Your message dated Mon, 27 Oct 2008 06:32:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#503632: fixed in blender 2.46+dfsg-5
has caused the Debian Bug report #503632,
regarding blender: Python scripts load modules from current directory
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
503632: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503632
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: blender
Version: 2.46+dfsg-4
Severity: grave
Tags: security
Justification: user security hole
Usertags: pythonpath
Blender's BPY_interface calls PySys_SetArgv such that Python prepends
sys.path with an empty string. This allows the possibility to run
arbitrary code on the user's system if there is a Python file in
Blender's working directory named the same as one that Blender's Python
scripts try to import.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages blender depends on:
ii gettext [libgettextpo0 0.17-4 GNU Internationalization utilities
pn libalut0 <none> (no description available)
pn libavcodec51 | libavco <none> (no description available)
pn libavformat52 | libavf <none> (no description available)
pn libavutil49 | libavuti <none> (no description available)
ii libc6 2.7-15 GNU C Library: Shared libraries
pn libdc1394-22 <none> (no description available)
ii libfreetype6 2.3.7-2 FreeType 2 font engine, shared lib
pn libftgl2 <none> (no description available)
ii libgcc1 1:4.3.2-1 GCC support library
ii libgl1-mesa-glx [libgl 7.0.3-6 A free implementation of the OpenG
ii libglu1-mesa [libglu1] 7.0.3-6 The OpenGL utility library (GLU)
pn libgsm1 <none> (no description available)
ii libilmbase6 1.0.1-2+nmu2 several utility libraries from ILM
ii libjpeg62 6b-14 The Independent JPEG Group's JPEG
ii libogg0 1.1.3-4 Ogg Bitstream Library
pn libopenal1 <none> (no description available)
ii libopenexr6 1.6.1-3 runtime files for the OpenEXR imag
ii libpng12-0 1.2.27-2 PNG library - runtime
ii libraw1394-8 1.3.0-4 library for direct access to IEEE
pn libsdl1.2debian <none> (no description available)
ii libstdc++6 4.3.2-1 The GNU Standard C++ Library v3
pn libswscale0 | libswsca <none> (no description available)
ii libtheora0 1.0~beta3-1 The Theora Video Compression Codec
ii libvorbis0a 1.2.0.dfsg-3.1 The Vorbis General Audio Compressi
ii libvorbisenc2 1.2.0.dfsg-3.1 The Vorbis General Audio Compressi
ii libx11-6 2:1.1.5-2 X11 client-side library
ii libxi6 2:1.1.3-1 X11 Input extension library
ii python 2.5.2-2 An interactive high-level object-o
ii python-support 0.8.6 automated rebuilding support for P
ii python2.5 2.5.2-11.1 An interactive high-level object-o
ii ttf-dejavu 2.25-3 Metapackage to pull in ttf-dejavu-
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
blender recommends no packages.
Versions of packages blender suggests:
ii libtiff4 3.8.2-11 Tag Image File Format (TIFF) libra
pn yafray <none> (no description available)
--- End Message ---
--- Begin Message ---
Source: blender
Source-Version: 2.46+dfsg-5
We believe that the bug you reported is fixed in the latest version of
blender, which is due to be installed in the Debian FTP archive:
blender_2.46+dfsg-5.diff.gz
to pool/main/b/blender/blender_2.46+dfsg-5.diff.gz
blender_2.46+dfsg-5.dsc
to pool/main/b/blender/blender_2.46+dfsg-5.dsc
blender_2.46+dfsg-5_amd64.deb
to pool/main/b/blender/blender_2.46+dfsg-5_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Cyril Brulebois <[EMAIL PROTECTED]> (supplier of updated blender package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.8
Date: Mon, 27 Oct 2008 06:44:20 +0100
Source: blender
Binary: blender
Architecture: source amd64
Version: 2.46+dfsg-5
Distribution: unstable
Urgency: high
Maintainer: Cyril Brulebois <[EMAIL PROTECTED]>
Changed-By: Cyril Brulebois <[EMAIL PROTECTED]>
Description:
blender - Very fast and versatile 3D modeller/renderer
Closes: 503632
Changes:
blender (2.46+dfsg-5) unstable; urgency=high
.
* Include patch by James Vega (thanks!) to fix security bug: Blender's
BPY_interface was calling PySys_SetArgv so that sys.path was prepended
with an empty string, resulting in possible arbitrary code execution,
when the working directory contains a file named like one that
Blender's Python scripts try to import (Closes: #503632). That patch
removes empty elements from sys.path:
- debian/patches/01_sanitize_sys.path
* Urgency set to “high” accordingly.
--- End Message ---
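As an added illustration of the bug report and of the fix the changelog names (not Blender code and not the Debian patch), the following Python simulates how an empty sys.path entry lets a file in the working directory shadow a real module, and strips such entries the way the changelog describes. The directory layout and paths are constructed for the example.

```python
"""Added example for Debian bug #503632: simulate how an empty sys.path
entry lets a file in the working directory shadow a real module, and
sanitize the path the way the changelog describes (drop empty elements).
Not Blender code and not the Debian patch; paths below are constructed."""
import os
import sys
from typing import Dict, List, Optional, Set

def is_cwd_alias(entry: str, cwd: str) -> bool:
    """True if a sys.path entry resolves to the working directory.
    '' is the entry PySys_SetArgv can leave behind; Python reads it as
    'whatever the process cwd is at import time'."""
    if entry in ("", "."):
        return True
    return os.path.normpath(os.path.join(cwd, entry)) == os.path.normpath(cwd)

def sanitize_sys_path(path: List[str], cwd: str) -> List[str]:
    """Copy of `path` with every cwd alias removed; order is preserved so
    the stdlib and site-packages are still searched in their usual order."""
    return [p for p in path if not is_cwd_alias(p, cwd)]

def first_match(module: str, path: List[str], cwd: str,
                files: Dict[str, Set[str]]) -> Optional[str]:
    """Simulate the directory that would satisfy `import module`, walking
    `path` in order against a constructed mapping of dir -> filenames."""
    for entry in path:
        directory = os.path.normpath(os.path.join(cwd, entry))
        if module + ".py" in files.get(directory, set()):
            return directory
    return None

def apply_to_interpreter() -> List[str]:
    """What an embedding application would do right after PySys_SetArgv:
    strip cwd aliases from the live sys.path. Returns what was removed."""
    cwd = os.getcwd()
    removed = [p for p in sys.path if is_cwd_alias(p, cwd)]
    sys.path[:] = sanitize_sys_path(sys.path, cwd)
    return removed

# Constructed layout (hypothetical paths): the user's project directory
# holds an os.py next to the .blend file, and the stdlib holds the real one.
CWD = "/home/user/project"
UNSAFE_PATH = ["", "/usr/lib/python2.5", "/usr/lib/python2.5/site-packages"]
FILES = {
    "/home/user/project": {"os.py", "scene.blend"},
    "/usr/lib/python2.5": {"os.py", "string.py"},
}
```

With the empty entry present, `first_match("os", UNSAFE_PATH, CWD, FILES)` resolves to the project directory; after `sanitize_sys_path` it resolves to the stdlib directory.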