Red Hat Bugzilla – Bug 533395
CVE-2009-3850 Blender: Arbitrary code execution via malicious .blend file
Last modified: 2012-08-25 12:15:12 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3850 to
the following vulnerability:
Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to
execute arbitrary code via a .blend file that contains Python
statements in the onLoad action of a ScriptLink SDNA.
Not available; see the thread above when searching
for a patch addressing the issue.
This issue affects the versions of the Blender package as shipped with
Fedora releases 10 and 11, and as scheduled to appear in Fedora 12.
This issue might potentially affect the version of the Blender package,
as shipped within Extra Packages for Enterprise Linux 5 (EPEL-5) project.
Jochen, once the upstream patch is available, please schedule Fedora
and EPEL Blender updates.
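The CVE text above describes the delivery mechanism: a .blend file carries Python in a Text datablock, and a ScriptLink's onLoad action runs it when the file is opened. The following is an added triage scanner, not code from Blender or from anyone in this thread. It walks the .blend file-block table (12-byte "BLENDER" header, then per-block headers of code, size, old address, SDNA index and count, ending at "ENDB") and reports embedded Text datablocks (ID code "TX"). It deliberately does not decode the DNA1 catalogue, so it cannot resolve whether a ScriptLink actually points at a Text block; the sample file it builds is constructed for the demonstration and is not a real Blender export.

```python
"""Offline triage for .blend files: walk the file-block table and flag embedded
Text datablocks, the container that embedded Python scripts live in.
Added example for this bug thread; not Blender project code.
"""
import gzip
import struct
from typing import List, NamedTuple, Tuple


class BlendBlock(NamedTuple):
    code: str        # block code with trailing NULs stripped, e.g. "TX", "DNA1"
    size: int        # payload length in bytes
    sdna_index: int  # index into the DNA1 struct catalogue
    count: int       # number of structs stored in the payload


def _inflate(data: bytes) -> bytes:
    """Blender can save gzip-compressed .blend files; undo that first."""
    return gzip.decompress(data) if data[:2] == b"\x1f\x8b" else data


def is_blend(data: bytes) -> bool:
    """Check the 12-byte header: 'BLENDER', pointer size, endianness, version."""
    data = _inflate(data)
    return (len(data) >= 12 and data[:7] == b"BLENDER"
            and data[7:8] in (b"_", b"-") and data[8:9] in (b"v", b"V"))


def parse_blend(data: bytes) -> Tuple[str, int, List[BlendBlock]]:
    """Return (version, pointer_size, blocks) from the header and block headers.

    Header: "BLENDER", pointer size ('_' = 4 bytes, '-' = 8), endianness
    ('v' = little, 'V' = big), three-character version such as "249".
    Block header: 4-byte code, int32 size, old memory address (pointer sized),
    int32 SDNA index, int32 count, followed by `size` payload bytes.
    The table ends at the block coded "ENDB".
    """
    data = _inflate(data)
    if not is_blend(data):
        raise ValueError("not a .blend file")
    ptr_size = 4 if data[7:8] == b"_" else 8
    endian = "<" if data[8:9] == b"v" else ">"
    version = data[9:12].decode("ascii")
    hdr_fmt = endian + "4si" + ("I" if ptr_size == 4 else "Q") + "ii"
    hdr_len = struct.calcsize(hdr_fmt)

    blocks: List[BlendBlock] = []
    off = 12
    while off + hdr_len <= len(data):
        raw_code, size, _old_addr, sdna, count = struct.unpack_from(hdr_fmt, data, off)
        code = raw_code.rstrip(b"\x00").decode("ascii", "replace")
        if code == "ENDB":
            return version, ptr_size, blocks
        # A size that runs past EOF is either truncation or a crafted header.
        if size < 0 or off + hdr_len + size > len(data):
            raise ValueError("truncated or malformed block %r at offset %d" % (code, off))
        blocks.append(BlendBlock(code, size, sdna, count))
        off += hdr_len + size
    raise ValueError("no ENDB block: file is truncated")


def embedded_text_blocks(data: bytes) -> List[BlendBlock]:
    """Text datablocks (ID code "TX") are where an embedded script is stored.

    A hit does not prove a ScriptLink's onLoad references one; resolving that
    needs the SDNA catalogue. Treat any hit as "open only with script execution
    disabled", not as a verdict.
    """
    return [b for b in parse_blend(data)[2] if b.code == "TX"]


def build_sample_blend(compressed: bool = False) -> bytes:
    """Constructed sample (not a real Blender export): 32-bit little-endian 2.49
    header, one Text block carrying a script body, a placeholder DNA1 block, ENDB.
    """
    def block(code: bytes, payload: bytes, sdna: int = 0, count: int = 1) -> bytes:
        return struct.pack("<4siIii", code, len(payload), 0xDEADBEEF, sdna, count) + payload

    body = b"import os\nos.system('id')\n"  # stand-in for a malicious onLoad script
    blend = (b"BLENDER_v249"
             + block(b"TX\x00\x00", body, sdna=7)
             + block(b"DNA1", b"SDNA")
             + block(b"ENDB", b"", count=0))
    return gzip.compress(blend) if compressed else blend


if __name__ == "__main__":
    sample = build_sample_blend()
    version, ptr_size, blocks = parse_blend(sample)
    print("version %s, %d-bit pointers, %d blocks" % (version, ptr_size * 8, len(blocks)))
    for hit in embedded_text_blocks(sample):
        print("embedded Text block: %d bytes, SDNA index %d" % (hit.size, hit.sdna_index))
```

Run it against a directory of untrusted .blend files before they reach an artist's workstation; anything that reports a Text block should be opened with script execution switched off (in 2.5x builds the Trusted source checkbox discussed later in this thread, or the `-Y` / `--disable-autoexec` command-line switch those builds carry). A 2.49b install has no such switch, which is the point of the bug.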
Please have a look at my report and patch proposal over at <https://bugs.gentoo.org/show_bug.cgi?id=293130#c5>. Review by Red Hat security would be welcome.
(In reply to comment #3)
thank you for your work on this one and for your proposal.
> Please have a look at my report and patch proposal over at
> <https://bugs.gentoo.org/show_bug.cgi?id=293130#c5>. Review by Red Hat
> security would be welcome.
Have you tried to contact Blender upstream with your patch proposal?
What was their feedback / opinion on this?
Thank you, Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
(In reply to comment #4)
> Have you tried to contact Blender upstream with your patch proposal?
When asking for the developer mailing list in #blender it was proposed to go to #blendercoders. There I talked to Campbell Barton (the Python API maintainer).
> What was their feedback / opinion on this?
As I understood him, flipping the default to no-scripts-by-default has been discussed before and is not likely to happen in the official builds.
He pointed me to this discussion <http://markmail.org/message/cu2xdhngcudl27cr>.
PS: I should mention what upstream did is they added a checkbox "Trusted source" to Blender 2.5x. With that checkbox unchecked, embedded scripts are not executed. Here again the problem is the defaults: script execution enabled.
There is a separate bug with patch for Blender 2.57 now that you may also be interested in: <https://bugs.gentoo.org/show_bug.cgi?id=364291>. Review welcome as always.
This still affects current Fedora releases (only rawhide has 2.57b, the rest have the vulnerable 2.49b).
FYI to my best knowledge 2.57b is vulnerable, too.
Oh, I thought that it had been corrected upstream already, but perhaps I misunderstood or misread something. Then we would need patches on all branches if that is indeed the case.
(In reply to comment #10)
> Oh, I thought that it had been corrected upstream already, but perhaps I
> misunderstood or misread something.
There have been related post-2.57 patches, but upstream and I have been in disagreement on the goal to patch to. The question is how much, if at all, users should be prevented from shooting themselves in the foot.
> Then we would need patches on all branches
> if that is indeed the case.
For now we have:
Anything else? What's the complete list?
We don't have 2.57 unless it's in testing somewhere:
This is fixed in Fedora now, but sadly it's not at all resolved in EPEL:
Created blender tracking bugs for this issue
Affects: epel-all [bug 851773]