Your message dated Fri, 25 Apr 2008 21:32:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#477808: fixed in blender 2.45-5
has caused the Debian Bug report #477808,
regarding blender: CVE-2008-1102 arbitrary code execution via crafted .blend
file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
477808: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477808
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: blender
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for blender.
CVE-2008-1102[0]:
| Stack-based buffer overflow in the imb_loadhdr function in Blender
| 2.45 allows user-assisted remote attackers to execute arbitrary code
| via a .blend file that contains a crafted Radiance RGBE image.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1102
http://security-tracker.debian.net/tracker/CVE-2008-1102
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgphUJ0U9Sv6m.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: blender
Source-Version: 2.45-5
We believe that the bug you reported is fixed in the latest version of
blender, which is due to be installed in the Debian FTP archive:
blender_2.45-5.diff.gz
to pool/main/b/blender/blender_2.45-5.diff.gz
blender_2.45-5.dsc
to pool/main/b/blender/blender_2.45-5.dsc
blender_2.45-5_i386.deb
to pool/main/b/blender/blender_2.45-5_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Cyril Brulebois <[EMAIL PROTECTED]> (supplier of updated blender package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 25 Apr 2008 22:50:31 +0200
Source: blender
Binary: blender
Architecture: source i386
Version: 2.45-5
Distribution: unstable
Urgency: high
Maintainer: Cyril Brulebois <[EMAIL PROTECTED]>
Changed-By: Cyril Brulebois <[EMAIL PROTECTED]>
Description:
blender - Very fast and versatile 3D modeller/renderer
Closes: 441216 463749 477761 477808
Changes:
blender (2.45-5) unstable; urgency=high
.
* debian/control:
- Adjust Maintainer and Uploaders according to last years' activity.
- Update my mail address. Many thanks to Florian Ernst who sponsored
all my uploads.
* Switch from python2.4 to python2.5 (Closes: #477761):
- Replace python2.4-dev with python2.5-dev in Build-Depends.
- Refresh the following patch to set BF_PYTHON_VERSION accordingly:
- 50_debian_build_config.
* Fix CVE-2008-1102: “Stack-based buffer overflow in the imb_loadhdr
function allows user-assisted remote attackers to execute arbitrary
code via a .blend file that contains a crafted Radiance RGBE image.”
Add upstream patch as pointed to by Tomas Hoger <[EMAIL PROTECTED]>
(thanks!), which basically adds a check on sscanf() return code and
limits the size of accepted %s parameters (Closes: #477808):
- 30_fix_CVE-2008-1102.
* Bump urgency to “high” accordingly.
* Disable the “-Wdeclaration-after-statement” C_WARN flag (which is only
valid for C/ObjC but not for C++) in config/linux2-config.py, by
updating the following patch:
- 50_debian_build_config.
* Use DEB_HOST_ARCH to determine whether the host architecture is
big-endian so as to pass an extra “-D__BIG_ENDIAN__” flag to the
compiler, thus fixing the buggy endianness detection (upstream lists
every platform, but misses at least hppa, mips, and s390). Thanks to
Stefan Gartner for the tip (Closes: #441216).
* Make scons understand what is wanted from it:
- Pass “-g” and “-O” options through CFLAGS.
- Pass “-D” options through CPPFLAGS.
* Add patch to make blender able to use the compatibility layer that
scons is setting up for its Option->Variable transition, initiated in
scons 0.98.2-1 (deprecation will follow, but Blender should be updated
upstream in the meanwhile), thanks to Mark Brown (see #477912):
- 40_workaround_scons_options_deprecation.
* Switch from ttf-bitstream-vera to ttf-dejavu (Closes: #463749), thanks
to Sven Arvidsson:
- debian/control: Update Depends.
- debian/rules: Update symlink.
Checksums-Sha1:
65c6c63b4fd52e5ba2ad94c3a5f9fc457bac1700 1349 blender_2.45-5.dsc
67d5edcae9bb8dfbd8cbf2fb552ce5d2af930c6a 27898 blender_2.45-5.diff.gz
08807fe398775c61f818b7827188275a06eb6c74 7356186 blender_2.45-5_i386.deb
Checksums-Sha256:
6c80c78bdc506bd314648bed06b60d710b02050e46abb3b490e891a47e028886 1349
blender_2.45-5.dsc
1faf4f564eb1a61360e656b09cf9052f1b226295625e464a06ece4c60b169946 27898
blender_2.45-5.diff.gz
f3f3cfb26b16064ae563274fe33bab427866b238b0d1fff784432dbf3d62ce94 7356186
blender_2.45-5_i386.deb
Files:
11e9908bbf67c791fb493381719df55e 1349 graphics optional blender_2.45-5.dsc
36459ddf53b4c12da5a1c1ba5ef4a2cd 27898 graphics optional blender_2.45-5.diff.gz
d8a27300fb559cdbf4c919ace56da31c 7356186 graphics optional
blender_2.45-5_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIEkx9eGfVPHR5Nd0RAj4xAJ0Q9iyO75e9FzEoRQtCKXSWe7A/7gCeJg6q
RY21ywxXt36BtIY37k2xk0g=
=w+MP
-----END PGP SIGNATURE-----
--- End Message ---
