Bug 469655 (CVE-2008-4863)

Summary: CVE-2008-4863 blender: untrusted python modules search path
Product: [Other] Security Response
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Tomas Hoger <thoger>
Assignee: Red Hat Product Security <security-response-team>
CC: bugzilla, jochen
Keywords: Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4863
Doc Type: Bug Fix
Last Closed: 2008-12-03 07:30:04 UTC

Description Tomas Hoger 2008-11-03 09:27:52 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4863 to the following vulnerability:

Untrusted search path vulnerability in BPY_interface in Blender 2.46
allows local users to execute arbitrary code via a Trojan horse Python
file in the current working directory, related to an erroneous setting
of sys.path by the PySys_SetArgv function.

References:
http://www.openwall.com/lists/oss-security/2008/10/27/1
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503632

Comment 1 Tomas Hoger 2008-11-03 09:29:40 UTC
Proposed patch that sanitizes sys.path before loading modules is attached in the Debian bug report:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503632#10
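
The idea of sanitizing sys.path before modules are loaded, as an added example; this is not the patch attached to the Debian bug and not Blender's code. The function names, the drop policy and the sample paths are assumptions constructed for this illustration.

```python
import os
import tempfile


def classify_entry(entry, cwd):
    """Return the reason a sys.path entry is unsafe, or None if it is kept."""
    if entry == "":
        # An empty string in sys.path means "the current working directory".
        return "empty entry (current working directory)"
    if not os.path.isabs(entry):
        # Relative entries are resolved against the cwd at import time.
        return "relative entry (resolved against the cwd)"
    if os.path.realpath(entry) == os.path.realpath(cwd):
        # Conservative policy chosen for this example: drop the cwd itself.
        return "absolute entry equal to the cwd"
    return None


def sanitize_path(entries, cwd=None):
    """Split entries into (kept, dropped); dropped holds (entry, reason) pairs."""
    cwd = os.getcwd() if cwd is None else cwd
    kept, dropped = [], []
    for entry in entries:
        reason = classify_entry(entry, cwd)
        if reason is None:
            kept.append(entry)
        else:
            dropped.append((entry, reason))
    return kept, dropped


def demo():
    # Constructed sample: a search path as an embedding host might end up
    # with after start-up, with the working directory reachable four ways.
    workdir = tempfile.mkdtemp()
    sample = ["", "/usr/lib/python2.5", ".", "scripts", workdir,
              "/usr/share/blender/scripts"]
    return sanitize_path(sample, cwd=workdir)


if __name__ == "__main__":
    kept, dropped = demo()
    for entry, reason in dropped:
        print("dropped %r: %s" % (entry, reason))
    print("kept:", kept)
```

An embedding application would assign the kept list back to sys.path before importing any module.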

Comment 2 Fedora Update System 2008-11-03 17:27:15 UTC
blender-2.48a-4.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/blender-2.48a-4.fc9

Comment 3 Fedora Update System 2008-11-03 17:45:27 UTC
blender-2.48a-4.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/blender-2.48a-4.fc8

Comment 4 Fedora Update System 2008-11-12 02:54:22 UTC
blender-2.48a-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2008-11-12 03:01:26 UTC
blender-2.48a-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Chris Schanzle 2008-11-12 15:22:07 UTC
Could the EPEL 5 version be updated also?  Its version is blender-2.45-13.el5.  Much appreciated!  [Sorry if this is not the appropriate place to request.]

Comment 7 Jochen Schmitt 2008-11-13 16:28:53 UTC
Should be fixed in blender-2.45a-14.el5

Comment 8 Chris Schanzle 2008-11-20 16:44:40 UTC
When is blender-2.45a-14.el5 expected in EPEL?  (don't mean to be a nag, just curious)

Comment 9 Jochen Schmitt 2008-11-20 17:44:20 UTC
Sorry, it should be blender-2.45-14.el5. I have checked for existence of the package in the testing part of the EL-5 repository.

Comment 10 Tomas Hoger 2008-11-26 09:07:07 UTC
blender-2.48a-4.fc10 did not make it to F10 before freeze, so will need to be submitted as update via bodhi.

Comment 11 Fedora Update System 2008-11-26 15:10:29 UTC
blender-2.48a-4.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/blender-2.48a-4.fc10

Comment 12 Fedora Update System 2008-12-03 01:30:34 UTC
blender-2.48a-4.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.