Hi all
Summary:
Fact: Blender is vulnerable and the vulnerability is possible code execution
Question 1: Should we bother about updating blender in wheezy (considering the likelyhood of exploit, see below)?
Question 2: Do we have any protection mechanism in wheezy for writing outside allocated area?
Details:
I'm triaging blender. It has a huge list of CVEs where all of them are the same type.
The problem is that size * numberOfEntries can be larger than an integer.
The code looks like this:
pointer = MEM_mallocN(size * numberOfEntries)
So if a crafted file tells that numberOfEntries is large, as large that we have an integer overflow then the allocated memory size will be quite small. Then data will be written to that pointer and hence we have memory overwrite. I'm quite sure someone can craft something that overwrites executeable area meaning we have code excecution and I think this is quite serious.
This is possible if we do not have any protection mechanisms in wheezy that protect against writing data outside the (m)allocated area.
The patch is quite huge and it does not apply cleanly to wheezy so fixing this would be quite some work.
There are however two things to consider:
- The user of blender must load a .blender file from a malicious person.
- The user of blender must use the version in wheezy (well other versions are vulnerable too, but LTS covers wheezy only).
I think the likelihood of someone using the blender version in wheezy to be quite unlikely and someone crafting a malicious blender file that someone is tricked to load is even more unlikely.
So my question to you all is whether we should bother about fixing blender so close to end of life for wheezy LTS support.
I have added the package to dla-needed.txt with a note about this.
Best regards
// Ola
--
--- Inguza Technology AB --- MSc in Information Technology ----
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------