Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3850 to the following vulnerability:

Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute arbitrary code via a .blend file that contains Python statements in the onLoad action of a ScriptLink SDNA.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3850
http://www.securityfocus.com/archive/1/archive/1/507706/100/0/threaded
http://www.coresecurity.com/content/blender-scripting-injection
http://www.securityfocus.com/bid/36838

Upstream patch:
---------------
Not available; see the above thread when searching for a patch addressing the issue.
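The vulnerability above hinges on a .blend file carrying a Text datablock that an onLoad ScriptLink runs when the file is opened. A defender triaging files before they reach a workstation with script auto-execution enabled can at least surface such embedded script containers. The following scanner is an added example written for this page; it is not code from the bug report, from Red Hat, or from Blender upstream. It assumes the documented .blend container layout (12-byte "BLENDER" header with pointer-size and endianness flags, then file blocks with a 4-char code, int32 length, old pointer, SDNA index and count, terminated by ENDB), that Text datablocks use the ID code "TX", and that a gzip-wrapped file is the same container compressed. It walks the block table only; locating the actual ScriptLink inside Object or Scene structs would require decoding the embedded SDNA, which this scanner deliberately does not do, so a hit means "contains embedded text/script data, review it", not "is malicious". The sample .blend bytes built by `build_sample` are constructed for the demonstration, not a real Blender save.

```python
"""Triage scanner for .blend files: reports embedded Text datablocks.

Added example for CVE-2009-3850 (not Blender's own code). Assumptions:
 - 12-byte header: b"BLENDER", pointer size ('_' = 4, '-' = 8),
   endianness ('v' = little, 'V' = big), 3-char version such as "249".
 - Each file block: 4-char code, int32 data length, old memory address
   (pointer-sized), int32 SDNA index, int32 count, then the data.
 - Text datablocks (the container for embedded Python) carry code "TX".
"""
import gzip
import struct
import sys
from dataclasses import dataclass

FILE_MAGIC = b"BLENDER"
TEXT_ID_CODE = b"TX\x00\x00"   # assumed ID code of Text datablocks
END_CODE = b"ENDB"


@dataclass
class BlendHeader:
    pointer_size: int
    little_endian: bool
    version: str


@dataclass
class FileBlock:
    code: bytes
    size: int
    old_address: int
    sdna_index: int
    count: int
    data_offset: int


def parse_header(data: bytes) -> BlendHeader:
    """Validate the fixed 12-byte file header and decode its layout flags."""
    if len(data) < 12 or data[:7] != FILE_MAGIC:
        raise ValueError("not a .blend file (bad magic)")
    ptr, endian = data[7:8], data[8:9]
    if ptr not in (b"_", b"-") or endian not in (b"v", b"V"):
        raise ValueError("malformed .blend header flags")
    return BlendHeader(pointer_size=4 if ptr == b"_" else 8,
                       little_endian=(endian == b"v"),
                       version=data[9:12].decode("ascii", "replace"))


def iter_blocks(data: bytes):
    """Yield every file block; bounds-check each length before trusting it."""
    hdr = parse_header(data)
    prefix = "<" if hdr.little_endian else ">"
    fmt = f"{prefix}4si{'I' if hdr.pointer_size == 4 else 'Q'}ii"
    hsize = struct.calcsize(fmt)
    pos = 12
    while pos + hsize <= len(data):
        code, size, addr, sdna, count = struct.unpack_from(fmt, data, pos)
        if size < 0 or pos + hsize + size > len(data):
            raise ValueError(f"block {code!r} at offset {pos} runs past end of file")
        yield FileBlock(code, size, addr, sdna, count, pos + hsize)
        if code == END_CODE:
            return
        pos += hsize + size
    raise ValueError("file truncated: no ENDB block")


def load_blend(raw: bytes) -> bytes:
    """Transparently unwrap a gzip-compressed save (same container inside)."""
    return gzip.decompress(raw) if raw[:2] == b"\x1f\x8b" else raw


def scan_blend(raw: bytes) -> dict:
    """Summarise a .blend: version, pointer size and embedded Text datablocks."""
    data = load_blend(raw)
    hdr = parse_header(data)
    text_blocks = [b for b in iter_blocks(data) if b.code == TEXT_ID_CODE]
    return {"version": hdr.version, "pointer_size": hdr.pointer_size,
            "text_blocks": len(text_blocks), "needs_review": bool(text_blocks)}


def build_sample(text_blocks: int, compress: bool = False) -> bytes:
    """Constructed minimal 32-bit little-endian '2.49' container for testing."""
    def block(code: bytes, payload: bytes) -> bytes:
        return struct.pack("<4siIii", code, len(payload), 0, 0, 1) + payload
    out = b"BLENDER_v249" + block(b"GLOB", b"\x00" * 16)
    out += b"".join(block(TEXT_ID_CODE, b"\x00" * 32) for _ in range(text_blocks))
    out += block(END_CODE, b"")
    return gzip.compress(out) if compress else out


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("demo:", scan_blend(build_sample(2)))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, scan_blend(fh.read()))
```

Run it with one or more .blend paths; with no arguments it scans a constructed two-text-block sample. Files flagged `needs_review` should be opened only with script auto-execution disabled until their Text datablocks have been inspected.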
This issue affects the versions of the Blender package as shipped with Fedora releases 10 and 11, and as scheduled to appear in Fedora 12. This issue might potentially affect the version of the Blender package as shipped within the Extra Packages for Enterprise Linux 5 (EPEL-5) project. Jochen, once the upstream patch is available, please schedule Fedora and EPEL Blender updates.
Please have a look at my report and patch proposal over at <https://bugs.gentoo.org/show_bug.cgi?id=293130#c5>. Review by Red Hat security would be welcome.
(In reply to comment #3)

Hello Sebastian,

thank you for your work on this one and for your proposal.

> Please have a look at my report and patch proposal over at
> <https://bugs.gentoo.org/show_bug.cgi?id=293130#c5>. Review by Red Hat
> security would be welcome.

Have you tried to contact Blender upstream with your patch proposal? What was their feedback / opinion on this?

Thank you, Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team
(In reply to comment #4)
> Have you tried to contact Blender upstream with your patch proposal?

When asking for the developer mailing list in #blender it was proposed to go to #blendercoders. There I talked to Campbell Barton (the Python API maintainer).

> What was their feedback / opinion on this?

As I understood him, flipping the default to no-scripts-by-default has been discussed before and is not likely to happen in the official builds. He pointed me to this discussion <http://markmail.org/message/cu2xdhngcudl27cr>.
PS: I should mention what upstream did: they added a checkbox "Trusted source" to Blender 2.5x. With that checkbox unchecked, embedded scripts are not executed. Here again the problem is the default: script execution is enabled.
There is a separate bug with patch for Blender 2.57 now that you may also be interested in: <https://bugs.gentoo.org/show_bug.cgi?id=364291>. Review welcome as always.
This still affects current Fedora releases (only rawhide has 2.57b, the rest have the vulnerable 2.49b).
FYI, to the best of my knowledge 2.57b is vulnerable, too.
Oh, I thought that it had been corrected upstream already, but perhaps I misunderstood or misread something. Then we would need patches on all branches if that is indeed the case.
(In reply to comment #10)
> Oh, I thought that it had been corrected upstream already, but perhaps I
> misunderstood or misread something.

There have been related post-2.57 patches, but upstream and I have been in disagreement on the goal to patch to. The question is how much users should be prevented from shooting themselves in the foot.

> Then we would need patches on all branches
> if that is indeed the case.

For now we have:
- 2.49b
- 2.57

Outstanding are:
- 2.57b

Anything else? What's the complete list?
We don't have 2.57 unless it's in testing somewhere:

Fedora-13: http://koji.fedoraproject.org/packages/blender/2.49b/11.fc13
Fedora-14: http://koji.fedoraproject.org/packages/blender/2.49b/13.fc14
Fedora-15: http://koji.fedoraproject.org/packages/blender/2.49b/15.fc15
Fedora-Rawhide: http://koji.fedoraproject.org/packages/blender/2.57b/5.fc16
EPEL-5: http://koji.fedoraproject.org/packages/blender/2.49b/9.el5
This is fixed in Fedora now, but sadly it's not at all resolved in EPEL:

fedora:16/blender-2.59-5.fc16
fedora:17/blender-2.63a-2.fc17
fedora:epel:5/blender-2.49b-9.el5
fedora:epel:6/blender-2.49b-8.el6
Created blender tracking bugs for this issue

Affects: epel-all [bug 851773]