Bug 533395 (CVE-2009-3850)

Summary: CVE-2009-3850 Blender: Arbitrary code execution via malicious .blend file
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jochen, sebastian, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.coresecurity.com/content/blender-scripting-injection
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-29 07:01:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 541997, 851773    
Bug Blocks:    

Description Jan Lieskovsky 2009-11-06 15:45:11 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3850 to
the following vulnerability:

Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to
execute arbitrary code via a .blend file that contains Python
statements in the onLoad action of a ScriptLink SDNA.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3850
http://www.securityfocus.com/archive/1/archive/1/507706/100/0/threaded
http://www.coresecurity.com/content/blender-scripting-injection
http://www.securityfocus.com/bid/36838

Upstream patch:
---------------
Not available, see above thread, when searching
for patch addressing the issue.
Comment 1 Jan Lieskovsky 2009-11-06 15:50:57 UTC 
This issue affects the versions of the Blender package, as shipped with
Fedora release of 10, 11 and as scheduled to appear in Fedora 12.

This issue might potentially affect the version of the Blender package,
as shipped within Extra Packages for Enterprise Linux 5 (EPEL-5) project.

Jochen, once the upstream patch is available, please schedule Fedora
and EPEL Blender updates.
Comment 3 Sebastian Pipping 2011-04-20 19:31:25 UTC 
Please have a look at my report and patch proposal over at <https://bugs.gentoo.org/show_bug.cgi?id=293130#c5>.  Review by Red Hat security would be welcome.
Comment 4 Jan Lieskovsky 2011-04-21 09:55:11 UTC 
(In reply to comment #3)

Hello Sebastian,

  thank you for your work on this one and for your proposal.

> Please have a look at my report and patch proposal over at
> <https://bugs.gentoo.org/show_bug.cgi?id=293130#c5>.  Review by Red Hat
> security would be welcome.

Have you tried to contact Blender upstream with your patch proposal?
What was their feedback / opinion on this?

Thank you, Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 5 Sebastian Pipping 2011-04-21 10:48:40 UTC 
(In reply to comment #4)
> Have you tried to contact Blender upstream with your patch proposal?

When asking for the developer mailing list in #blender it was proposed to go to #blendercoders.  There I talked to Campbell Barton (the Python API maintainer).


> What was their feedback / opinion on this?

As I understood him, flipping the default to no-scripts-by-default has been discussed before and is not likely to happen in the official builds.
He pointed me to this discussion <http://markmail.org/message/cu2xdhngcudl27cr>.
Comment 6 Sebastian Pipping 2011-04-21 10:53:54 UTC 
PS: I should mention what upstream did is they added a checkbox "Trusted source" to Blender 2.5x.  With that checkbox unchecked embedded scripts are not executed.  Here again the problem are the defaults: script execution enabled.
Comment 7 Sebastian Pipping 2011-04-24 18:02:53 UTC 
There is a separate bug with patch for Blender 2.57 now that you may also be interested in: <https://bugs.gentoo.org/show_bug.cgi?id=364291>. Review welcome as always.
Comment 8 Vincent Danen 2011-06-17 21:36:44 UTC 
This still affects current Fedora releases (only rawhide has 2.57b, the rest have the vulnerable 2.49b).
Comment 9 Sebastian Pipping 2011-06-17 23:02:12 UTC 
FYI to my best knowledge 2.57b is vulnerable, too.
Comment 10 Vincent Danen 2011-06-20 16:39:27 UTC 
Oh, I thought that it had been corrected upstream already, but perhaps I misunderstood or misread something.  Then we would need patches on all branches if that is indeed the case.
Comment 11 Sebastian Pipping 2011-06-20 19:41:03 UTC 
(In reply to comment #10)
> Oh, I thought that it had been corrected upstream already, but perhaps I
> misunderstood or misread something.

There has been related post-2.57 patches but upstream and I have been in disagreement on the goal to patch to.  The question is how much if users should be prevented to shoot themselves in the foot.


> Then we would need patches on all branches
> if that is indeed the case.

For now we have:
- 2.49b
- 2.57

Outstanding are:
- 2.57b

Anything else?  What's the complete list?
Comment 12 Vincent Danen 2011-06-21 17:03:04 UTC 
We don't have 2.57 unless it's in testing somewhere:

Fedora-13: http://koji.fedoraproject.org/packages/blender/2.49b/11.fc13
Fedora-14: http://koji.fedoraproject.org/packages/blender/2.49b/13.fc14
Fedora-15: http://koji.fedoraproject.org/packages/blender/2.49b/15.fc15
Fedora-Rawhide: http://koji.fedoraproject.org/packages/blender/2.57b/5.fc16
EPEL-5: http://koji.fedoraproject.org/packages/blender/2.49b/9.el5
Comment 13 Vincent Danen 2012-08-25 16:10:41 UTC 
This is fixed in Fedora now, but sadly it's not at all resolved in EPEL:

fedora:16/blender-2.59-5.fc16
fedora:17/blender-2.63a-2.fc17
fedora:epel:5/blender-2.49b-9.el5
fedora:epel:6/blender-2.49b-8.el6
Comment 14 Vincent Danen 2012-08-25 16:15:12 UTC 
Created blender tracking bugs for this issue

Affects: epel-all [bug 851773]