On Tue, Mar 27, 2007 at 09:50:16PM +0200, Moritz Muehlenhoff wrote:
> Florian Ernst wrote:
> 
> > > Can you make an etch upload with only the removal of the buggy script?
> >                     ^^^^
> > Just for clarity's sake, you mean uploading to testing-proposed-updates?
> 
> Yes.
> 
> > And it will get accepted?
> 
> The change in question would warrant a DSA, so I'm quite sure it will
> get accepted if it only contains the change below. It's easily reviewable
> and fixes a genuine security problem.

Very well, so here we go. :)

RMs, please accept blender_2.42a-5etch1. Debdiffs attached.

> > Sorry for being dense, I hope you can clarify,
> > Cheers,
> > Flo
> 
> I hope that helped.

Yes, thanks Moritz!

Cheers,
Flo
diff -u blender-2.42a/debian/changelog blender-2.42a/debian/changelog --- blender-2.42a/debian/changelog +++ blender-2.42a/debian/changelog @@ -1,3 +1,12 @@ +blender (2.42a-5etch1) testing-proposed-updates; urgency=high + + * Upload to t-p-u after talking to the security team + * Security: No longer ship the kmz_ImportWithMesh.py script since it allows + user-assisted remote attackers to execute arbitrary Python code by + importing a crafted (1) KML or (2) KMZ file [CVE-2007-1253]. + + -- Florian Ernst <florian@debian.org> Wed, 28 Mar 2007 00:45:05 +0200 + blender (2.42a-5) unstable; urgency=high * urgency=high due to RC bugfix targetted at testing diff -u blender-2.42a/debian/rules blender-2.42a/debian/rules --- blender-2.42a/debian/rules +++ blender-2.42a/debian/rules @@ -120,6 +120,9 @@ cp $(CURDIR)/debian/blender.linda-overrides \ $(CURDIR)/debian/blender/usr/share/linda/overrides/blender + # Needed removal, insecure script, see CVE-2007-1253 + rm $(CURDIR)/debian/blender/usr/lib/blender/scripts/kmz_ImportWithMesh.py + # Build architecture-independent files here. binary-indep: build install
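Review bot: the new changelog entry cites CVE-2007-1253 but carries no `Closes: #NNN` reference; if a Debian BTS report exists for this issue, add it so the upload closes it automatically. The entry also describes only what the script allowed, not that the KML/KMZ import feature is being dropped rather than fixed; one sentence saying the script is removed outright (and that users needing the importer should wait for a fixed version) would make the user-visible impact clear to anyone reading the changelog.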
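Review bot: in the debian/rules hunk, `rm $(CURDIR)/debian/blender/usr/lib/blender/scripts/kmz_ImportWithMesh.py` runs without `-f`, so the install step fails hard if the file is ever not at that path. That is the safer behaviour here, because a silent no-op would let the insecure script ship again unnoticed if upstream moved it, but the comment should state that this is intentional, e.g. `# Must fail if the script is not where we expect it; see CVE-2007-1253`. Note also that this only deletes the file from the staged binary package: the script still exists in the source package and is still installed by upstream's install step before being removed, which is acceptable for a t-p-u upload but worth mentioning in the comment.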
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files only in first set of .debs, found in package blender
----------------------------------------------------------
-rw-r--r--  root/root   /usr/lib/blender/scripts/kmz_ImportWithMesh.py

Control files: lines which differ (wdiff format)
------------------------------------------------
Version: [-2.42a-5-] {+2.42a-5etch1+}
Depends: liba52-0.7.4, libavcodec0d (>= 0.cvs20060823), libavformat0d (>= 0.cvs20060823), libc6 (>= 2.3.6-6), libdc1394-13, libfreetype6 (>= 2.2), libgcc1 (>= 1:4.1.1-12), libgettextpo0, libgl1-mesa-glx | libgl1, libglu1-mesa | libglu1, libgsm1 (>= 1.0.10), libjpeg62, libogg0 (>= 1.1.3), libopenexr2c2a (>= 1.2.2), libpng12-0 (>= [-1.2.8rel),-] {+1.2.13-4),+} libraw1394-8, libsdl1.2debian (>= 1.2.10-1), libstdc++6 (>= 4.1.1-12), libvorbis0a (>= 1.1.2), libvorbisenc2 (>= 1.1.2), libx11-6, libxi6, python2.4 (>= 2.3.90), zlib1g (>= 1:1.2.1), python-central (>= 0.5.8)
Installed-Size: [-16144-] {+16112+}