Bug 176632 - Blender 2.41 is out, CVE-2005-4470
Summary: Blender 2.41 is out, CVE-2005-4470
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: blender
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jochen Schmitt
QA Contact: Fedora Extras Quality Assurance
URL: http://www.blender.org/cms/Blender.31...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-12-28 01:57 UTC by Luya Tshimbalanga
Modified: 2007-11-30 22:11 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-02-22 18:14:20 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
blender debug using yafray-0.8 (2.79 KB, text/plain)
2006-01-31 04:51 UTC, Luya Tshimbalanga
no flags Details
blender backtrace (3.69 KB, text/plain)
2006-02-01 11:03 UTC, Luya Tshimbalanga
no flags Details

Description Luya Tshimbalanga 2005-12-28 01:57:20 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051216 Fedora/1.5-3 Firefox/1.5

Description of problem:
Can someone update Blender to 2.40 and include multilangual support as well

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.
2.
3.
  

Additional info:

Comment 1 Ville Skyttä 2006-01-08 09:57:03 UTC
Versions before 2.40 also have buffer overflow vulnerabilities:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4470


Comment 2 Jochen Schmitt 2006-01-24 17:18:28 UTC
Hello,

becouse I will be the new maintainer of blender, I have create a package for
version 2.40.

Best Regards:

Jochen Schmitt

Comment 3 Luya Tshimbalanga 2006-01-24 23:11:11 UTC
I noticed that version is out for Fedora Core 4 and will be available in
development. There is an odd issue related with the use of yafray,org (website
is currently down).
 Shall we close thise bug report?


Comment 4 Luya Tshimbalanga 2006-01-26 03:16:21 UTC
blender 2.41 is just released.
http://www.blender3d.org/cms/Blender_2_41.731.0.html

Comment 5 Jochen Schmitt 2006-01-29 20:02:32 UTC
Hello,

I'm build 2.41 noew. Can you tell me more about your odd issue related withe the
use of yafray.org.

Perhaps, I may able to reproduced your issue.

Best Regards:

Jochen Schmitt

Comment 6 Luya Tshimbalanga 2006-01-30 00:36:02 UTC
yafray.org issues happened when rendering a complex object with more effects.
When rendering a simple cube with a spot light, there is no problem. However,
when I added effects such as ray-tracing, transparencies and more with 
yafray engine, Blender will crash. I think the problem is with 
the additional sources from the spec file.
 I have no problem rendering yafray on other OS like Windows XP.

Comment 7 Luya Tshimbalanga 2006-01-31 04:51:40 UTC
Created attachment 123896 [details]
blender debug using yafray-0.8

Reproduction of problem of rendering using yafray.
yafray.org. Perhpas someone should contact the author
about that issue on Fedora.

Comment 8 Jochen Schmitt 2006-01-31 17:02:30 UTC
Can you create a backtrace for the test from attachment #123896 [details]. I think in the
backtrace you may determinate the source of the failure.

AFAIK yafray is a seperate plugin for blender, so from my point of view it's
important to know which package is responsible for the failure.

Best Regards:

Jochen Schmitt 

Comment 9 Jochen Schmitt 2006-01-31 18:00:24 UTC
Becouse yafray is a seperate package, I have create a RPM for Fedora Extras and
uploaded it to:

http://www.herr-schmitt.de/pub/yafray/

It will be nice, if you may download this package and test it. Aspecialy, it may
be nice, if you can test your complaint issue.

Best Regards:

Jochen Schmitt

Comment 10 Luya Tshimbalanga 2006-02-01 11:03:24 UTC
Created attachment 123953 [details]
blender backtrace

Here is the backtrace using the original yafray package.

Comment 11 Luya Tshimbalanga 2006-02-01 11:18:14 UTC
Apparently the problem can be reproduced by setting z transparency,
disable xml in Yafray rendering, set YafrayGI with Full method and any quality.

