
one-liner for CVE-2007-1253 coupled with some late non-code fixes



Dear RMs,

the upcoming 2.42a-6 of blender addresses CVE-2007-1253 (eval injection
vulnerability in the kmz_ImportWithMesh.py script) currently affecting
unstable/testing only.
Upstream's take on this issue was to simply remove the buggy script, and
we decided to follow suit, so this fix is basically a one-liner.

However, there are some late documentation fixes and an update to
debian/copyright we'd like to include as well, so I'm wondering whether
you might find the attached debdiff acceptable.

If not, I will upload a new -6 containing just the changes you deem
acceptable and ask for propagation to testing once it has been built.

Cheers,
Flo
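As an added illustration, not code from the mail or from the removed Blender script (whose source is not on this page): the assumed shape of an eval-based KML coordinate reader next to a hardened reader that accepts only numeric literals. The sample KML and all function names are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample KML, shaped like the input a KMZ importer would read.
SAMPLE_KML = """<kml xmlns="http://www.opengis.net/kml/2.2">
  <Placemark><LineString>
    <coordinates>-122.08,37.42,0 -122.09,37.43,10.5</coordinates>
  </LineString></Placemark>
</kml>"""
NS = {"kml": "http://www.opengis.net/kml/2.2"}
# A single signed numeric literal; names, calls and operators do not match.
_NUM = re.compile(r"^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")

def coords_unsafe(text):
    """Assumed shape of the eval-based pattern: every token is executed as Python."""
    return [tuple(eval(v) for v in triple.split(",")) for triple in text.split()]

def parse_number(token):
    """Accept only a numeric literal and convert it; anything else is rejected."""
    if not _NUM.match(token.strip()):
        raise ValueError("not a numeric literal: %r" % token)
    return float(token)

def coords_safe(text):
    """Hardened reader: each whitespace-separated KML tuple is lon,lat[,alt]."""
    out = []
    for triple in text.split():
        parts = triple.split(",")
        if len(parts) not in (2, 3):
            raise ValueError("bad coordinate tuple: %r" % triple)
        nums = [parse_number(p) for p in parts]
        out.append((nums[0], nums[1], nums[2] if len(nums) == 3 else 0.0))
    return out

def import_coordinates(kml_text):
    """Return the coordinate list of every LineString in a KML document."""
    root = ET.fromstring(kml_text)
    return [coords_safe(node.text or "")
            for node in root.iterfind(".//kml:LineString/kml:coordinates", NS)]

def rejects_expression(token):
    """True if the hardened reader refuses a token that eval() would execute."""
    try:
        parse_number(token)
    except ValueError:
        return True
    return False
```

The unsafe reader returns 3 for the token `abs(-3)` because it ran it as code; the hardened one raises on the same token and only converts literal numbers.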
diff -u blender-2.42a/debian/changelog blender-2.42a/debian/changelog
--- blender-2.42a/debian/changelog
+++ blender-2.42a/debian/changelog
@@ -1,3 +1,14 @@
+blender (2.42a-6) unstable; urgency=high
+
+  * Security: No longer ship the kmz_ImportWithMesh.py script since it allows
+    user-assisted remote attackers to execute arbitrary Python code by
+    importing a crafted (1) KML or (2) KMZ file [CVE-2007-1253].
+  * Updated copyright to reflect the actual license (Closes: #407917).
+  * Added documentation (NEWS, README.Debian) about 64-bit related risks.
+  * Added myself to the Uploaders.
+
+ -- Cyril Brulebois <cyril.brulebois@enst-bretagne.fr>  Wed, 14 Mar 2007 11:06:13 +0100
+
 blender (2.42a-5) unstable; urgency=high
 
   * urgency=high due to RC bugfix targetted at testing
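Review bot: the security entry reads like the CVE description pasted in; the `(1) KML or (2) KMZ` enumeration is CVE-text style, and a plain `a crafted KML or KMZ file` is clearer in a changelog. It would also help to say where the fix lives (the script is deleted at install time in debian/rules and the upstream source is untouched), so the next uploader does not go looking for a patch under debian/patches.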
diff -u blender-2.42a/debian/control blender-2.42a/debian/control
--- blender-2.42a/debian/control
+++ blender-2.42a/debian/control
@@ -2,7 +2,7 @@
 Section: graphics
 Priority: optional
 Maintainer: Debian Blender Maintainers <pkg-blender-maintainers@lists.alioth.debian.org>
-Uploaders: Masayuki Hatta (mhatta) <mhatta@debian.org>, Florian Ernst <florian@debian.org>, Wouter van Heyst <larstiq@larstiq.dyndns.org>
+Uploaders: Masayuki Hatta (mhatta) <mhatta@debian.org>, Florian Ernst <florian@debian.org>, Wouter van Heyst <larstiq@larstiq.dyndns.org>, Cyril Brulebois <cyril.brulebois@enst-bretagne.fr>
 Build-Depends: debhelper (>= 5.0.37.2), dpatch, ftgl-dev (>= 2.0.9-1), gettext (>= 0.14.1), libgettextpo-dev, libglut-dev, libjpeg-dev, libpng-dev, libsdl-dev, libz-dev, python2.4-dev, python-central (>= 0.4.17), scons, libtiff4-dev, libopenexr-dev, libavformat-dev, libxi-dev, autotools-dev, pkg-config, g++-3.3 [mips mipsel]
 XS-Python-Version: 2.4
 Standards-Version: 3.7.2
diff -u blender-2.42a/debian/rules blender-2.42a/debian/rules
--- blender-2.42a/debian/rules
+++ blender-2.42a/debian/rules
@@ -120,6 +120,9 @@
 	cp $(CURDIR)/debian/blender.linda-overrides \
 	   $(CURDIR)/debian/blender/usr/share/linda/overrides/blender
 
+	# Needed removal, insecure script, see CVE-2007-1253
+	rm $(CURDIR)/debian/blender/usr/lib/blender/scripts/kmz_ImportWithMesh.py
+
 
 # Build architecture-independent files here.
 binary-indep: build install
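Review bot: the added empty `+` line after the `rm`, together with the existing blank line that follows it, leaves two consecutive blank lines before the `# Build architecture-independent files here.` comment; drop the added one. Using `rm` without `-f` is the right call: if upstream ever renames or moves the script, the build fails instead of silently shipping it, and the debdiff's "Files only in first set of .debs" section below confirms `/usr/lib/blender/scripts/kmz_ImportWithMesh.py` is gone from the package.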
diff -u blender-2.42a/debian/copyright blender-2.42a/debian/copyright
--- blender-2.42a/debian/copyright
+++ blender-2.42a/debian/copyright
@@ -9,7 +9,7 @@
 
 Basically, Blender is now GPL'd:
 
-  Copyright (C) 2002 Blender Foundation.
+  Copyright (C) 2002-2005 Blender Foundation.
   
   Blender is free software; you can redistribute it and/or modify it
   under the terms of the GNU General Public License as published by
@@ -24,53 +24,42 @@
-  On Debian GNU/Linux systems, the complete text of the GNU General
-  Public License can be found in /usr/share/common-licenses/GPL'.
+On Debian GNU/Linux systems, the complete text of the GNU General
+Public License can be found in /usr/share/common-licenses/GPL'.
 
-However, they offer the following license as an alternative, too:
 
-  Blender License 1.0 (the "BL", see http://www.blender.org/BL/ ).
+However, the following license is offered as an alternative:
 
-  Copyright (C) 2002 Blender Foundation. All Rights Reserved.
-
-  For teams that don't want to operate under the GPL, we're also offering
-  this "non-GPL" Blender License option. This means that you can download
-  the latest sources and tools via FTP or CVS from our site and sign an
-  additional agreement with the Blender Foundation, so you can keep your
-  source modifications confidential. Contact the Blender Foundation via
-  email at license@blender.org so we can discuss how we handle the
-  practical matters.
-
-  A signed agreement allows you to do business with proprietary code, make
-  special derived versions, sell executables, projects or services,
-  provided that:
-
-  1. The BL-ed code remains copyrighted by the original owners, and cannot
-  be transferred to other parties
-
-  2. The BL-ed code cannot be published or re-distributed in any way, and
-  only be available for the internal staff that works directly on the
-  software itself. Employees of partners with which you co-develop on the
-  projects that include BL-ed code are considered 'internal staff' also.
-
-  3. The BL-ed code can be used (sold, distributed) in parts or in its
-  whole only as an executable or as a compiled library/module and its
-  header files.
-
-  4. The usage of the name Blender or the Blender logo is not included in
-  this license. Instead 'including Blender Foundation release X' (or
-  similar) can be used, with 'X' the version number of the initial Blender
-  Foundation release which you started with.
-
-  5. Note that this BL has no authority over some of the external
-  libraries licenses which Blender links with.
-
-  Additionally you get :
-
-  1. The right to use Blender Foundation source updates for a 1 year
-  period.
-
-  2. Support. Details to be determined by the additional agreement.
-
-  You are invited to donate your proprietary changes back to the open
-  source community after a reasonable time period. You are of course free
-  to choose not to do this.
+  Blender License (the "BL", see http://www.blender.org/BL/ ).
+  
+  Copyright (C) 2002-2005 Blender Foundation. All Rights Reserved.
+  
+  This text supersedes the previous BL description, called Blender License 1.0.
+  
+  When the Blender source code was released in 2002, the Blender Foundation reserved 
+  the right to offer licenses outside of the GNU GPL. This so-called "dual license" 
+  model was chosen to provide potential revenues for the Blender Foundation. 
+  
+  The BL has not been activated yet. Partially because;
+  
+  - there has to be a clear benefit for Blender itself and its community of 
+    developers and users.
+  - the developers who have copyrighted additions to the source code need to approve 
+    the decision.
+  - the (c) holder NaN Holding has to approve on a standard License Contract
+  
+  But most important; 
+  
+  - the Blender Foundation is financially healthy, based on community support
+    (e-shop sales), sponsoring and subsidy grants
+  - current focus for the Blender Foundation is to not set up any commercial
+    activity related to Blender development.
+  - the GNU GPL provides sufficient freedom for third parties to conduct business
+    with Blender
+  
+  For these reasons we've decided to cancel the BL offering for an indefinite period.
+  
+  Third parties interested to discuss usage or exploitation of Blender can email 
+  license@blender.org for further information.
+  
+  Ton Roosendaal
+  Chairman Blender Foundation.
+  June 2005
 
-  End of BL terms and conditions.
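Review bot: the reindented GPL pointer keeps the stray closing quote in `/usr/share/common-licenses/GPL'.`; since both lines are being rewritten anyway, make it `/usr/share/common-licenses/GPL.`. Several of the added BL lines (`When the Blender source code was released in 2002, ...`, `But most important; `, `Third parties interested to discuss ...`) also carry trailing whitespace; strip it before upload.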
diff -u blender-2.42a/debian/README.Debian blender-2.42a/debian/README.Debian
--- blender-2.42a/debian/README.Debian
+++ blender-2.42a/debian/README.Debian
@@ -1,18 +1,46 @@
+blender (2.42a-6) unstable; urgency=high
+
+  * As of 2.43, one needs to use a ``YESIAMSTUPID'' macro in
+    source/creator/creator.c to be able to compile Blender on a 64-bit system.
+    This matter has not been advertised, but it mainly resides in the fact
+    that Blender is not 64-bit safe, in particular with respect to saved and
+    loaded files, especially when that happens between 32-bit and 64-bit
+    systems. Attention was paid to 64-bit systems, efforts were made, but not
+    enough to get a releasable version on those systems.
+
+  * So, be aware that there might be issues with files manipulated on 64-bit
+    systems, although everything could be or look fine. The file format might
+    also change in further releases to make it 64-bit safe, which might lead
+    to incompatibilities with the files saved with the current 64-bit builds.
+
+  * After the 2.43 release, the lead developer also promised (on Freenode, on
+    the #blendercoders chan):
+      ``We won't do another release without 64 bits blender!''
+    This problem is a priority, and it will be addressed in CVS as soon as
+    possible, possibly for 2.44.
+
+  * Interested readers might want to refer to the following thread on
+    upstream's bf-committers list:
+      http://projects.blender.org/pipermail/bf-committers/2007-January/017258.html
+
+ -- Cyril Brulebois <cyril.brulebois@enst-bretagne.fr>  Mon, 14 Mar 2007 11:46:00 +0100
+
 blender (2.40-1) unstable; urgency=low
 
- As blender is generally trying to get the most out of your graphics hardware
- it might trigger bugs in the corresponding drivers without actually being
- responsible for any malfunctioning.
- If you experience strange crashes please always try checking your setup first
- as outlined in
-  http://dri.freedesktop.org/wiki/TestingAndDebugging
- as well as the Debian bugreport
-  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=273651
- I.e., try running blender via "LIBGL_ALWAYS_INDIRECT=1 blender" and see whether
- this will resolve the problem for you.
-
- Furthermore, please note that starting with the 2.40-1 release blender will
- quit writing its autosave files to /tmp but it will use $HOME/.blender/
- instead by default.
+  * As blender is generally trying to get the most out of your graphics
+    hardware it might trigger bugs in the corresponding drivers without
+    actually being responsible for any malfunctioning.  If you experience
+    strange crashes please always try checking your setup first as outlined in
+      http://dri.freedesktop.org/wiki/TestingAndDebugging
+
+    as well as the Debian bugreport
+      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=273651
+
+    I.e., try running blender via "LIBGL_ALWAYS_INDIRECT=1 blender" and see
+    whether this will resolve the problem for you.
+
+  * Furthermore, please note that starting with the 2.40-1 release blender
+    will quit writing its autosave files to /tmp but it will use
+    $HOME/.blender/ instead by default.
  
  -- Florian Ernst <florian@debian.org>  Tue, 10 Jan 2006 13:26:43 +0100
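Review bot: the trailer `Mon, 14 Mar 2007 11:46:00 +0100` names the wrong weekday; 14 March 2007 was a Wednesday, as the changelog trailer in this same debdiff says (`date -R` produces the right form). The first bullet also opens with "As of 2.43" while this package is 2.42a; a sentence stating that the 64-bit caveat applies to the 2.42a binaries shipped here, and that 2.43 merely made the build refuse to proceed without the macro, would stop readers from dismissing the note as about a future release.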
only in patch2:
unchanged:
--- blender-2.42a.orig/debian/NEWS
+++ blender-2.42a/debian/NEWS
@@ -0,0 +1,16 @@
+blender (2.42a-6) unstable; urgency=high
+
+  * Blender is not 64-bit safe (yet), in particular with respect to saved and
+    loaded files, especially when that happens between 32-bit and 64-bit
+    systems. Attention was paid to 64-bit systems, efforts were made, but not
+    enough to get a releasable version on those systems.
+
+  * So, be aware that there might be issues with files manipulated on 64-bit
+    systems, although everything could be or look fine. The file format might
+    also change in further releases to make it 64-bit safe, which might lead
+    to incompatibilities with the files saved with the current 64-bit builds.
+
+  * More information is available in the README.Debian file, available under
+    /usr/share/doc/blender/.
+
+ -- Cyril Brulebois <cyril.brulebois@enst-bretagne.fr>  Mon, 14 Mar 2007 12:01:01 +0100
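Review bot: NEWS.Debian is what apt-listchanges shows on upgrade, and this entry covers only the 64-bit caveat; the removal of `kmz_ImportWithMesh.py` is a user-visible loss of the KML/KMZ import feature and deserves a line here with the CVE id, not only in the changelog. The trailer has the same `Mon, 14 Mar 2007` weekday slip as README.Debian; 14 March 2007 was a Wednesday.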
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files only in first set of .debs, found in package blender
----------------------------------------------------------
-rw-r--r--  root/root   /usr/lib/blender/scripts/kmz_ImportWithMesh.py

New files in second set of .debs, found in package blender
----------------------------------------------------------
-rw-r--r--  root/root   /usr/share/doc/blender/NEWS.Debian.gz


Control files: lines which differ (wdiff format)
------------------------------------------------
Version: [-2.42a-5-] {+2.42a-6+}
Depends: liba52-0.7.4, libavcodec0d (>= 0.cvs20060823), libavformat0d (>= 0.cvs20060823), libc6 (>= 2.3.6-6), libdc1394-13, libfreetype6 (>= 2.2), libgcc1 (>= 1:4.1.1-12), libgettextpo0, libgl1-mesa-glx | libgl1, libglu1-mesa | libglu1, libgsm1 (>= 1.0.10), libjpeg62, libogg0 (>= 1.1.3), libopenexr2c2a (>= 1.2.2), libpng12-0 (>= [-1.2.8rel),-] {+1.2.13-4),+} libraw1394-8, libsdl1.2debian (>= 1.2.10-1), libstdc++6 (>= 4.1.1-12), libvorbis0a (>= 1.1.2), libvorbisenc2 (>= 1.1.2), libx11-6, libxi6, python2.4 (>= 2.3.90), zlib1g (>= 1:1.2.1), python-central (>= 0.5.8)
Installed-Size: [-16144-] {+15900+}
