# I consider upstream's fix to be sufficient, so:
tags 344398 patch
thanks [EMAIL PROTECTED] BCC'd

On Thu, Dec 22, 2005 at 02:30:46PM +0100, Moritz Muehlenhoff wrote:
> An integer overflow in the header parser for .blend files can potentially
> be exploited to execute code through a heap overflow. Please see 
> http://www.overflow.pl/adv/blenderinteger.txt for details.
> 
> This is CVE-2005-4470.

Moritz, thanks a lot for the pointer!


On Thu, Dec 22, 2005 at 01:37:29PM +0000, Steve Kemp wrote:
>   Woody is non-free so most likely won't get updated.

Agreed, especially since there isn't a real source tarball (the
orig.tar.gz includes the binary for i386 and some additional files).

>   Sarge is vulnerable.

Confirmed.

Steve, btw, any news on CVE-2005-3302 aka bug#330895 (arbitrary code
execution when importing a .bvh file)? Last I heard you were going to
prepare an update unless anybody had an issue with the changes made,
yet I haven't heard of any such issues (or anything at all, to be
precise) since then...


On Thu, Dec 22, 2005 at 02:45:45PM +0100, Wouter van Heyst wrote:
> There was some uncertainty on how to actually exploit that. That also
> leads me to not being sure
> http://projects.blender.org/viewcvs/viewcvs.cgi/blender/source/blender/blenloader/intern/readfile.c.diff?r1=1.219&r2=1.220&cvsroot=bf-blender
> is enough of a fix, is it? 

Wouter, thanks for your initiative!

FWIW, I've put together an update for Sarge's version of the blender
package based on the upstream change mentioned above; please find
attached a cumulative interdiff for both CVE-2005-3302 aka bug#330895
and this bug so these issues can be resolved for Sarge.
Please tell me whether you deem those patches sufficient for a potential
future security advisory, and if not, please provide pointers at what
might be missing.

I'll be afk for the weekend, but I'll come back to this issue on
Monday.

Cheers,
Flo
diff -u blender-2.36/debian/patches/00list blender-2.36/debian/patches/00list
--- blender-2.36/debian/patches/00list
+++ blender-2.36/debian/patches/00list
@@ -2,0 +3,2 @@
+03_fix_arbitrary_code_execution_in_bvh_import.py
+04_fix_integer_overflow_in_readfile.c
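Review bot: the two names appended to 00list omit the `.dpatch` suffix, which dpatch resolves by looking up `name.dpatch` when `name` alone is absent, so they must match the files added further down exactly (`03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch`, `04_fix_integer_overflow_in_readfile.c.dpatch`); they do. Their order relative to each other is immaterial because the two patches touch disjoint files (`release/scripts/bvh_import.py` and `source/blender/blenloader/intern/readfile.c`).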
diff -u blender-2.36/debian/changelog blender-2.36/debian/changelog
--- blender-2.36/debian/changelog
+++ blender-2.36/debian/changelog
@@ -1,3 +1,19 @@
+blender (2.36-1sarge1) stable-security; urgency=high
+
+  * patch release/scripts/bvh_import.py to use float instead of eval by
+    adding 03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch,
+    thus preventing arbitrary code execution when importing a .bvh file;
+    this fix differs from the changes in
+    
<http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scripts/bvh_import.py.diff?r1=1.4&r2=1.5&cvsroot=bf-blender>
+    in that it doesn't provide the new checks introduced therein;
+    for reference, this is CVE-2005-3302 - closes: #330895
+  * patch source/blender/blenloader/intern/readfile.c to fix BlenLoader
+    Integer Overflow by adding 04_fix_integer_overflow_in_readfile.c.dpatch,
+    thus preventing potential code execution via a heap overflow;
+    for reference, this is CVE-2005-4470 - closes: #344398
+
+ -- Florian Ernst <[EMAIL PROTECTED]>  Thu, 22 Dec 2005 23:23:45 +0100
+
 blender (2.36-1) unstable; urgency=high
 
   * The "Back From The Gig" release.
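Review bot: the first changelog entry states that the bvh fix "doesn't provide the new checks introduced" in upstream's r1.5 but not why; a stable-security entry should record the reason (deliberately minimal change, or the omitted checks being unrelated to CVE-2005-3302) so the security team can judge whether `float()` alone closes #330895. The rest of the entry is in order: distribution `stable-security`, version `2.36-1sarge1`, and both CVE ids with their bug closures are present.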
only in patch2:
unchanged:
--- 
blender-2.36.orig/debian/patches/04_fix_integer_overflow_in_readfile.c.dpatch
+++ blender-2.36/debian/patches/04_fix_integer_overflow_in_readfile.c.dpatch
@@ -0,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 04_fix_integer_overflow_in_readfile.c.dpatch by Florian Ernst <[EMAIL 
PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2005-4470, see bug#344398.
+
[EMAIL PROTECTED]@
+diff -urNad blender-2.36~/source/blender/blenloader/intern/readfile.c 
blender-2.36/source/blender/blenloader/intern/readfile.c
+--- blender-2.36~/source/blender/blenloader/intern/readfile.c  2004-12-10 
15:50:39.000000000 +0100
++++ blender-2.36/source/blender/blenloader/intern/readfile.c   2005-12-22 
23:29:13.000000000 +0100
+@@ -601,6 +601,9 @@
+                               }
+                       }
+ 
++                      /* make sure people are not trying to pass bad blend 
files */
++                      if (bhead.len < 0) fd->eof = 1;
++
+                       // bhead now contains the (converted) bhead structure. 
Now read
+                       // the associated data and put everything in a BHeadN 
(creative naming !)
+ 
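Review bot: the added `if (bhead.len < 0) fd->eof = 1;` only sets a flag, and the hunk does not show the allocation of `bhead.len` bytes that the following comment says happens next, so confirm that allocation is guarded by an `fd->eof` test; if it is not, the negative length still reaches the size computation. The check also imposes no upper bound, so a very large positive `len` is still accepted and turns into a large allocation; that is no longer an overflow, and the short-read branch in the next hunk handles the result, but a cap against the remaining file size would fail faster and more obviously. Two presentation points for anyone applying this from the mail: the `[EMAIL PROTECTED]@` line is the archive's address masking of the `@DPATCH@` separator that `dpatch-run` requires, and the `---`/`+++` headers and the `/* make sure ... */` comment line have been wrapped by the mailer, so the inline copy cannot be applied as shown; use the attachment.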
+@@ -615,6 +618,7 @@
+                                       if (readsize != bhead.len) {
+                                               fd->eof = 1;
+                                               MEM_freeN(new_bhead);
++                                              new_bhead = 0;
+                                       }
+                               } else {
+                                       fd->eof = 1;
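Review bot: `new_bhead = 0;` after `MEM_freeN(new_bhead)` in the short-read branch is the right fix for the dangling pointer, but a one-line comment stating that the caller tests `new_bhead` for null after this block would make the intent obvious to the next reader. Also verify that the `else { fd->eof = 1; ...` branch (allocation failure, presumably) leaves `new_bhead` null as well, since the hunk shows only its first line.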
only in patch2:
unchanged:
--- 
blender-2.36.orig/debian/patches/03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch
+++ 
blender-2.36/debian/patches/03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch
@@ -0,0 +1,47 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 03_fix_arbitrary_code_execution_in_bvh_import.py.dpatch by Florian Ernst 
<[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for CVE-2005-3302, see bug#330895
+
[EMAIL PROTECTED]@
+diff -urNad blender-2.36~/release/scripts/bvh_import.py 
blender-2.36/release/scripts/bvh_import.py
+--- blender-2.36~/release/scripts/bvh_import.py        2004-11-07 
17:31:13.000000000 +0100
++++ blender-2.36/release/scripts/bvh_import.py 2005-11-02 13:36:01.000000000 
+0100
+@@ -331,7 +331,7 @@
+       
+       name = lines[lineIdx][1]
+       lineIdx += 2 # Incriment to the next line (Offset)
+-      offset = ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), 
eval(lines[lineIdx][3]) )
++      offset = ( float(lines[lineIdx][1]), float(lines[lineIdx][2]), 
float(lines[lineIdx][3]) )
+       lineIdx += 1 # Incriment to the next line (Channels)
+       
+       # newChannel[Xposition, Yposition, Zposition, Xrotation, Yrotation, 
Zrotation]
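Review bot: replacing `eval()` with `float()` on the three OFFSET tokens removes the code-execution path, since `eval` runs whatever expression the file supplies, but `float()` raises `ValueError` on any non-numeric token and the hunk adds no handler, so a malformed OFFSET line now aborts the import with a traceback. That is a fail-closed outcome and acceptable, but it deserves a sentence in the changelog. Note also that `float()` still accepts exponent forms and, on most platforms, `inf`/`nan`, so the values are numeric but otherwise unbounded; if the upstream r1.5 checks the changelog mentions bound them, that is the argument for adopting them.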
+@@ -367,7 +367,7 @@
+     # Account for an end node
+     if lines[lineIdx][0] == 'End' and lines[lineIdx][1] == 'Site': # There is 
somtimes a name afetr 'End Site' but we will ignore it.
+       lineIdx += 2 # Incriment to the next line (Offset)
+-      offset = ( eval(lines[lineIdx][1]), eval(lines[lineIdx][2]), 
eval(lines[lineIdx][3]) )
++      offset = ( float(lines[lineIdx][1]), float(lines[lineIdx][2]), 
float(lines[lineIdx][3]) )
+       makeEnd(parent, prefix, offset)
+ 
+       # Just so we can remove the Parents in a uniform way- End end never has 
kids
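Review bot: the End Site OFFSET change mirrors the previous hunk and needs nothing further; the `Incriment`, `somtimes` and `afetr` typos in the context lines are upstream's and should stay untouched in a security update so the diff stays minimal.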
+@@ -431,14 +431,14 @@
+         if debug: Blender.Redraw() 
+         while obIdx < len(objectList) -1:
+           if channelList[obIdx][0] != -1:
+-            
objectList[obIdx].getIpo().getCurve('LocX').addBezier((currentFrame, scale * 
eval(lines[lineIdx][channelList[obIdx][0]])))
++            
objectList[obIdx].getIpo().getCurve('LocX').addBezier((currentFrame, scale * 
float(lines[lineIdx][channelList[obIdx][0]])))
+           if channelList[obIdx][1] != -1:
+-            
objectList[obIdx].getIpo().getCurve('LocY').addBezier((currentFrame, scale * 
eval(lines[lineIdx][channelList[obIdx][1]])))
++            
objectList[obIdx].getIpo().getCurve('LocY').addBezier((currentFrame, scale * 
float(lines[lineIdx][channelList[obIdx][1]])))
+           if channelList[obIdx][2] != -1:
+-            
objectList[obIdx].getIpo().getCurve('LocZ').addBezier((currentFrame, scale * 
eval(lines[lineIdx][channelList[obIdx][2]])))
++            
objectList[obIdx].getIpo().getCurve('LocZ').addBezier((currentFrame, scale * 
float(lines[lineIdx][channelList[obIdx][2]])))
+           
+           if channelList[obIdx][3] != '-1' or channelList[obIdx][4] != '-1' 
or channelList[obIdx][5] != '-1':
+-            x, y, z = 
eulerRotate(eval(lines[lineIdx][channelList[obIdx][3]]), 
eval(lines[lineIdx][channelList[obIdx][4]]), 
eval(lines[lineIdx][channelList[obIdx][5]]))
++            x, y, z = 
eulerRotate(float(lines[lineIdx][channelList[obIdx][3]]), 
float(lines[lineIdx][channelList[obIdx][4]]), 
float(lines[lineIdx][channelList[obIdx][5]]))
+             
objectList[obIdx].getIpo().getCurve('RotX').addBezier((currentFrame, x))
+             
objectList[obIdx].getIpo().getCurve('RotY').addBezier((currentFrame, y))
+             
objectList[obIdx].getIpo().getCurve('RotZ').addBezier((currentFrame, z))
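Review bot: the position-channel and rotation sites now use `float()`, which covers every `eval()` visible in this interdiff, but the three hunk headers cover only three regions of the script; grep the patched `bvh_import.py` for any remaining `eval(` before calling the fix complete. A pre-existing inconsistency in the context lines is worth reporting upstream rather than fixing here: the position channels are compared against the integer `-1` while the rotation channels are compared against the string `'-1'`, so if the list holds integers the rotation test is always true for unset channels; not a security issue, but the semantics differ. As with the readfile.c patch, the long `addBezier`/`eulerRotate` lines are wrapped in this mail and must be taken from the attachment.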

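The negative-length check in the readfile.c patch above generalises to a small length validator that runs before any allocation. The following C is an added example written for this page, not Blender's code: it uses a constructed block layout (a 4-byte code followed by a 32-bit little-endian signed length), an assumed per-block cap `MAX_BLOCK_LEN`, and constructed sample inputs, and it rejects negative, oversized and truncated lengths so that the size computation cannot wrap and the body copy cannot run past the input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed block layout (not Blender's real BHead): a 4-byte code followed
 * by a 32-bit little-endian signed length of the data that follows. */
#define HDR_SIZE 8
/* Assumed upper bound for one block body; a real loader picks a limit that
 * suits its format. */
#define MAX_BLOCK_LEN (64 * 1024 * 1024)

typedef struct {
    char code[4];
    int32_t len;
} block_header;

typedef enum {
    LEN_OK = 0,
    LEN_SHORT_HEADER,   /* fewer than HDR_SIZE bytes left in the input */
    LEN_NEGATIVE,       /* sign bit set: the case the upstream patch rejects */
    LEN_TOO_LARGE,      /* exceeds the per-block cap */
    LEN_EXCEEDS_INPUT   /* claims more body bytes than the input still has */
} len_status;

/* Parse the header at buf and validate its length against what remains. */
len_status check_block(const unsigned char *buf, size_t avail, block_header *out)
{
    if (avail < HDR_SIZE) return LEN_SHORT_HEADER;
    memcpy(out->code, buf, 4);
    uint32_t u = (uint32_t)buf[4] | ((uint32_t)buf[5] << 8)
               | ((uint32_t)buf[6] << 16) | ((uint32_t)buf[7] << 24);
    if (u > (uint32_t)INT32_MAX) {      /* would be negative as int32 */
        out->len = -1;
        return LEN_NEGATIVE;
    }
    out->len = (int32_t)u;
    if (out->len > MAX_BLOCK_LEN) return LEN_TOO_LARGE;
    if ((size_t)out->len > avail - HDR_SIZE) return LEN_EXCEEDS_INPUT;
    return LEN_OK;
}

/* Allocate header + body only after the length passed every check, so the
 * size arithmetic is on a value in [0, MAX_BLOCK_LEN] and the copy stays
 * inside the input. Caller frees the result. */
unsigned char *read_block(const unsigned char *buf, size_t avail, block_header *hdr)
{
    if (check_block(buf, avail, hdr) != LEN_OK) return NULL;
    unsigned char *blk = malloc(sizeof(block_header) + (size_t)hdr->len);
    if (blk == NULL) return NULL;
    memcpy(blk, hdr, sizeof(block_header));
    memcpy(blk + sizeof(block_header), buf + HDR_SIZE, (size_t)hdr->len);
    return blk;
}

/* Constructed sample inputs: a valid 4-byte block, a block with len = -1,
 * a block claiming INT32_MAX bytes, and a block claiming 16 bytes of a
 * 4-byte body. */
const unsigned char SAMPLE_GOOD[]  = { 'D','A','T','A', 4,0,0,0, 1,2,3,4 };
const unsigned char SAMPLE_NEG[]   = { 'D','A','T','A', 0xff,0xff,0xff,0xff };
const unsigned char SAMPLE_HUGE[]  = { 'D','A','T','A', 0xff,0xff,0xff,0x7f };
const unsigned char SAMPLE_TRUNC[] = { 'D','A','T','A', 16,0,0,0, 1,2,3,4 };

int main(void)
{
    block_header h;
    unsigned char *blk = read_block(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &h);
    printf("good block:      status=%d len=%d last body byte=%d\n",
           (int)check_block(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &h), h.len,
           blk ? blk[sizeof(block_header) + 3] : -1);
    printf("negative length: status=%d\n", (int)check_block(SAMPLE_NEG, sizeof SAMPLE_NEG, &h));
    printf("huge length:     status=%d\n", (int)check_block(SAMPLE_HUGE, sizeof SAMPLE_HUGE, &h));
    printf("truncated body:  status=%d\n", (int)check_block(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, &h));
    free(blk);
    return 0;
}
```

The order of the checks matters: the sign test comes first because a negative `int32_t` converted to `size_t` becomes a huge value that the later comparisons would not catch, which is exactly the pattern the advisory describes.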