Re: one-liner for CVE-2007-1253 coupled with some late non-code fixes
On Wed, Mar 14, 2007 at 03:20:14PM +0100, Florian Ernst wrote:
> the upcoming 2.42a-6 of blender addresses CVE-2007-1253 (eval injection
> vulnerability in the kmz_ImportWithMesh.py script) currently affecting
> unstable/testing only.
> Upstream's take on this issue was to simply remove the buggy script, and
> we decided to follow suit, so this fix is basically a one-liner.
> However, there are some late documentation fixes and an update to
> debian/copyright we'd like to include as well, so I'm wondering whether
> you might find the attached debdiff acceptable.
> If not I will upload a new -6 containing just the changes you deem
> acceptable and ask for propagation to testing once it has been built.
AFAICS, a "user-assisted remote attacker" is not a high-priority security
hole. So even that doesn't seem to be a reason for a freeze exception;
please check with the security team on whether this should be fixed via the
security upload queues.
> + * As of 2.43, one needs to use a ``YESIAMSTUPID'' macro in
> + source/creator/creator.c to be able to compile Blender on a 64-bit system.
> + This matter has not been advertised, but it mainly resides in the fact
> + that Blender is not 64-bit safe, in particular with respect to saved and
> + loaded files, especially when that happens between 32-bit and 64-bit
> + systems. Attention was paid to 64-bit systems, efforts were made, but not
> + enough to get a releasable version on those systems.
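Review bot: the README paragraph starting "As of 2.43, one needs to use a ``YESIAMSTUPID'' macro" describes a build-time workaround but never says whether the Debian 64-bit binaries are built with it, nor what the practical consequence is for users; state plainly what the packaged build does and that files saved on one architecture may not load correctly on the other, instead of only "efforts were made, but not enough". As a style point, the macro name is quoted TeX-style (``...'') in a plain-text README; use plain double quotes so it reads correctly as shipped.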
Um, this is not an adequate solution. If the package is not "a releasable
version on [64-bit] systems", then the binaries should be removed from the
release, not just documented.
> --- blender-2.42a.orig/debian/NEWS
> +++ blender-2.42a/debian/NEWS
> @@ -0,0 +1,16 @@
> +blender (2.42a-6) unstable; urgency=high
> +
> + * Blender is not 64-bit safe (yet), in particular with respect to saved and
> + loaded files, especially when that happens between 32-bit and 64-bit
> + systems. Attention was paid to 64-bit systems, efforts were made, but not
> + enough to get a releasable version on those systems.
> +
> + * So, be aware that there might be issues with files manipulated on 64-bit
> + systems, although everything could be or look fine. The file format might
> + also change in further releases to make it 64-bit safe, which might lead
> + to incompatibilities with the files saved with the current 64-bit builds.
> +
> + * More information is available in the README.Debian file, available under
> + /usr/share/doc/blender/.
> +
> + -- Cyril Brulebois <cyril.brulebois@enst-bretagne.fr> Mon, 14 Mar 2007 12:01:01 +0100
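Review bot: the trailer line `-- Cyril Brulebois <cyril.brulebois@enst-bretagne.fr> Mon, 14 Mar 2007 12:01:01 +0100` carries the wrong weekday: 14 Mar 2007 is a Wednesday (as the date on this very mail shows), so it should read `Wed, 14 Mar 2007 12:01:01 +0100`. Also, the first bullet repeats verbatim the "Attention was paid to 64-bit systems, efforts were made" paragraph already added to README.Debian; keep the full text in one place and have the NEWS entry only point to it, as the third bullet already does.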
It also doesn't seem to be "news", therefore doesn't belong in NEWS.Debian?
--
Steve Langasek
Debian Developer
vorlon@debian.org http://www.debian.org/
"Give me a lever long enough and a Free OS to set it on, and I can move the world."