
Re: [Secure-testing-team] CVE-2007-1253: blender: eval injection vulnerability in kmz_ImportWithMesh.py



On Tue, Mar 27, 2007 at 09:50:16PM +0200, Moritz Muehlenhoff wrote:
> Florian Ernst wrote:
> 
> > > Can you make an etch upload with only the removal of the buggy script?
> >                   ^^^^
> > Just for clarity's sake, you mean uploading to testing-proposed-updates?
> 
> Yes.
> 
> > And it will get accepted?
> 
> The change in question would warrant a DSA, so I'm quite sure it will
> get accepted if it only contains the change below. It's easily reviewable
> and fixes a genuine security problem.

Very well, so here we go. :)

RMs, please accept blender_2.42a-5etch1. Debdiffs attached.

> > Sorry for being dense, I hope you can clarify,
> > Cheers,
> > Flo
> 
> I hope that helped.

Yes, thanks Moritz!

Cheers,
Flo
diff -u blender-2.42a/debian/changelog blender-2.42a/debian/changelog
--- blender-2.42a/debian/changelog
+++ blender-2.42a/debian/changelog
@@ -1,3 +1,12 @@
+blender (2.42a-5etch1) testing-proposed-updates; urgency=high
+
+  * Upload to t-p-u after talking to the security team
+  * Security: No longer ship the kmz_ImportWithMesh.py script since it allows
+    user-assisted remote attackers to execute arbitrary Python code by
+    importing a crafted (1) KML or (2) KMZ file [CVE-2007-1253].
+
+ -- Florian Ernst <florian@debian.org>  Wed, 28 Mar 2007 00:45:05 +0200
+
 blender (2.42a-5) unstable; urgency=high
 
   * urgency=high due to RC bugfix targetted at testing
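Review bot: the new changelog entry is clear about the impact and cites CVE-2007-1253, but it should say that the fix is a removal, not a repair: "No longer ship the kmz_ImportWithMesh.py script" reads as an implementation detail, while for users it means the KML/KMZ importer disappears from the package without replacement. A short phrase such as "removed rather than patched; the importer is no longer available" in the entry would make that trade-off visible to anyone reading the DSA or the changelog later, and the t-p-u line could mention that the upload was coordinated with the security team by name of the list, since that justifies the urgency=high.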
diff -u blender-2.42a/debian/rules blender-2.42a/debian/rules
--- blender-2.42a/debian/rules
+++ blender-2.42a/debian/rules
@@ -120,6 +120,9 @@
 	cp $(CURDIR)/debian/blender.linda-overrides \
 	   $(CURDIR)/debian/blender/usr/share/linda/overrides/blender
 
+	# Needed removal, insecure script, see CVE-2007-1253
+	rm $(CURDIR)/debian/blender/usr/lib/blender/scripts/kmz_ImportWithMesh.py
+
 
 # Build architecture-independent files here.
 binary-indep: build install
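Review bot: the unconditional `rm` on the added line is the right choice here, because a build failure when the file is missing is a loud signal that the script path changed upstream, rather than silently shipping the vulnerable importer again. Two points worth addressing: first, the removal lives only in the binary build step, so the orig tarball and the unpacked source still carry kmz_ImportWithMesh.py, and the changelog's "no longer ship" wording is accurate only for the .deb; a comment on the `rm` line saying that the source still contains the script would avoid confusion for the next uploader. Second, the hunk adds a second consecutive blank line before the "# Build architecture-independent files here." comment (the `+` blank plus the existing one), which could be dropped to keep the rules file tidy.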
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files only in first set of .debs, found in package blender
----------------------------------------------------------
-rw-r--r--  root/root   /usr/lib/blender/scripts/kmz_ImportWithMesh.py


Control files: lines which differ (wdiff format)
------------------------------------------------
Version: [-2.42a-5-] {+2.42a-5etch1+}
Depends: liba52-0.7.4, libavcodec0d (>= 0.cvs20060823), libavformat0d (>= 0.cvs20060823), libc6 (>= 2.3.6-6), libdc1394-13, libfreetype6 (>= 2.2), libgcc1 (>= 1:4.1.1-12), libgettextpo0, libgl1-mesa-glx | libgl1, libglu1-mesa | libglu1, libgsm1 (>= 1.0.10), libjpeg62, libogg0 (>= 1.1.3), libopenexr2c2a (>= 1.2.2), libpng12-0 (>= [-1.2.8rel),-] {+1.2.13-4),+} libraw1394-8, libsdl1.2debian (>= 1.2.10-1), libstdc++6 (>= 4.1.1-12), libvorbis0a (>= 1.1.2), libvorbisenc2 (>= 1.1.2), libx11-6, libxi6, python2.4 (>= 2.3.90), zlib1g (>= 1:1.2.1), python-central (>= 0.5.8)
Installed-Size: [-16144-] {+16112+}
