On Fri, 30 Sep 2005 12:51:35 +0200, Joxean Koret wrote:
> The bvh_import.py script supplied with the current Debian Stable and (I
> think) unstable versions of Blender is vulnerable to arbitrary code
> execution.
oldstable (2.23-0.1) isn't affected, as it shipped a version of blender that didn't include this script yet (and was non-free anyway).

stable (2.36-1) is affected. I've attached a naive patch to remove all 'eval's in the script, which in fact is basically what upstream did. Please see <http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scripts/bvh_import.py.diff?r1=1.4&r2=1.5&cvsroot=bf-blender> for upstream details.

testing isn't affected anymore, as blender has been removed from testing due to general bugginess.

unstable (2.36-1 on alpha, mips, mipsel; 2.37a-1 on all other archs) is partially affected: while 2.37a includes the upstream fix for this problem, this version hasn't been built on all archs due to bug#333958.

HTH,
Flo
diff -u blender-2.36/debian/changelog blender-2.36/debian/changelog --- blender-2.36/debian/changelog +++ blender-2.36/debian/changelog @@ -1,3 +1,14 @@ +blender (2.36-1sarge1) stable-security; urgency=high + + * patch release/scripts/bvh_import.py to use float instead of eval, + thus preventing arbitrary code execution when importing a .bvh file; + this fix differs from the changes in + <http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scripts/bvh_import.py.diff?r1=1.4&r2=1.5&cvsroot=bf-blender> + in that it doesn't provide the new checks introduced therein; + for reference, this is CVE-2005-3302 - closes: #330895 + + -- Florian Ernst <[EMAIL PROTECTED]> Tue, 1 Nov 2005 17:41:53 +0100 + blender (2.36-1) unstable; urgency=high * The "Back From The Gig" release. only in patch2: unchanged: --- blender-2.36.orig/release/scripts/bvh_import.py +++ blender-2.36/release/scripts/bvh_import.py @@ -331,7 +331,7 @@ name = lines[lineIdx][1] lineIdx += 2 # Incriment to the next line (Offset) - offset = ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), eval(lines[lineIdx][3]) ) + offset = ( float(lines[lineIdx][1]), float(lines[lineIdx][2]), float(lines[lineIdx][3]) ) lineIdx += 1 # Incriment to the next line (Channels) # newChannel[Xposition, Yposition, Zposition, Xrotation, Yrotation, Zrotation] @@ -367,7 +367,7 @@ # Account for an end node if lines[lineIdx][0] == 'End' and lines[lineIdx][1] == 'Site': # There is somtimes a name afetr 'End Site' but we will ignore it. lineIdx += 2 # Incriment to the next line (Offset) - offset = ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), eval(lines[lineIdx][3]) ) + offset = ( float(lines[lineIdx][1]), float(lines[lineIdx][2]), float(lines[lineIdx][3]) ) makeEnd(parent, prefix, offset) # Just so we can remove the Parents in a uniform way- End end never has kids 
@@ -431,14 +431,14 @@ if debug: Blender.Redraw() while obIdx < len(objectList) -1: if channelList[obIdx][0] != -1: - objectList[obIdx].getIpo().getCurve('LocX').addBezier((currentFrame, scale * eval(lines[lineIdx][channelList[obIdx][0]]))) + objectList[obIdx].getIpo().getCurve('LocX').addBezier((currentFrame, scale * float(lines[lineIdx][channelList[obIdx][0]]))) if channelList[obIdx][1] != -1: - objectList[obIdx].getIpo().getCurve('LocY').addBezier((currentFrame, scale * eval(lines[lineIdx][channelList[obIdx][1]]))) + objectList[obIdx].getIpo().getCurve('LocY').addBezier((currentFrame, scale * float(lines[lineIdx][channelList[obIdx][1]]))) if channelList[obIdx][2] != -1: - objectList[obIdx].getIpo().getCurve('LocZ').addBezier((currentFrame, scale * eval(lines[lineIdx][channelList[obIdx][2]]))) + objectList[obIdx].getIpo().getCurve('LocZ').addBezier((currentFrame, scale * float(lines[lineIdx][channelList[obIdx][2]]))) if channelList[obIdx][3] != '-1' or channelList[obIdx][4] != '-1' or channelList[obIdx][5] != '-1': - x, y, z = eulerRotate(eval(lines[lineIdx][channelList[obIdx][3]]), eval(lines[lineIdx][channelList[obIdx][4]]), eval(lines[lineIdx][channelList[obIdx][5]])) + x, y, z = eulerRotate(float(lines[lineIdx][channelList[obIdx][3]]), float(lines[lineIdx][channelList[obIdx][4]]), float(lines[lineIdx][channelList[obIdx][5]])) objectList[obIdx].getIpo().getCurve('RotX').addBezier((currentFrame, x)) objectList[obIdx].getIpo().getCurve('RotY').addBezier((currentFrame, y)) objectList[obIdx].getIpo().getCurve('RotZ').addBezier((currentFrame, z))
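Review bot: in the @@ -331 and @@ -367 hunks, float() closes the code-execution path but nothing around the three conversions catches the ValueError it raises on a non-numeric token, so a malformed OFFSET line now aborts the importer with a Python traceback instead of a clean error; float() also accepts "inf", "nan" and overflowing literals such as "1e999", which then flow into joint geometry. The changelog already notes that upstream's new checks are dropped here; if they stay dropped, at least wrap the conversions, e.g. `try: offset = (float(lines[lineIdx][1]), ...) except ValueError: raise` with a message naming the line, or say in the changelog that malformed files now fail with an exception.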
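Review bot: in the @@ -431 hunk the rotation guard `if channelList[obIdx][3] != '-1' or channelList[obIdx][4] != '-1' or channelList[obIdx][5] != '-1':` compares against the string '-1', while the three location guards just above it compare against the integer -1. If channelList holds integers (as the LocX/LocY/LocZ checks assume), the rotation guard is always true and a joint without rotation channels indexes `lines[lineIdx][-1]`, i.e. the last token of the motion row, silently feeding the wrong value into eulerRotate. This is pre-existing rather than introduced by the eval-to-float change, but since the hunk rewrites that line anyway, making the comparison `!= -1` to match the other three would be cheap.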
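To make the difference between the two parsers concrete, here is an added example (not code from the original mail, the Debian patch, or upstream Blender) that models the OFFSET-line parsing the patch touches. It contrasts the pre-fix eval() version with the float() version and with a checked variant that also rejects non-finite values, which is an assumption of what "the new checks" could look like rather than upstream's actual code. The BVH lines are constructed for the example; the hostile token calls a harmless marker function where a real file would use something like `__import__('os').system(...)`.

```python
"""Added example (not from the original e-mail or the Debian/upstream patches):
why eval() on .bvh tokens is arbitrary code execution, what float() changes,
and what float() still lets through."""
import math

# Records whether attacker-supplied code ran; a real payload would not be
# this polite, it would call os.system() or similar.
SIDE_EFFECTS = []


def _marker():
    SIDE_EFFECTS.append("eval ran attacker code")
    return 0.0


# Constructed sample lines, in the shape bvh_import.py tokenises them.
BENIGN_OFFSET_LINE = "OFFSET 0.0 1.5 -2.25"
HOSTILE_OFFSET_LINE = "OFFSET 0.0 1.5 _marker()"   # any Python expression
NONFINITE_OFFSET_LINE = "OFFSET 1 2 inf"


def parse_offset_eval(line):
    """Pre-fix behaviour (Blender 2.36 used eval() on each token): every
    token is executed as a Python expression with full interpreter access."""
    tokens = line.split()
    return tuple(eval(tok) for tok in tokens[1:4])


def parse_offset_float(line):
    """Patched behaviour: float() only parses numeric literals, so a
    code-carrying token raises ValueError instead of executing."""
    tokens = line.split()
    return tuple(float(tok) for tok in tokens[1:4])


def parse_offset_checked(line):
    """float() plus extra validation (assumed here, not upstream's checks):
    exactly three coordinates, all finite, so 'inf'/'nan'/'1e999' are
    rejected before they reach the scene geometry."""
    tokens = line.split()
    if len(tokens) != 4 or tokens[0] != "OFFSET":
        raise ValueError("malformed OFFSET line: %r" % line)
    vals = tuple(float(tok) for tok in tokens[1:])
    if not all(math.isfinite(v) for v in vals):
        raise ValueError("non-finite coordinate in %r" % line)
    return vals


def _outcome(parser, line):
    """Classify what a parser does with a line without letting it raise."""
    try:
        return parser(line)
    except ValueError:
        return "rejected"


def demo():
    """Run all three parsers over the constructed lines and summarise."""
    del SIDE_EFFECTS[:]
    results = {
        "benign_eval": parse_offset_eval(BENIGN_OFFSET_LINE),
        "hostile_eval": parse_offset_eval(HOSTILE_OFFSET_LINE),
    }
    results["side_effects"] = list(SIDE_EFFECTS)
    results["hostile_float"] = _outcome(parse_offset_float, HOSTILE_OFFSET_LINE)
    results["inf_float"] = _outcome(parse_offset_float, NONFINITE_OFFSET_LINE)
    results["inf_checked"] = _outcome(parse_offset_checked, NONFINITE_OFFSET_LINE)
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%-14s %r" % (key, value))
```

The same three parsers apply to the MOTION rows in the @@ -431 hunk: every per-frame channel value goes through the same conversion, so a single hostile token anywhere in a multi-thousand-line motion section was enough to execute code under the pre-fix script. Note that `parse_offset_float` still returns `inf` for the third line; only the checked variant refuses it.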