Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2009-3850 Blender: Arbitrary code execution via malicious .blend file|
|Product:||[Other] Security Response||Reporter:||Jan Lieskovsky <jlieskov>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||NEW ---||QA Contact:|
|Version:||unspecified||CC:||jochen, sebastian, vdanen|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||851773, 541997|
Description Jan Lieskovsky 2009-11-06 10:45:11 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3850 to the following vulnerability: Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute arbitrary code via a .blend file that contains Python statements in the onLoad action of a ScriptLink SDNA. References: ----------- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3850 http://www.securityfocus.com/archive/1/archive/1/507706/100/0/threaded http://www.coresecurity.com/content/blender-scripting-injection http://www.securityfocus.com/bid/36838 Upstream patch: --------------- Not available, see above thread, when searching for patch addressing the issue.
Comment 1 Jan Lieskovsky 2009-11-06 10:50:57 EST
This issue affects the versions of the Blender package, as shipped with Fedora release of 10, 11 and as scheduled to appear in Fedora 12. This issue might potentially affect the version of the Blender package, as shipped within Extra Packages for Enterprise Linux 5 (EPEL-5) project. Jochen, once the upstream patch is available, please schedule Fedora and EPEL Blender updates.
Comment 3 Sebastian Pipping 2011-04-20 15:31:25 EDT
Please have a look at my report and patch proposal over at <https://bugs.gentoo.org/show_bug.cgi?id=293130#c5>. Review by Red Hat security would be welcome.
Comment 4 Jan Lieskovsky 2011-04-21 05:55:11 EDT
(In reply to comment #3) Hello Sebastian, thank you for your work on this one and for your proposal. > Please have a look at my report and patch proposal over at > <https://bugs.gentoo.org/show_bug.cgi?id=293130#c5>. Review by Red Hat > security would be welcome. Have you tried to contact Blender upstream with your patch proposal? What was their feedback / opinion on this? Thank you, Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 5 Sebastian Pipping 2011-04-21 06:48:40 EDT
(In reply to comment #4) > Have you tried to contact Blender upstream with your patch proposal? When asking for the developer mailing list in #blender it was proposed to go to #blendercoders. There I talked to Campbell Barton (the Python API maintainer). > What was their feedback / opinion on this? As I understood him, flipping the default to no-scripts-by-default has been discussed before and is not likely to happen in the official builds. He pointed me to this discussion <http://markmail.org/message/cu2xdhngcudl27cr>.
Comment 6 Sebastian Pipping 2011-04-21 06:53:54 EDT
PS: I should mention what upstream did is they added a checkbox "Trusted source" to Blender 2.5x. With that checkbox unchecked embedded scripts are not executed. Here again the problem are the defaults: script execution enabled.
Comment 7 Sebastian Pipping 2011-04-24 14:02:53 EDT
There is a separate bug with patch for Blender 2.57 now that you may also be interested in: <https://bugs.gentoo.org/show_bug.cgi?id=364291>. Review welcome as always.
Comment 8 Vincent Danen 2011-06-17 17:36:44 EDT
This still affects current Fedora releases (only rawhide has 2.57b, the rest have the vulnerable 2.49b).
Comment 9 Sebastian Pipping 2011-06-17 19:02:12 EDT
FYI to my best knowledge 2.57b is vulnerable, too.
Comment 10 Vincent Danen 2011-06-20 12:39:27 EDT
Oh, I thought that it had been corrected upstream already, but perhaps I misunderstood or misread something. Then we would need patches on all branches if that is indeed the case.
Comment 11 Sebastian Pipping 2011-06-20 15:41:03 EDT
(In reply to comment #10) > Oh, I thought that it had been corrected upstream already, but perhaps I > misunderstood or misread something. There has been related post-2.57 patches but upstream and I have been in disagreement on the goal to patch to. The question is how much if users should be prevented to shoot themselves in the foot. > Then we would need patches on all branches > if that is indeed the case. For now we have: - 2.49b - 2.57 Outstanding are: - 2.57b Anything else? What's the complete list?
Comment 12 Vincent Danen 2011-06-21 13:03:04 EDT
We don't have 2.57 unless it's in testing somewhere: Fedora-13: http://koji.fedoraproject.org/packages/blender/2.49b/11.fc13 Fedora-14: http://koji.fedoraproject.org/packages/blender/2.49b/13.fc14 Fedora-15: http://koji.fedoraproject.org/packages/blender/2.49b/15.fc15 Fedora-Rawhide: http://koji.fedoraproject.org/packages/blender/2.57b/5.fc16 EPEL-5: http://koji.fedoraproject.org/packages/blender/2.49b/9.el5
Comment 13 Vincent Danen 2012-08-25 12:10:41 EDT
This is fixed in Fedora now, but sadly it's not at all resolved in EPEL: fedora:16/blender-2.59-5.fc16 fedora:17/blender-2.63a-2.fc17 fedora:epel:5/blender-2.49b-9.el5 fedora:epel:6/blender-2.49b-8.el6