[Pkg-blender-maintainers] CVE-2007-1253: Eval injection vulnerability in kmz_ImportWithMesh.py

Florian Ernst florian_ernst at gmx.net
Fri Mar 16 10:33:26 CET 2007


On Thu, Mar 15, 2007 at 10:22:26AM +0100, Cyril Brulebois wrote:
> BTW, Developers' Reference contains in 5.8.5.3 (Preparing packages to
> address security issues): ``The upload should have urgency=high.''
> 
> I believe I followed these instructions as closely as I could, since that
> was my first security upload preparation. Anyway, I guess that Steve
> knows what he's talking about...

That's my take as well. :)

> > Well, how severe are the issues on 64-bit systems really?
> 
> Really, my girlfriend has been using blender on her amd64 for ages and
> didn't notice anything wrong with it (2.42 and 2.43), although I guess
> she didn't test intensively loading files generated on i386 (you know,
> guys "asking" on forums "do no wok!!!" and putting their files online so
> that one can help).
> 
> The sad thing is that even blender developers don't seem to really know,
> since they have to audit the code to make any statement about the possible issues.
> Although I understand that they prefer stating "don't use it on 64-bit
> archs, it is not safe!" over having eventual bug reports and complaints
> about possible issues, not communicating is... well... pff.

Sorry to come back to this once more, but:
in your opinion, are the issues on 64-bit architectures problematic
enough to make blender unreleasable on these archs?

I must admit I'm quite a bit out of touch, yet I don't know about any
issues when working on _one_ architecture but only when trying to load
.blend files generated on another arch ...

> Shall we purely drop all 64-bit architectures? If so, that's a
> regression (from a Debian PoV) since there used to be binaries for them
> (putting the amd64 case apart, not being an official port for sarge),
> even though these packages were affected too (that's been confirmed by
> blender developers).

The blender developers confirmed that the Debian packages for 64-bit
systems caused problems?

Well, either way I'd hate to drop any packages without having sufficient
reason to do so.

> Then I guess that the blender package would be dropped from etch... The
> almost-ready (copyright, Wouter? ;-)) 2.43 is IMHO really suitable for
> experimental/unstable and could be installable as-is from etch for some
> time. Then we could think of providing backports of 2.44 to etch once it
> is out...
> 
> (And I don't really see any alternative...)
> 
> I already told you about how I felt disappointed by that issue, but it's
> not going any better. /me eager to see 2.44 out and that forgotten...

Yeah, I feel your pain, and I'm sorry to stir this once more.

Cheers,
Flo