Nico Golde <nion@debian.org> (24/11/2008):
> CVE-2008-4863[0]:
> | Untrusted search path vulnerability in BPY_interface in Blender 2.46
> | allows local users to execute arbitrary code via a Trojan horse Python
> | file in the current working directory, related to an erroneous setting
> | of sys.path by the PySys_SetArgv function.
>
> However, it would be nice if this could get fixed via a regular point update[1].
> Please contact the release team for this.

Hello Stable Release Managers,

please let me know if the following diff (against 2.42a-7.1+etch1) seems acceptable to you.

Mraw,
KiBi.
diff -u blender-2.42a/debian/changelog blender-2.42a/debian/changelog
--- blender-2.42a/debian/changelog
+++ blender-2.42a/debian/changelog
@@ -1,3 +1,18 @@
+blender (2.42a-8) stable; urgency=low
+
+ * Include patch by James Vega (thanks!) to fix security bug: Blender's
+ BPY_interface was calling PySys_SetArgv so that sys.path was prepended
+ with an empty string, resulting in possible arbitrary code execution,
+ when the working directory contains a file named like one that
+ Blender's python scripts try to import (Closes: #503632). That patch
+ removes empty elements from sys.path:
+ - debian/patches/01_sanitize_sys.path
+ This is CVE-2008-4863.
+ * Acknowledge previous NMU by the security team, thanks Devin Carraway.
+ * Update Maintainer/Uploaders.
+
+ -- Cyril Brulebois <kibi@debian.org> Sat, 29 Nov 2008 18:48:10 +0100
+
blender (2.42a-7.1+etch1) stable-security; urgency=high
* Non-maintainer upload by the security team
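Review bot: the entry mixes two changes unrelated to CVE-2008-4863 (the NMU acknowledgement and the Maintainer/Uploaders update) into a stable point update; the release team usually wants a point-update debdiff limited to the fix itself, so either justify the control change in the cover mail or split it out. The description of the mechanism is accurate, but "sys.path was prepended with an empty string" could say when that happens (PySys_SetArgv inserts the directory part of argv[0], which is empty when Blender is started by a bare command name), since that is exactly the case the patch's filter(None, ...) covers and nothing else.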
diff -u blender-2.42a/debian/control blender-2.42a/debian/control
--- blender-2.42a/debian/control
+++ blender-2.42a/debian/control
@@ -1,8 +1,7 @@
Source: blender
Section: graphics
Priority: optional
-Maintainer: Debian Blender Maintainers <pkg-blender-maintainers@lists.alioth.debian.org>
-Uploaders: Masayuki Hatta (mhatta) <mhatta@debian.org>, Florian Ernst <florian@debian.org>, Wouter van Heyst <larstiq@larstiq.dyndns.org>, Cyril Brulebois <cyril.brulebois@enst-bretagne.fr>
+Maintainer: Cyril Brulebois <kibi@debian.org>
Build-Depends: debhelper (>= 5.0.37.2), dpatch, ftgl-dev (>= 2.0.9-1), gettext (>= 0.14.1), libgettextpo-dev, libglut-dev, libjpeg-dev, libpng-dev, libsdl-dev, libz-dev, python2.4-dev, python-central (>= 0.4.17), scons, libtiff4-dev, libopenexr-dev, libavformat-dev, libxi-dev, autotools-dev, pkg-config, g++-3.3 [mips mipsel]
XS-Python-Version: 2.4
Standards-Version: 3.7.2
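Review bot: dropping the Uploaders field and replacing the pkg-blender-maintainers list with a single Maintainer is a packaging change with no bearing on the security fix; in a stable update it only enlarges the diff the release team has to review. Keep it only if the cover mail states why it belongs in this upload (the changelog line "Update Maintainer/Uploaders" does not say).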
diff -u blender-2.42a/debian/patches/00list blender-2.42a/debian/patches/00list
--- blender-2.42a/debian/patches/00list
+++ blender-2.42a/debian/patches/00list
@@ -1,3 +1,4 @@
+01_sanitize_sys.path
02_tmp_in_HOME
04_de_po_fix
10_gnukfreebsd_support
only in patch2:
unchanged:
--- blender-2.42a.orig/debian/patches/01_sanitize_sys.path
+++ blender-2.42a/debian/patches/01_sanitize_sys.path
@@ -0,0 +1,20 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## debian/patches/01_sanitize_sys.path by James Vega <jamessan@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No longer load modules from current directory in Python scripts.
+## DP: CVE-2008-4863, Debian bug #503632
+@@DPATCH@@
+--- a/source/blender/python/BPY_interface.c
++++ b/source/blender/python/BPY_interface.c
+@@ -225,6 +225,10 @@
+ //Start the interpreter
+ Py_Initialize( );
+ PySys_SetArgv( argc_copy, argv_copy );
++ /* Sanitize sys.path to prevent relative imports loading modules in
++ * the current working directory
++ */
++ PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)");
+
+ /* Initialize thread support (also acquires lock) */
+ PyEval_InitThreads();
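Review bot: at the added `PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)")` line the return value is discarded; PyRun_SimpleString returns -1 when the statement raises, and in that case sys.path keeps the empty entry and Blender carries on with nothing but the traceback Python prints itself, so the hardening fails open. Check the result and at least emit a warning, if not abort interpreter setup. Two smaller points: filter(None, ...) removes only the "" entry that PySys_SetArgv inserts, not a "." or other relative entry arriving via PYTHONPATH, so the fix is specific to argv[0] handling; and it relies on Python 2.4 (per Build-Depends), where filter returns a list, so the line would break on any Python 3 port, where filter returns an iterator and sys.path would stop being a list. The comment's "relative imports" is also a misnomer: the problem is ordinary absolute imports being resolved against the working directory.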
Attachment:
signature.asc
Description: Digital signature
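The mechanism the changelog entry describes (PySys_SetArgv leaving "" at the head of sys.path, so a module planted in the working directory is imported in place of the intended one), as an added example that is not part of KiBi's upload or of James Vega's patch. It emulates the argv[0] handling in plain Python rather than embedding the interpreter, and its sanitizer goes one step beyond the patch's filter(None, sys.path) by also dropping "." and other relative entries, which resolve against the cwd the same way; the module and marker names and the scratch directory are constructed for the demonstration.

```python
import importlib
import os
import sys
import tempfile


def emulate_pysys_setargv(path, argv0):
    """Return a copy of `path` with the directory part of argv0 prepended.

    Assumption (simplified model of CPython 2.x): PySys_SetArgv inserts
    dirname(argv[0]) at sys.path[0]. When the binary was found via PATH,
    argv[0] is a bare "blender", so the inserted entry is "", i.e. the
    current working directory.
    """
    return [os.path.dirname(argv0)] + list(path)


def sanitize_sys_path(path):
    """Drop every entry that is resolved against the working directory.

    The Debian patch's filter(None, sys.path) removes only "". This version
    (an extension, not the patch's logic) also drops "." and other relative
    entries, which resolve against the cwd in exactly the same way.
    """
    return [entry for entry in path if entry and os.path.isabs(entry)]


def _fresh_import(name):
    """Import `name` as if for the first time, bypassing finder caches."""
    sys.modules.pop(name, None)
    sys.path_importer_cache.pop("", None)
    importlib.invalidate_caches()
    return importlib.import_module(name)


def trojan_demo(module_name="cwd_trojan_example"):
    """Plant a constructed Trojan module in a scratch cwd and import it twice:
    once with the "" entry PySys_SetArgv would leave, once after sanitizing.

    Returns {"unsanitized_loaded": bool, "sanitized_blocked": bool}.
    """
    saved_path, saved_cwd = list(sys.path), os.getcwd()
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed Trojan horse: a module whose name collides with one the
        # victim script imports. Here it only sets a marker; a real one would
        # run arbitrary code at import time with the victim's privileges.
        with open(os.path.join(workdir, module_name + ".py"), "w") as fh:
            fh.write("MARKER = 'loaded from the working directory'\n")
        os.chdir(workdir)
        try:
            # Vulnerable state: argv[0] == "blender" puts "" at sys.path[0].
            sys.path = emulate_pysys_setargv(saved_path, "blender")
            mod = _fresh_import(module_name)
            results["unsanitized_loaded"] = getattr(mod, "MARKER", None) is not None

            # Hardened state: the same path with cwd-equivalent entries removed.
            sys.path = sanitize_sys_path(sys.path)
            try:
                _fresh_import(module_name)
                results["sanitized_blocked"] = False
            except ImportError:  # ModuleNotFoundError is a subclass
                results["sanitized_blocked"] = True
        finally:
            sys.path = saved_path
            os.chdir(saved_cwd)
            sys.modules.pop(module_name, None)
    return results


if __name__ == "__main__":
    print(trojan_demo())
```

The list comprehension in sanitize_sys_path is deliberate: the patch's filter(None, sys.path) is correct on the Python 2.4 that the package builds against, but on Python 3 filter returns an iterator, and assigning that to sys.path would silently break import resolution rather than harden it.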