformat0d (>=
0.cvs20060823), libc6 (>= 2.3.6-6), libdc1394-13, libfreetype6 (>= 2.2),
libgcc1 (>= 1:4.1.1-12), libgettextpo0, libgl1-mesa-glx | libgl1, libglu1-mesa
| libglu1, libgsm1 (>= 1.0.10), libjpeg62, libogg0 (>= 1.1.3), libopenexr2c2a
(>= 1.2.2), libpng12-0 (>= [-1.2.8rel),-] {+1.2.13-4),+} libraw1394-8,
libsdl1.2debian (>= 1.2.10-1), libstdc++6 (>= 4.1.1-12), libvorbis0a (>=
1.1.2), libvorbisenc2 (>= 1.1.2), libx11-6, libxi6, python2.4 (>= 2.3.90),
zlib1g (>= 1:1.2.1), python-central (>= 0.5.8)
Installed-Size: [-16144-] {+15900+}