Ubuntu: Blender vulnerabilities - The Community's Center for Security


The central voice for Linux and Open Source security news

Welcome!

Sign up!

EnGarde Community

Polls

What is the most important Linux security technology?

	SELinux
	grsecurity
	CIS Benchmark
	Bastille Linux
	iptables
	LIDS

Advisories

Community

Linux Events

Linux User Groups

Link to Us

Security Center

Book Reviews

Security Dictionary

Security Tips

SELinux

White Papers

Featured Blogs

All About Linux

DanWalsh LiveJournal

Securitydistro

Latest Newsletters

Linux Advisory Watch: March 20th, 2010

Linux Security Week: March 16th, 2010

LinuxSecurity Newsletters

RSS Feeds

Get the LinuxSecurity news you want faster with RSS

Ubuntu: Blender vulnerabilities

User Rating:

How can I rate this item?

Posted by Benjamin D. Thomas

It was discovered that Blender did not correctly handle certain malformed Radiance RGBE images. If a user were tricked into opening a .blend file containing a specially crafted Radiance RGBE image, an attacker could execute arbitrary code with the user's privileges. (CVE-2008-1102)

===========================================================
Ubuntu Security Notice USN-699-1          December 22, 2008
blender vulnerabilities
CVE-2008-1102, CVE-2008-4863
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  blender                         2.41-1ubuntu4.1

After a standard system upgrade you need to restart Blender to effect
the necessary changes.

Details follow:

It was discovered that Blender did not correctly handle certain malformed
Radiance RGBE images. If a user were tricked into opening a .blend file
containing a specially crafted Radiance RGBE image, an attacker could execute
arbitrary code with the user's privileges. (CVE-2008-1102)

It was discovered that Blender did not properly sanitize the Python search
path. A local attacker could execute arbitrary code by inserting a specially
crafted Python file in the Blender working directory. (CVE-2008-4863)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/b/blender/blender_2.41-1ubuntu4.1.diff.gz
      Size/MD5:    25321 a6a2c9e48b5c274d1744d740b0d0501e
    http://security.ubuntu.com/ubuntu/pool/main/b/blender/blender_2.41-1ubuntu4.1.dsc
      Size/MD5:      947 2c501e9883db205fab612b6cd7b50d27
    http://security.ubuntu.com/ubuntu/pool/main/b/blender/blender_2.41.orig.tar.gz
      Size/MD5:  9464385 f6b54ff73c37aaca4d3f5babdd156fbf

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/b/blender/blender_2.41-1ubuntu4.1_amd64.deb
      Size/MD5:  5399852 ee9c0adcf8fb0cf7021dd3d5132dab41

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/b/blender/blender_2.41-1ubuntu4.1_i386.deb
      Size/MD5:  4848820 f68c68e0db4b4ea0b7c8eed29217e398

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/b/blender/blender_2.41-1ubuntu4.1_powerpc.deb
      Size/MD5:  5467466 aee78b058760935e9cbe92e069c3ae19

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/b/blender/blender_2.41-1ubuntu4.1_sparc.deb
      Size/MD5:  5110704 5f03470392a9c258d2116995b0a6e605