Comment 12 Michael Schwendt 2006-02-01 12:08:28 UTC
> (no debugging symbols found)

Not helpful. Please take a look at http://fedoraproject.org/wiki/StackTraces
enable the "debug" repository and install the missing -debuginfo packages.
For packages you rpmbuild manually, you should install these -debuginfo
packages, too.

Comment 13 Luya Tshimbalanga 2006-02-01 22:42:22 UTC
Comment on attachment 123953 [details]
blender backtrace

$ gdb blender
GNU gdb Red Hat Linux (6.3.0.0-1.98rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) run
Starting program: /usr/bin/blender
Reading symbols from shared object read from target memory...(no debugging
symbols found)...done.
Loaded system supplied DSO at 0xd6b000
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1209009984 (LWP 22535)]
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
---Type <return> to continue, or q <return> to quit---
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
Using Python version 2.4
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
Starting scene conversion.
Scene conversion done.
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
Loading plugins ...
YafRay plugin loaded
Image initialized
Zbuffer initialized
[Warning]: Unknown shader type blendershader
[Error]: undefined shader MAMaterial object ignored
[WARNING]:Unused param cast_shadows in light
[WARNING]:Unused param color in light
[WARNING]:Unused param from in light
[WARNING]:Unused param glow_intensity in light
[WARNING]:Unused param glow_offset in light
[WARNING]:Unused param glow_type in light
[WARNING]:Unused param power in light
[WARNING]:Unused param caus_depth in light
[WARNING]:Unused param depth in light
[WARNING]:Unused param power in light
[WARNING]:Unused param samples in light
[Warning]: Wrong type for background constant
[Loader]: Added camera MAINCAM
Using a world resolution of 0.00114286 per unit
Rendering with 5 raydepth
2 anti-alias passes and 4 minimum samples per pass, 8 samples total.
[Warning]: Background world_background does not exist
Building bounding tree ... OK
Light setup ...
Setting up lights ...
Finished setting up lights

