Bug 533395 (CVE-2009-3850) - CVE-2009-3850 Blender: Arbitrary code execution via malicious .blend file
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2009-3850
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.coresecurity.com/content/b...
Whiteboard:
Depends On: 541997 851773
Blocks:
Reported: 2009-11-06 15:45 UTC by Jan Lieskovsky
Modified: 2021-10-20 10:22 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-29 07:01:21 UTC
Embargoed:



Description Jan Lieskovsky 2009-11-06 15:45:11 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3850 to
the following vulnerability:

Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to
execute arbitrary code via a .blend file that contains Python
statements in the onLoad action of a ScriptLink SDNA.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3850
http://www.securityfocus.com/archive/1/archive/1/507706/100/0/threaded
http://www.coresecurity.com/content/blender-scripting-injection
http://www.securityfocus.com/bid/36838

Upstream patch:
---------------
Not available, see above thread, when searching
for patch addressing the issue.
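
A triage check for the file type named in the description above, added here as an example; it is not part of this bug report or of Blender's code. It walks the .blend block list (gzip-compressed files included) and flags files that carry embedded Text datablocks so they can be reviewed before being opened. Assumptions: the documented .blend container layout, and the heuristic that any `TX` block warrants review; it does not parse SDNA to resolve ScriptLink entries, and the sample files are constructed.

```python
import gzip
import struct


def blend_text_blocks(raw: bytes) -> dict:
    """Return header info and the number of embedded Text ('TX') datablocks."""
    if raw[:2] == b"\x1f\x8b":                     # .blend files may be gzip-compressed
        raw = gzip.decompress(raw)
    if len(raw) < 12 or raw[:7] != b"BLENDER":
        raise ValueError("not a .blend file")
    ptr_size = {0x5F: 4, 0x2D: 8}.get(raw[7])      # '_' = 32-bit, '-' = 64-bit pointers
    endian = {0x76: "<", 0x56: ">"}.get(raw[8])    # 'v' = little, 'V' = big endian
    if ptr_size is None or endian is None:
        raise ValueError("unrecognised .blend header")
    version = raw[9:12].decode("ascii")
    # Block header: code[4], data size, old pointer, SDNA index, count
    head = struct.Struct(f"{endian}4si{ptr_size}sii")
    pos, texts = 12, 0
    while pos + head.size <= len(raw):
        code, size, _old, _sdna, _count = head.unpack_from(raw, pos)
        if code == b"ENDB":                        # end-of-file marker block
            break
        if size < 0:
            raise ValueError("corrupt block size")
        if code == b"TX\x00\x00":                  # Text datablock (may hold Python)
            texts += 1
        pos += head.size + size                    # skip the block payload
    return {"version": version, "text_blocks": texts, "needs_review": texts > 0}


def _block(code: bytes, payload: bytes = b"") -> bytes:
    """Build one 32-bit little-endian block for the constructed samples."""
    return struct.pack("<4si4sii", code, len(payload), b"\0" * 4, 0, 1) + payload


# Constructed sample files (not real scenes): one without and one with a Text block.
SAMPLE_CLEAN = b"BLENDER_v249" + _block(b"SC\0\0", b"\0" * 16) + _block(b"ENDB")
SAMPLE_WITH_TEXT = (b"BLENDER_v249" + _block(b"SC\0\0", b"\0" * 16)
                    + _block(b"TX\0\0", b"\0" * 8) + _block(b"ENDB"))

if __name__ == "__main__":
    for name, data in (("clean", SAMPLE_CLEAN), ("with-text", SAMPLE_WITH_TEXT)):
        print(name, blend_text_blocks(data))
```
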

Comment 1 Jan Lieskovsky 2009-11-06 15:50:57 UTC
This issue affects the versions of the Blender package as shipped with
Fedora releases 10 and 11, and as scheduled to appear in Fedora 12.

This issue might potentially affect the version of the Blender package,
as shipped within Extra Packages for Enterprise Linux 5 (EPEL-5) project.

Jochen, once the upstream patch is available, please schedule Fedora
and EPEL Blender updates.

Comment 3 Sebastian Pipping 2011-04-20 19:31:25 UTC
Please have a look at my report and patch proposal over at <https://bugs.gentoo.org/show_bug.cgi?id=293130#c5>.  Review by Red Hat security would be welcome.

Comment 4 Jan Lieskovsky 2011-04-21 09:55:11 UTC
(In reply to comment #3)

Hello Sebastian,

  thank you for your work on this one and for your proposal.

> Please have a look at my report and patch proposal over at
> <https://bugs.gentoo.org/show_bug.cgi?id=293130#c5>.  Review by Red Hat
> security would be welcome.

Have you tried to contact Blender upstream with your patch proposal?
What was their feedback / opinion on this?

Thank you, Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 5 Sebastian Pipping 2011-04-21 10:48:40 UTC
(In reply to comment #4)
> Have you tried to contact Blender upstream with your patch proposal?

When asking for the developer mailing list in #blender it was proposed to go to #blendercoders.  There I talked to Campbell Barton (the Python API maintainer).


> What was their feedback / opinion on this?

As I understood him, flipping the default to no-scripts-by-default has been discussed before and is not likely to happen in the official builds.
He pointed me to this discussion <http://markmail.org/message/cu2xdhngcudl27cr>.

Comment 6 Sebastian Pipping 2011-04-21 10:53:54 UTC
PS: I should mention what upstream did is they added a checkbox "Trusted source" to Blender 2.5x.  With that checkbox unchecked, embedded scripts are not executed.  Here again the problem is the defaults: script execution enabled.

Comment 7 Sebastian Pipping 2011-04-24 18:02:53 UTC
There is a separate bug with patch for Blender 2.57 now that you may also be interested in: <https://bugs.gentoo.org/show_bug.cgi?id=364291>. Review welcome as always.

Comment 8 Vincent Danen 2011-06-17 21:36:44 UTC
This still affects current Fedora releases (only rawhide has 2.57b, the rest have the vulnerable 2.49b).

Comment 9 Sebastian Pipping 2011-06-17 23:02:12 UTC
FYI, to the best of my knowledge, 2.57b is vulnerable, too.

Comment 10 Vincent Danen 2011-06-20 16:39:27 UTC
Oh, I thought that it had been corrected upstream already, but perhaps I misunderstood or misread something.  Then we would need patches on all branches if that is indeed the case.

Comment 11 Sebastian Pipping 2011-06-20 19:41:03 UTC
(In reply to comment #10)
> Oh, I thought that it had been corrected upstream already, but perhaps I
> misunderstood or misread something.

There have been related post-2.57 patches, but upstream and I have been in disagreement on the goal to patch to.  The question is how much users should be prevented from shooting themselves in the foot.


> Then we would need patches on all branches
> if that is indeed the case.

For now we have:
- 2.49b
- 2.57

Outstanding are:
- 2.57b

Anything else?  What's the complete list?

Comment 13 Vincent Danen 2012-08-25 16:10:41 UTC
This is fixed in Fedora now, but sadly it's not at all resolved in EPEL:

fedora:16/blender-2.59-5.fc16
fedora:17/blender-2.63a-2.fc17
fedora:epel:5/blender-2.49b-9.el5
fedora:epel:6/blender-2.49b-8.el6

Comment 14 Vincent Danen 2012-08-25 16:15:12 UTC
Created blender tracking bugs for this issue

Affects: epel-all [bug 851773]

