
Re: one-liner for CVE-2007-1253 coupled with some late non-code fixes



On Wed, Mar 14, 2007 at 03:20:14PM +0100, Florian Ernst wrote:
> the upcoming 2.42a-6 of blender addresses CVE-2007-1253 (eval injection
> vulnerability in the kmz_ImportWithMesh.py script) currently affecting
> unstable/testing only.
> Upstream's take on this issue was to simply remove the buggy script, and
> we decided to follow suit, so this fix is basically a one-liner.

> However, there are some late documentation fixes and an update to
> debian/copyright we'd like to include as well, so I'm wondering whether
> you might find the attached debdiff acceptable.

> If not I will upload a new -6 containing just the changes you deem
> acceptable and ask for propagation to testing once it has been built.

AFAICS, a "user-assisted remote attacker" is not a high-priority security
hole.  So even that doesn't seem to be a reason for a freeze exception;
please check with the security team on whether this should be fixed via the
security upload queues.

> +  * As of 2.43, one needs to use a ``YESIAMSTUPID'' macro in
> +    source/creator/creator.c to be able to compile Blender on a 64-bit system.
> +    This matter has not been advertised, but it mainly resides in the fact
> +    that Blender is not 64-bit safe, in particular with respect to saved and
> +    loaded files, especially when that happens between 32-bit and 64-bit
> +    systems. Attention was paid to 64-bit systems, efforts were made, but not
> +    enough to get a releasable version on those systems.
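Review bot: this paragraph states that a `YESIAMSTUPID` macro is needed to compile on a 64-bit system, but not whether the Debian build defines it, so a reader cannot tell whether the shipped 64-bit packages were built that way or what the caveat means for them in practice; say explicitly whether the Debian build sets the macro and what the consequence is for users of those binaries. Minor: the TeX-style ``YESIAMSTUPID'' quotes read oddly in a plain-text file; plain double quotes would do.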

Um, this is not an adequate solution.  If the package is not "a releasable
version on [64-bit] systems", then the binaries should be removed from the
release, not just documented.

> --- blender-2.42a.orig/debian/NEWS
> +++ blender-2.42a/debian/NEWS
> @@ -0,0 +1,16 @@
> +blender (2.42a-6) unstable; urgency=high
> +
> +  * Blender is not 64-bit safe (yet), in particular with respect to saved and
> +    loaded files, especially when that happens between 32-bit and 64-bit
> +    systems. Attention was paid to 64-bit systems, efforts were made, but not
> +    enough to get a releasable version on those systems.
> +
> +  * So, be aware that there might be issues with files manipulated on 64-bit
> +    systems, although everything could be or look fine. The file format might
> +    also change in further releases to make it 64-bit safe, which might lead
> +    to incompatibilities with the files saved with the current 64-bit builds.
> +
> +  * More information is available in the README.Debian file, available under
> +    /usr/share/doc/blender/.
> +
> + -- Cyril Brulebois <cyril.brulebois@enst-bretagne.fr>  Mon, 14 Mar 2007 12:01:01 +0100
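Review bot: the entry covers only the 64-bit caveat and never mentions the change this upload actually makes, the removal of kmz_ImportWithMesh.py for CVE-2007-1253; that removal is the user-visible item a NEWS entry should carry, while the 64-bit text already lives in README.Debian, which the last bullet points to. Also, the trailer line `-- Cyril Brulebois <cyril.brulebois@enst-bretagne.fr>  Mon, 14 Mar 2007 12:01:01 +0100` has the wrong weekday: 14 Mar 2007 was a Wednesday, as the reply header above also shows.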

It also doesn't seem to be "news", therefore doesn't belong in NEWS.Debian?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/


