Bug 469655 (CVE-2008-4863) - CVE-2008-4863 blender: untrusted python modules search path
Summary: CVE-2008-4863 blender: untrusted python modules search path
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-4863
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-11-03 09:27 UTC by Tomas Hoger
Modified: 2019-09-29 12:26 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-12-03 07:30:04 UTC
Embargoed:

Attachments (Terms of Use)

Description Tomas Hoger 2008-11-03 09:27:52 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4863 to the following vulnerability:

Untrusted search path vulnerability in BPY_interface in Blender 2.46
allows local users to execute arbitrary code via a Trojan horse Python
file in the current working directory, related to an erroneous setting
of sys.path by the PySys_SetArgv function.

References:
http://www.openwall.com/lists/oss-security/2008/10/27/1
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503632
Comment 1 Tomas Hoger 2008-11-03 09:29:40 UTC 
Proposed patch that sanitizes sys.path before loading modules is attached in the Debian bug report:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503632#10
Comment 2 Fedora Update System 2008-11-03 17:27:15 UTC 
blender-2.48a-4.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/blender-2.48a-4.fc9
Comment 3 Fedora Update System 2008-11-03 17:45:27 UTC 
blender-2.48a-4.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/blender-2.48a-4.fc8
Comment 4 Fedora Update System 2008-11-12 02:54:22 UTC 
blender-2.48a-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2008-11-12 03:01:26 UTC 
blender-2.48a-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Chris Schanzle 2008-11-12 15:22:07 UTC 
Could the EPEL 5 version be updated also?  It's version is blender-2.45-13.el5.  Much appreciated!  [Sorry if this is not the appropriate place to request.]
Comment 7 Jochen Schmitt 2008-11-13 16:28:53 UTC 
Should be fixed in blender-2.45a-14.el5
Comment 8 Chris Schanzle 2008-11-20 16:44:40 UTC 
When is blender-2.45a-14.el5 expected in EPEL?  (don't mean to be a nag, just curious)
Comment 9 Jochen Schmitt 2008-11-20 17:44:20 UTC 
Sorry, It should be blender-2.45-14.el5. I have checked for existance of the package in the testing part of the EL-5 repository.
Comment 10 Tomas Hoger 2008-11-26 09:07:07 UTC 
blender-2.48a-4.fc10 did not make it to F10 before freeze, so will need to be submitted as update via bodhi.
Comment 11 Fedora Update System 2008-11-26 15:10:29 UTC 
blender-2.48a-4.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/blender-2.48a-4.fc10
Comment 12 Fedora Update System 2008-12-03 01:30:34 UTC 
blender-2.48a-4.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Red Hat Product Security 2008-12-03 07:30:04 UTC 
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10448
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9411
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9447
Note You need to log in before you can comment on or make changes to this bug.