Launching 1 threads

Render pass: [*** glibc detected *** /usr/bin/blender: munmap_chunk(): invalid
pointer: 0x0a58d088 ***
======= Backtrace: =========
/lib/libc.so.6(__libc_free+0x17b)[0x20ff4f]
/usr/lib/libstdc++.so.6(_ZdlPv+0x21)[0x3547c09]
/usr/bin/blender(_ZNSt6vectorIfSaIfEE14_M_fill_insertEN9__gnu_cxx17__normal_ite
ratorIPfS1_EEjRKf+0xc8)[0x8365cb8]
/usr/lib/libyafraycore.so(_ZN6yafray14blockSpliter_t7getAreaERNS_12renderArea_t
E+0x199)[0x467f61]
======= Memory map: ========
00111000-00137000 r-xp 00000000 fd:00 1511789	 /usr/lib/libyafrayplugin.so
00137000-00138000 rwxp 00026000 fd:00 1511789	 /usr/lib/libyafrayplugin.so
00185000-00187000 r-xp 00000000 fd:00 1509716	 /usr/lib/libXau.so.6.0.0
00187000-00188000 rwxp 00001000 fd:00 1509716	 /usr/lib/libXau.so.6.0.0
0018c000-001a5000 r-xp 00000000 fd:00 720904	 /lib/ld-2.3.90.so
001a5000-001a6000 r-xp 00018000 fd:00 720904	 /lib/ld-2.3.90.so
001a6000-001a7000 rwxp 00019000 fd:00 720904	 /lib/ld-2.3.90.so
001a9000-002ca000 r-xp 00000000 fd:00 720922	 /lib/libc-2.3.90.so
002ca000-002cc000 r-xp 00121000 fd:00 720922	 /lib/libc-2.3.90.so
002cc000-002cd000 rwxp 00123000 fd:00 720922	 /lib/libc-2.3.90.so
002cd000-002d0000 rwxp 002cd000 00:00 0
002d2000-002f5000 r-xp 00000000 fd:00 720952	 /lib/libm-2.3.90.so
002f5000-002f6000 r-xp 00022000 fd:00 720952	 /lib/libm-2.3.90.so
002f6000-002f7000 rwxp 00023000 fd:00 720952	 /lib/libm-2.3.90.so
002f9000-002fb000 r-xp 00000000 fd:00 720930	 /lib/libdl-2.3.90.so
002fb000-002fc000 r-xp 00001000 fd:00 720930	 /lib/libdl-2.3.90.so
002fc000-002fd000 rwxp 00002000 fd:00 720930	 /lib/libdl-2.3.90.so
002ff000-00311000 r-xp 00000000 fd:00 1527459	 /usr/lib/libz.so.1.2.3
00311000-00312000 rwxp 00011000 fd:00 1527459	 /usr/lib/libz.so.1.2.3
00314000-00319000 r-xp 00000000 fd:00 1511266	 /usr/lib/libXdmcp.so.6.0.0
00319000-0031a000 rwxp 00004000 fd:00 1511266	 /usr/lib/libXdmcp.so.6.0.0
0031c000-00410000 r-xp 00000000 fd:00 1513730	 /usr/lib/libX11.so.6.2.0
00410000-00414000 rwxp 000f4000 fd:00 1513730	 /usr/lib/libX11.so.6.2.0
0042c000-00431000 r-xp 00000000 fd:00 1521940	 /usr/lib/libartsc.so.0.0.0
00431000-00432000 rwxp 00004000 fd:00 1521940	 /usr/lib/libartsc.so.0.0.0
00434000-00437000 r-xp 00000000 fd:00 1520199	
/usr/lib/libgmodule-2.0.so.0.902.3
00437000-00438000 rwxp 00002000 fd:00 1520199	
/usr/lib/libgmodule-2.0.so.0.902.3
00438000-0049a000 r-xp 00000000 fd:00 1512487	 /usr/lib/libyafraycore.so
0049a000-004a1000 rwxp 00061000 fd:00 1512487	 /usr/lib/libyafraycore.so
004a1000-004a2000 rwxp 004a1000 00:00 0
004a8000-004ad000 r-xp 00000000 fd:00 1520434	 /usr/lib/libogg.so.0.5.3
004ad000-004ae000 rwxp 00004000 fd:00 1520434	 /usr/lib/libogg.so.0.5.3
004f2000-004f6000 r-xp 00000000 fd:00 1523848	 /usr/lib/libXfixes.so.3.0.0
004f6000-004f7000 rwxp 00003000 fd:00 1523848	 /usr/lib/libXfixes.so.3.0.0
004fc000-0050a000 r-xp 00000000 fd:00 721058	 /lib/libpthread-2.3.90.so
0050a000-0050b000 r-xp 0000d000 fd:00 721058	 /lib/libpthread-2.3.90.so
0050b000-0050c000 rwxp 0000e000 fd:00 721058	 /lib/libpthread-2.3.90.so
0050c000-0050e000 rwxp 0050c000 00:00 0
00532000-00598000 r-xp 00000000 fd:00 1527461	 /usr/lib/libfreetype.so.6.3.8
00598000-0059b000 rwxp 00066000 fd:00 1527461	 /usr/lib/libfreetype.so.6.3.8
005a3000-005c8000 r-xp 00000000 fd:00 1527460	 /usr/lib/libpng12.so.0.1.2.8
005c8000-005c9000 rwxp 00025000 fd:00 1527460	 /usr/lib/libpng12.so.0.1.2.8
00615000-0061c000 r-xp 00000000 fd:00 1520441	
/usr/lib/libvorbisfile.so.3.1.10061c000-0061d000 rwxp 00006000 fd:00 1520441   
/usr/lib/libvorbisfile.so.3.1.100621000-00628000 r-xp 00000000 fd:00 1518128   
/usr/lib/libdrm.so.2.0.0
00628000-00629000 rwxp 00006000 fd:00 1518128	 /usr/lib/libdrm.so.2.0.0
0062c000-00635000 r-xp 00000000 fd:00 1523852	 /usr/lib/libXcursor.so.1.0.2
00635000-00636000 rwxp 00008000 fd:00 1523852	 /usr/lib/libXcursor.so.1.0.2
00636000-006bb000 r-xp 00000000 fd:00 1511814	 /usr/lib/libIlmImf.so.2.0.2
006bb000-006be000 rwxp 00084000 fd:00 1511814	 /usr/lib/libIlmImf.so.2.0.2
00773000-0078f000 r-xp 00000000 fd:00 1520435	 /us
Program received signal SIGABRT, Aborted.
[Switching to Thread -1209009984 (LWP 22535)]
---Type <return> to continue, or q <return> to quit---
0x00d6b402 in __kernel_vsyscall ()
(gdb) thread apply all bt

