Red Hat Bugzilla – Bug 469655
CVE-2008-4863 blender: untrusted python modules search path
Last modified: 2008-12-03 02:30:04 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-4863 to the following vulnerability:
Untrusted search path vulnerability in BPY_interface in Blender 2.46
allows local users to execute arbitrary code via a Trojan horse Python
file in the current working directory, related to an erroneous setting
of sys.path by the PySys_SetArgv function.
Proposed patch that sanitizes sys.path before loading modules is attached in the Debian bug report:
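As an added illustration (not the Debian patch referenced above, and not Blender's own code): a Python model of the search-path problem and the kind of cleanup that closes it. The path list, working directory and file set are constructed, and the resolver simulates the first-match import lookup instead of touching the filesystem.

```python
import os
import sys

# Constructed model of an embedded interpreter's sys.path after
# PySys_SetArgv("blender"): CPython prepends the directory part of argv[0],
# which is "" (meaning the current directory) when argv[0] carries no path.
EMBEDDED_PATH = ["", "/usr/lib/python2.5", "/usr/lib/python2.5/site-packages"]


def untrusted_entries(search_path, cwd):
    """Entries that resolve to the current working directory: '', '.', any
    relative path, or the absolute cwd itself. With one of these ahead of
    the library directories, `import foo` is served by ./foo.py first."""
    cwd = os.path.normpath(cwd)
    bad = []
    for entry in search_path:
        if entry in ("", ".") or not os.path.isabs(entry):
            bad.append(entry)
        elif os.path.normpath(entry) == cwd:
            bad.append(entry)
    return bad


def sanitize_search_path(search_path, cwd):
    """Return search_path without cwd-equivalent entries or duplicates,
    preserving order (the cleanup to run before any module is loaded)."""
    drop = set(untrusted_entries(search_path, cwd))
    seen, clean = set(), []
    for entry in search_path:
        if entry in drop or entry in seen:
            continue
        seen.add(entry)
        clean.append(entry)
    return clean


def resolve_module(name, search_path, cwd, exists):
    """Simulate `import name`: first directory holding name.py wins.
    `exists` is injected so the demo needs no real files."""
    for entry in search_path:
        candidate = os.path.join(entry or cwd, name + ".py")
        if exists(candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed filesystem: a user-writable scene directory holds an os.py
    # beside the genuine stdlib copy; only the sanitized path finds the latter.
    files = {"/home/user/scene/os.py", "/usr/lib/python2.5/os.py"}
    cwd = "/home/user/scene"
    print("raw:", resolve_module("os", EMBEDDED_PATH, cwd, files.__contains__))
    print("clean:", resolve_module("os", sanitize_search_path(EMBEDDED_PATH, cwd), cwd, files.__contains__))
    print("this interpreter:", untrusted_entries(sys.path, os.getcwd()))
```

The last print line audits the running interpreter, which is the quick check an administrator can run against any embedded Python host.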
blender-2.48a-4.fc9 has been submitted as an update for Fedora 9.
blender-2.48a-4.fc8 has been submitted as an update for Fedora 8.
blender-2.48a-4.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
blender-2.48a-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Could the EPEL 5 version be updated also? Its version is blender-2.45-13.el5. Much appreciated! [Sorry if this is not the appropriate place to request.]
Should be fixed in blender-2.45a-14.el5
When is blender-2.45a-14.el5 expected in EPEL? (don't mean to be a nag, just curious)
Sorry, it should be blender-2.45-14.el5. I have checked for existence of the package in the testing part of the EL-5 repository.
blender-2.48a-4.fc10 did not make it to F10 before freeze, so will need to be submitted as update via bodhi.
blender-2.48a-4.fc10 has been submitted as an update for Fedora 10.
blender-2.48a-4.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: