[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
** Changed in: gentoo
       Status: Unknown => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/222592

Title:
  [CVE-2008-1102] Blender imb_loadhdr() buffer overflow

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/blender/+bug/222592/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
Launchpad has imported 18 comments from the remote bug at https://bugs.gentoo.org/show_bug.cgi?id=219008.

If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

On 2008-04-23T11:22:16+00:00 lars wrote:

Secunia Research has discovered a vulnerability in Blender, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the imb_loadhdr() function in source/blender/imbuf/intern/radiance_hdr.c, which can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted Blender (*.blend) file containing a malicious Radiance RGBE image.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 2.45. Other versions may also be affected.

Solution: Fixed in the SVN repository.

Reply at: https://bugs.launchpad.net/ubuntu/+source/blender/+bug/222592/comments/0

On 2008-04-24T08:23:48+00:00 Thoger-redhat wrote:

Fixed in the SVN repository.

Revisions 14432, 14451, 14461

Reply at: https://bugs.launchpad.net/ubuntu/+source/blender/+bug/222592/comments/1

On 2008-04-27T12:26:22+00:00 Maekke-gentoo wrote:

I bumped blender in cvs with the following patch:
http://cvs.fedora.redhat.com/viewcvs/rpms/blender/F-9/blender-2.45-cve-2008-1102.patch?sortby=dateview=markup

The new revisions are:
blender-2.45-r3: ~arch (masked for =media-video/ffmpeg-0.4.9_p20080326)
blender-2.45-r2 ~arch
blender-2.43-r1 stable candidate

Reply at: https://bugs.launchpad.net/ubuntu/+source/blender/+bug/222592/comments/3

On 2008-05-03T19:44:09+00:00 Rbu wrote:

CVE-2008-1103 is public now too:
Multiple unspecified vulnerabilities in Blender have unknown impact and attack vectors, related to temporary file issues.

I don't know what the situation is with a patch there. Markus, do you?

Reply at: https://bugs.launchpad.net/ubuntu/+source/blender/+bug/222592/comments/4

On 2008-05-03T19:44:53+00:00 Rbu wrote:

*** Bug 217694 has been marked as a duplicate of this bug. ***

Reply at: https://bugs.launchpad.net/ubuntu/+source/blender/+bug/222592/comments/5

On 2008-05-07T21:10:02+00:00 Maekke-gentoo wrote:

(In reply to comment #3)
> CVE-2008-1103 is public now too:
> Multiple unspecified vulnerabilities in Blender have unknown impact and attack vectors, related to temporary file issues.
>
> I don't know what the situation is with a patch there. Markus, do you?

grabbed patches for CVE-2008-1103 from fedora:
http://cvs.fedora.redhat.com/viewcvs/*checkout*/rpms/blender/F-9/blender-2.45-cve-2008-1103-1.patch?sortby=date
http://cvs.fedora.redhat.com/viewcvs/*checkout*/rpms/blender/F-9/blender-2.45-cve-2008-1103-2.patch?sortby=date

The new revisions are:
media-gfx/blender-2.45-r4 ~arch
media-gfx/blender-2.43-r2 stable candidate
no new revision (but patches added) for p.masked version (media-gfx/blender-2.45-r3)

Reply at: https://bugs.launchpad.net/ubuntu/+source/blender/+bug/222592/comments/10

On 2008-05-08T07:52:32+00:00 Rbu wrote:

Arches, please test and mark stable:
=media-gfx/blender-2.43-r2
Target keywords : ppc ppc64 release x86

Reply at: https://bugs.launchpad.net/ubuntu/+source/blender/+bug/222592/comments/11

On 2008-05-08T14:47:58+00:00 Christian Faulhammer wrote:

x86 stable

Reply at: https://bugs.launchpad.net/ubuntu/+source/blender/+bug/222592/comments/12

On 2008-05-09T14:29:30+00:00 Corsair-5 wrote:

ppc64 stable

Reply at: https://bugs.launchpad.net/ubuntu/+source/blender/+bug/222592/comments/13

On 2008-05-11T12:09:38+00:00 Dertobi123 wrote:

ppc stable

Reply at: https://bugs.launchpad.net/ubuntu/+source/blender/+bug/222592/comments/14

On 2008-05-11T13:08:45+00:00 Maekke-gentoo wrote:

11 May 2008; Markus Meier mae...@gentoo.org -blender-2.43.ebuild:
old

Reply at: https://bugs.launchpad.net/ubuntu/+source/blender/+bug/222592/comments/15

On 2008-05-11T13:11:26+00:00 Py wrote:

GLSA request filed.

Reply at:
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
** Changed in: gentoo
   Importance: Unknown => Medium
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
** Branch linked: lp:ubuntu/dapper-updates/blender

** Branch linked: lp:~ubuntu-branches/ubuntu/gutsy/blender/gutsy-security

** Branch linked: lp:ubuntu/hardy-updates/blender
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
This bug was fixed in the package blender - 2.44-2ubuntu2.1

---
blender (2.44-2ubuntu2.1) gutsy-security; urgency=low

  * SECURITY UPDATE: Stack-based buffer overflow in the imb_loadhdr function
    in Blender 2.45 allows user-assisted remote attackers to execute arbitrary
    code via a .blend file that contains a crafted Radiance RGBE image
    (LP: #222592)
    - 20_CVE-2008-1102.diff: Upstream patch to address stack overflow.
    - CVE-2008-1102
  * SECURITY UPDATE: Untrusted search path vulnerability in BPY_interface in
    Blender 2.46 allows local users to execute arbitrary code via a Trojan horse
    Python file in the current working directory, related to an erroneous setting
    of sys.path by the PySys_SetArgv function. (LP: #319501)
    - 01_sanitize_sys.path: Debian patch to no longer load modules from current
      dir. Slightly modified from Debian patch as per recommendation from debian
      patch author.
    - CVE-2008-4863

 -- Stefan Lesicnik ste...@lsd.co.za  Wed, 21 Jan 2009 10:34:10 +0200

** Changed in: blender (Ubuntu Gutsy)
       Status: In Progress => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4863

** Changed in: blender (Ubuntu Hardy)
       Status: In Progress => Fix Released
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
This bug was fixed in the package blender - 2.45-4ubuntu1.1

---
blender (2.45-4ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: Stack-based buffer overflow in the imb_loadhdr function
    in Blender 2.45 allows user-assisted remote attackers to execute arbitrary
    code via a .blend file that contains a crafted Radiance RGBE image
    (LP: #222592)
    - 20_CVE-2008-1102.diff: Upstream patch to address stack overflow.
    - CVE-2008-1102
  * SECURITY UPDATE: Untrusted search path vulnerability in BPY_interface in
    Blender 2.46 allows local users to execute arbitrary code via a Trojan horse
    Python file in the current working directory, related to an erroneous setting
    of sys.path by the PySys_SetArgv function. (LP: #319501)
    - 01_sanitize_sys.path: Debian patch to no longer load modules from current
      dir. Slightly modified from Debian patch as per recommendation from debian
      patch author.
    - CVE-2008-4863

 -- Stefan Lesicnik ste...@lsd.co.za  Wed, 21 Jan 2009 10:01:23 +0200
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
** Attachment added: debdiff-hardy
   http://launchpadlibrarian.net/21513679/debdiff-hardy
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
** Attachment added: build-hardy
   http://launchpadlibrarian.net/21513692/build-hardy
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
** Attachment added: debdiff-gutsy
   http://launchpadlibrarian.net/21513887/debdiff-gutsy
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
** Attachment added: build-gutsy
   http://launchpadlibrarian.net/21514055/build-gutsy

** Changed in: blender (Ubuntu Gutsy)
       Status: Confirmed => In Progress

** Changed in: blender (Ubuntu Hardy)
       Status: Confirmed => In Progress
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
Update was released to fix this issue:
http://www.ubuntu.com/usn/usn-699-1

** Changed in: blender (Ubuntu Gutsy)
       Status: New => Confirmed

** Changed in: blender (Ubuntu Hardy)
       Status: New => Confirmed

** Changed in: blender (Ubuntu Jaunty)
       Status: Triaged => Invalid

** Changed in: blender (Ubuntu Intrepid)
       Status: New => Invalid

** Changed in: blender (Ubuntu Dapper)
       Status: New => Fix Released

** Changed in: blender (Ubuntu Jaunty)
   Importance: High => Undecided
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
I've just merged 2.45-5 from Debian unstable, which addresses this. Unfortunately, I've not used -v for dpkg-buildpackage, so here's the Debian changelog snippet for reference:

  * Fix CVE-2008-1102: “Stack-based buffer overflow in the imb_loadhdr
    function allows user-assisted remote attackers to execute arbitrary code
    via a .blend file that contains a crafted Radiance RGBE image.” Add
    upstream patch as pointed to by Tomas Hoger [EMAIL PROTECTED] (thanks!),
    which basically adds a check on sscanf() return code and limits the size
    of accepted %s parameters (Closes: #477808):
    - 30_fix_CVE-2008-1102.

** Changed in: blender (Ubuntu)
   Importance: Undecided => High
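Added example, not part of the message above and not Blender's or Debian's code: a stand-alone parser for a Radiance-style resolution line that applies the two measures the changelog names, a field width on each `%s` and a check of the `sscanf()` return value. The function names, the buffer size and the dimension limit are assumptions made for illustration, and the sample inputs are constructed.

```c
#include <stdio.h>

#define ORI_LEN 8        /* hypothetical size of an orientation token buffer */
#define MAX_DIM 65536    /* hypothetical upper bound on image dimensions */

/* Accept only a sign followed by the expected axis letter, e.g. "-Y". */
static int valid_axis(const char *tok, char axis)
{
    return (tok[0] == '-' || tok[0] == '+') && tok[1] == axis && tok[2] == '\0';
}

/* Parse a resolution line of the form "-Y <height> +X <width>".
 * Returns 0 and fills *width / *height on success, -1 on any malformed
 * or out-of-range input. */
int parse_resolution(const char *line, int *width, int *height)
{
    char ori_y[ORI_LEN], ori_x[ORI_LEN];
    int w, h;

    /* "%s" with no width would copy a token of any length into the stack
     * buffers. "%7s" stores at most ORI_LEN - 1 bytes plus the NUL. */
    int n = sscanf(line, "%7s %d %7s %d", ori_y, &h, ori_x, &w);

    /* All four conversions must succeed; otherwise w, h and the token
     * buffers may be uninitialised. sscanf returns EOF on empty input. */
    if (n != 4)
        return -1;
    if (!valid_axis(ori_y, 'Y') || !valid_axis(ori_x, 'X'))
        return -1;
    if (w <= 0 || h <= 0 || w > MAX_DIM || h > MAX_DIM)
        return -1;

    *width = w;
    *height = h;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from a real file. */
    const char *samples[] = { "-Y 512 +X 768", "-Y 512", "AAAAAAAAAAAAAAAA 1 +X 2" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int w = 0, h = 0;
        int rc = parse_resolution(samples[i], &w, &h);
        printf("%-26s -> rc=%d w=%d h=%d\n", samples[i], rc, w, h);
    }
    return 0;
}
```

With the width in place an over-long token is truncated at seven bytes, the following `%d` then fails to match, and the return-value check rejects the line instead of using half-parsed values.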
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
** Changed in: gentoo
       Status: Fix Released => Confirmed
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
** Bug watch added: Gentoo Bugzilla #219008
   http://bugs.gentoo.org/show_bug.cgi?id=219008

** Also affects: gentoo via
   http://bugs.gentoo.org/show_bug.cgi?id=219008
   Importance: Unknown
       Status: Unknown
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
** Changed in: gentoo
       Status: Unknown => Fix Released
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
SUSE-SR:2008:010 also mentions CVE-2008-1103: »Multiple unspecified vulnerabilities in Blender have unknown impact and attack vectors, related to temporary file issues.«

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1103
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
CVE-2008-1103 is a separate set of problems and is best tracked in another bug report. I asked in the comments whether bug #6671 was the same problem as CVE-2008-1103 but received no reply. I have just filed bug #227345 to track CVE-2008-1103.

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1103
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
Sorry, I just tend to group CVEs as I find them in various security advisories. It's not always easy to figure out which ones belong together, especially if you try to report a greater amount of accumulated bugs in a limited period of time.
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
This has been fixed in Debian, see http://www.debian.org/security/2008/dsa-1567
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
** Bug watch added: Debian Bug tracker #477808
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477808

** Also affects: blender (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477808
   Importance: Unknown
       Status: Unknown

** Changed in: blender (Ubuntu)
       Status: New => Triaged
[Bug 222592] Re: [CVE-2008-1102] Blender imb_loadhdr() buffer overflow
** Changed in: blender (Debian)
       Status: Unknown => Fix Released