Thread 1 (Thread -1209009984 (LWP 22535)):
#0  0x00d6b402 in __kernel_vsyscall ()
#1  0x001d1079 in raise () from /lib/libc.so.6
#2  0x001d2613 in abort () from /lib/libc.so.6
#3  0x0020557b in __libc_message () from /lib/libc.so.6
#4  0x0020ff4f in free () from /lib/libc.so.6
#5  0x03547c09 in operator delete () from /usr/lib/libstdc++.so.6
#6  0x08365cb8 in std::vector<float, std::allocator<float> >::_M_fill_insert ()
#7  0x00467f61 in yafray::blockSpliter_t::getArea ()
   from /usr/lib/libyafraycore.so
#8  0x00472b3c in yafray::threadedscene_t::render ()
   from /usr/lib/libyafraycore.so
#9  0x001200bd in yafray::interfaceImpl_t::render ()
   from /usr/lib/libyafrayplugin.so
#10 0x0829e5e0 in yafrayPluginRender_t::writeRender ()
#11 0x082805e3 in yafrayRender_t::exportScene ()
#12 0x0827dc19 in YAF_exportScene ()
#13 0x082566b9 in render ()
#14 0x08258a9b in RE_initrender ()
#15 0x081955a1 in BIF_toggle_render_display ()
#16 0x08195688 in BIF_do_render ()
#17 0x081a8de8 in scrarea_do_winhandle ()
---Type <return> to continue, or q <return> to quit---
#18 0x0813941d in screenmain ()
#19 0x0810d8b2 in main ()
(gdb)

Comment 14 Luya Tshimbalanga 2006-02-08 07:47:39 UTC
Just updated blender. I report the same problem using yafray (including your
built) listed on comment #13

Comment 15 Jochen Schmitt 2006-02-08 17:28:05 UTC
I have looked on www.yafray.org.

At the bug tracker I have found Bug #2828 where a issue was reported which
sounds like the issue discussed in this bug.

After I have read a tutorial about yafray, I was able to test the yafray
integration on my machine. I was able to call the yafray rendering engine. 

Unfortunately, I have got a blank scrennt but not a crash.

Best Regards:

Jocheh Schmitt

Comment 16 Luya Tshimbalanga 2006-02-08 17:57:58 UTC
Blank screen means you have XML enabled on Yafray tab. Disable it. On Yafray GI,
set Method to Full and choose any Qualtiy scene (for example Low). Voila,
Blender will exit.

Comment 17 Jochen Schmitt 2006-02-09 15:36:22 UTC
I have toggle the XML-Button. The result is, that I will get a blank screen but
not a crash.

Best Regards:

Jochen Schmitt

Comment 18 Dennis Gilmore 2006-02-22 04:20:53 UTC
this bug should be closed  the initial report is resolved.  the second issue 
should be its own bug.  this makes searching easier. 

Comment 19 Jochen Schmitt 2006-02-22 18:14:20 UTC
OK. But now yafray is not a package in Fedora Extras.

Comment 20 Jochen Schmitt 2006-02-22 18:20:10 UTC
I have created #182460 which points to this bug for futher information.


Note You need to log in before you can comment on or make changes to this bug.