[Pkg-blender-maintainers] CVE-2007-1253: Eval injection vulnerability in kmz_ImportWithMesh.py

Cyril Brulebois cyril.brulebois at enst-bretagne.fr
Wed Mar 14 12:24:05 CET 2007 

Florian Ernst <florian_ernst at gmx.net> (14/03/2007):
> Yeah, this quite looks like the way to go. Furthermore, it seems this
> script was first introduced in 2.42, so this issue doesn't even affect
> stable or oldstable. Thus I'll let the Debian security teams know they
> don't need to worry about this.

Heh, I was checking that when your mail came in. :-)

> No much that needs to be done extra, see above. Removing the file from
> the binary package will apparently be sufficient, so this turns out to
> be a one-liner. *phew*

I have to say that I didn't expect it to be so quick. I didn't add any
"-" at the beginning of the line so that we can think of removing this
line when no longer needed (2.43 or later).

> Hmm, a documentation update. Normally OK, but as of yesterday's new
> release update[0] those aren't explicitely blessed. Well, I'd say
> include them nonetheless as they aren't code changes and won't affect
> any functionality.

Irk, I wasn't at home yesterday and didn't read it carefully, just read
the kernel/d-i bits and planned schedule... But as you said, these are
pure documentation changes, and furthermore, the Blender team wasn't
that communicative about this problem, so we didn't get the appropriate
information with a perfect timing. I hope it will be OK.

> І'll be available, so just drop me some note and I will react asap. :)

Please fetch the .dsc and .diff.gz files and tell me your mind about
them. I'm not sure about the security team will open a bug in the BTS to
document this problem or if we just have to upload the package without
any bug number reference (I mean "Closes: #bug", not the CVE reference).

They will be uploaded at the following location as soon as the build is
finished (and I'm sure that the script isn't present in the binary):
<http://kibi.sysif.net/pub/packages/blender-security/>.

Cheers,

-- 
Cyril Brulebois
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-blender-maintainers/attachments/20070314/e1a3c4a5/attachment-0001.pgp

More information about the Pkg-blender-maintainers mailing list