tags 330895 patch
thanks

[EMAIL PROTECTED] BCCed

On Fri, 30 Sep 2005 12:51:35 +0200, Joxean Koret wrote:
> The bvh_import.py script supplied with the current Debian Stable and (I
> think) unstable versions of Blender is vulnerable to arbitrary code
> execution.
This time the patch is dpatch-ified, and I'll also attach a second patch that is closer to upstream but includes more changes to the code.

HTH,
Flo
diff -u blender-2.36/debian/patches/00list blender-2.36/debian/patches/00list
--- blender-2.36/debian/patches/00list
+++ blender-2.36/debian/patches/00list
@@ -2,0 +3 @@
+03_fix_arbitrary_code_execution_in_bvh_import.py
diff -u blender-2.36/debian/changelog blender-2.36/debian/changelog
--- blender-2.36/debian/changelog
+++ blender-2.36/debian/changelog
@@ -1,3 +1,15 @@
+blender (2.36-1sarge1) unstable; urgency=high
+
+ * patch release/scripts/bvh_import.py to use float instead of eval by
+ adding 03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch,
+ thus preventing arbitrary code execution when importing a .bvh file;
+ this fix differs from the changes in
+ <http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scripts/bvh_import.py.diff?r1=1.4&r2=1.5&cvsroot=bf-blender>
+ in that it doesn't provide the new checks introduced therein;
+ for reference, this is CVE-2005-3302 - closes: #330895
+
+ -- Florian Ernst <[EMAIL PROTECTED]> Wed, 2 Nov 2005 13:45:57 +0100
+
 blender (2.36-1) unstable; urgency=high
 * The "Back From The Gig" release.
only in patch2: unchanged:
--- blender-2.36.orig/debian/patches/03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch
+++ blender-2.36/debian/patches/03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch
@@ -0,0 +1,47 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch by Florian Ernst <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2005-3302, see bug#330895
+ [EMAIL PROTECTED]@
+diff -urNad blender-2.36~/release/scripts/bvh_import.py blender-2.36/release/scripts/bvh_import.py
+--- blender-2.36~/release/scripts/bvh_import.py 2004-11-07 17:31:13.000000000 +0100
++++ blender-2.36/release/scripts/bvh_import.py 2005-11-02 13:36:01.000000000 +0100
+@@ -331,7 +331,7 @@
+
+ name = lines[lineIdx][1]
+ lineIdx += 2 # Incriment to the next line (Offset)
+- offset = ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), eval(lines[lineIdx][3]) )
++ offset = ( float(lines[lineIdx][1]), float(lines[lineIdx][2]), float(lines[lineIdx][3]) )
+ lineIdx += 1 # Incriment to the next line (Channels)
+
+ # newChannel[Xposition, Yposition, Zposition, Xrotation, Yrotation, Zrotation]
+@@ -367,7 +367,7 @@
+ # Account for an end node
+ if lines[lineIdx][0] == 'End' and lines[lineIdx][1] == 'Site': # There is somtimes a name afetr 'End Site' but we will ignore it.
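Review bot: The new `float()` calls on the OFFSET tokens raise ValueError on a non-numeric token, and `lines[lineIdx][3]` raises IndexError when the OFFSET line carries fewer than four tokens; nothing in the hunk catches either, so a malformed or hostile .bvh now aborts the import with a Python traceback instead of executing code, which is the right direction but leaves the user without a message. A one-line guard before the assignment would make the failure explicit: `if len(lines[lineIdx]) < 4: raise ValueError('OFFSET line %d needs three values' % lineIdx)`. The same applies to the End Site OFFSET handled in the next hunk. The enclosing function starts and ends outside this hunk.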
+ lineIdx += 2 # Incriment to the next line (Offset)
+- offset = ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), eval(lines[lineIdx][3]) )
++ offset = ( float(lines[lineIdx][1]), float(lines[lineIdx][2]), float(lines[lineIdx][3]) )
+ makeEnd(parent, prefix, offset)
+
+ # Just so we can remove the Parents in a uniform way- End end never has kids
+@@ -431,14 +431,14 @@
+ if debug: Blender.Redraw()
+ while obIdx < len(objectList) -1:
+ if channelList[obIdx][0] != -1:
+- objectList[obIdx].getIpo().getCurve('LocX').addBezier((currentFrame, scale * eval(lines[lineIdx][channelList[obIdx][0]])))
++ objectList[obIdx].getIpo().getCurve('LocX').addBezier((currentFrame, scale * float(lines[lineIdx][channelList[obIdx][0]])))
+ if channelList[obIdx][1] != -1:
+- objectList[obIdx].getIpo().getCurve('LocY').addBezier((currentFrame, scale * eval(lines[lineIdx][channelList[obIdx][1]])))
++ objectList[obIdx].getIpo().getCurve('LocY').addBezier((currentFrame, scale * float(lines[lineIdx][channelList[obIdx][1]])))
+ if channelList[obIdx][2] != -1:
+- objectList[obIdx].getIpo().getCurve('LocZ').addBezier((currentFrame, scale * eval(lines[lineIdx][channelList[obIdx][2]])))
++ objectList[obIdx].getIpo().getCurve('LocZ').addBezier((currentFrame, scale * float(lines[lineIdx][channelList[obIdx][2]])))
+
+ if channelList[obIdx][3] != '-1' or channelList[obIdx][4] != '-1' or channelList[obIdx][5] != '-1':
+- x, y, z = eulerRotate(eval(lines[lineIdx][channelList[obIdx][3]]), eval(lines[lineIdx][channelList[obIdx][4]]), eval(lines[lineIdx][channelList[obIdx][5]]))
++ x, y, z = eulerRotate(float(lines[lineIdx][channelList[obIdx][3]]), float(lines[lineIdx][channelList[obIdx][4]]), float(lines[lineIdx][channelList[obIdx][5]]))
+ objectList[obIdx].getIpo().getCurve('RotX').addBezier((currentFrame, x))
+ objectList[obIdx].getIpo().getCurve('RotY').addBezier((currentFrame, y))
+ objectList[obIdx].getIpo().getCurve('RotZ').addBezier((currentFrame, z))
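Review bot: The rotation guard on the context line `if channelList[obIdx][3] != '-1' or ...` compares against the string '-1' while the three location guards directly above compare against the integer -1; if channelList holds integers, as the location guards assume, the rotation branch is never skipped and an absent channel would make `lines[lineIdx][-1]` silently read the last token of the frame. That is pre-existing, but since this patch already touches every value line in the loop it is the moment to align the guard to `!= -1`. The eval-to-float substitution itself is the correct fix for CVE-2005-3302: `float()` cannot evaluate expressions, so a crafted .bvh can at most raise ValueError here. Only the OFFSET and MOTION sites inside these hunks are covered; grepping the rest of bvh_import.py for `eval(` would confirm no other parser path remains. The enclosing while loop starts and ends outside the hunk.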
diff -u blender-2.36/debian/patches/00list blender-2.36/debian/patches/00list
--- blender-2.36/debian/patches/00list
+++ blender-2.36/debian/patches/00list
@@ -2,0 +3 @@
+03_fix_arbitrary_code_execution_in_bvh_import.py
diff -u blender-2.36/debian/changelog blender-2.36/debian/changelog
--- blender-2.36/debian/changelog
+++ blender-2.36/debian/changelog
@@ -1,3 +1,12 @@
+blender (2.36-1sarge1) unstable; urgency=high
+
+ * patch release/scripts/bvh_import.py to use float instead of eval by
+ adding 03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch,
+ thus preventing arbitrary code execution when importing a .bvh file;
+ for reference, this is CVE-2005-3302 - closes: #330895
+
+ -- Florian Ernst <[EMAIL PROTECTED]> Sun, 6 Nov 2005 12:24:56 +0100
+
 blender (2.36-1) unstable; urgency=high
 * The "Back From The Gig" release.
only in patch2: unchanged:
--- blender-2.36.orig/debian/patches/03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch
+++ blender-2.36/debian/patches/03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch
@@ -0,0 +1,67 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch by Florian Ernst <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2005-3302, see bug#330895 and
+## DP: <http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scripts/bvh_import.py.diff?r1=1.4&r2=1.5&cvsroot=bf-blender>
+## DP: <http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scripts/bvh_import.py.diff?r1=1.6&r2=1.7&cvsroot=bf-blender>
+ [EMAIL PROTECTED]@
+diff -urNad blender-2.36~/release/scripts/bvh_import.py blender-2.36/release/scripts/bvh_import.py
+--- blender-2.36~/release/scripts/bvh_import.py 2004-11-07 17:31:13.000000000 +0100
++++ blender-2.36/release/scripts/bvh_import.py 2005-11-06 12:20:43.000000000 +0100
+@@ -331,7 +331,7 @@
+
+ name = lines[lineIdx][1]
+ lineIdx += 2 # Incriment to the next line (Offset)
+- offset = ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), eval(lines[lineIdx][3]) )
++ offset = ( float(lines[lineIdx][1]), float(lines[lineIdx][2]), float(lines[lineIdx][3]) )
+ lineIdx += 1 # Incriment to the next line (Channels)
+
+ # newChannel[Xposition, Yposition, Zposition, Xrotation, Yrotation, Zrotation]
+@@ -367,7 +367,7 @@
+ # Account for an end node
+ if lines[lineIdx][0] == 'End' and lines[lineIdx][1] == 'Site': # There is somtimes a name afetr 'End Site' but we will ignore it.
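Review bot: The OFFSET tokens here go straight to `float()`, while the MOTION hunk later in this same patch rewrites any decimal-less token by inserting a '.' before its last six characters, so the same numeric syntax is read two different ways within one file: a token '90' is 90.0 as an offset but 0.9 as a channel value. If the fixed-point rewrite is genuinely needed for some exporter, both sites should go through one shared helper; if it is not, the plain `float()` used here is the right reading for both. The enclosing function starts and ends outside this hunk.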
+ lineIdx += 2 # Incriment to the next line (Offset)
+- offset = ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), eval(lines[lineIdx][3]) )
++ offset = ( float(lines[lineIdx][1]), float(lines[lineIdx][2]), float(lines[lineIdx][3]) )
+ makeEnd(parent, prefix, offset)
+
+ # Just so we can remove the Parents in a uniform way- End end never has kids
+@@ -431,14 +431,32 @@
+ if debug: Blender.Redraw()
+ while obIdx < len(objectList) -1:
+ if channelList[obIdx][0] != -1:
+- objectList[obIdx].getIpo().getCurve('LocX').addBezier((currentFrame, scale * eval(lines[lineIdx][channelList[obIdx][0]])))
++ VAL0=lines[lineIdx][channelList[obIdx][0]]
++ if VAL0.find('.')==-1:
++ VAL0=VAL0[:len(VAL0)-6]+'.'+VAL0[-6:]
++ objectList[obIdx].getIpo().getCurve('LocX').addBezier((currentFrame, scale * float(VAL0)))
+ if channelList[obIdx][1] != -1:
+- objectList[obIdx].getIpo().getCurve('LocY').addBezier((currentFrame, scale * eval(lines[lineIdx][channelList[obIdx][1]])))
++ VAL1=lines[lineIdx][channelList[obIdx][1]]
++ if VAL1.find('.')==-1:
++ VAL1=VAL1[:len(VAL1)-6]+'.'+VAL1[-6:]
++ objectList[obIdx].getIpo().getCurve('LocY').addBezier((currentFrame, scale * float(VAL1)))
+ if channelList[obIdx][2] != -1:
+- objectList[obIdx].getIpo().getCurve('LocZ').addBezier((currentFrame, scale * eval(lines[lineIdx][channelList[obIdx][2]])))
++ VAL2=lines[lineIdx][channelList[obIdx][2]]
++ if VAL2.find('.')==-1:
++ VAL2=VAL2[:len(VAL2)-6]+'.'+VAL2[-6:]
++ objectList[obIdx].getIpo().getCurve('LocZ').addBezier((currentFrame, scale * float(VAL2)))
+
+ if channelList[obIdx][3] != '-1' or channelList[obIdx][4] != '-1' or channelList[obIdx][5] != '-1':
+- x, y, z = eulerRotate(eval(lines[lineIdx][channelList[obIdx][3]]), eval(lines[lineIdx][channelList[obIdx][4]]), eval(lines[lineIdx][channelList[obIdx][5]]))
++ VAL3=lines[lineIdx][channelList[obIdx][3]]
++ if VAL3.find('.')==-1:
++ VAL3=VAL3[:len(VAL3)-6]+'.'+VAL3[-6:]
++ VAL4=lines[lineIdx][channelList[obIdx][4]]
++ if VAL4.find('.')==-1:
++ VAL4=VAL4[:len(VAL4)-6]+'.'+VAL4[-6:]
++ VAL5=lines[lineIdx][channelList[obIdx][5]]
++ if VAL5.find('.')==-1:
++ VAL5=VAL5[:len(VAL5)-6]+'.'+VAL5[-6:]
++ x, y, z = eulerRotate(float(VAL3), float(VAL4), float(VAL5))
+ objectList[obIdx].getIpo().getCurve('RotX').addBezier((currentFrame, x))
+ objectList[obIdx].getIpo().getCurve('RotY').addBezier((currentFrame, y))
+ objectList[obIdx].getIpo().getCurve('RotZ').addBezier((currentFrame, z))
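Review bot: The decimal-point rewrite added for every MOTION token, `VAL0=VAL0[:len(VAL0)-6]+'.'+VAL0[-6:]`, assumes any token without a '.' is fixed-point with exactly six fractional digits, so ordinary values a .bvh file may legitimately contain are mangled: '90' becomes '.90' (0.9), '-90' becomes '.-90' and '1e-05' becomes '1e-0.1e-05', and `float()` rejects the last two with ValueError. Nothing in the hunk says which exporter emits decimal-less tokens, so the rewrite should be restricted to the one shape it is meant for (a digit-only token longer than six characters), everything else handed to `float()` unchanged, and the assumption recorded in a comment. The same three lines are pasted six times (VAL0 through VAL5), so this belongs in one helper, sketched below, that each of the six `float(VALn)` calls would use. The enclosing while loop starts and ends outside the hunk.

```python
def _motion_float(tok):
    """Parse one MOTION token as a float.

    Upstream (bvh_import.py r1.7) treats a token without a decimal point as
    fixed-point with six implied fractional digits.  Only digit-only tokens
    longer than six characters get that rewrite; anything else ('90', '-90',
    '1e-05') is left to float() so a valid value is not turned into '.90' or
    '.-90'.  TODO(review): confirm with upstream which exporter writes such
    tokens and whether short integers are meant to be rescaled at all.
    """
    if tok.find('.') == -1:
        digits = tok.lstrip('-')
        if digits.isdigit() and len(digits) > 6:
            tok = tok[:-6] + '.' + tok[-6:]
    return float(tok)

# ... unchanged: loop header and channel guards ...
                objectList[obIdx].getIpo().getCurve('LocX').addBezier((currentFrame, scale * _motion_float(lines[lineIdx][channelList[obIdx][0]])))
# ... unchanged: LocY and LocZ use _motion_float the same way ...
                x, y, z = eulerRotate(_motion_float(lines[lineIdx][channelList[obIdx][3]]), _motion_float(lines[lineIdx][channelList[obIdx][4]]), _motion_float(lines[lineIdx][channelList[obIdx][5]]))
```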