[Pkg-blender-maintainers] CVE-2007-1253: Eval injection
vulnerability in kmz_ImportWithMesh.py
Cyril Brulebois
cyril.brulebois at enst-bretagne.fr
Fri Mar 16 12:25:26 CET 2007
Florian Ernst <florian_ernst at gmx.net> (16/03/2007):
> Sorry to come back to this once more, but: in your opinion, are the
> issues on 64-bit architectures problematic enough to make blender
> unreleasable on these archs?
I doubt that. Did we have any single bugreport from people using it on
amd64 (which I believe is the most common 64-bit arch)? Not a single
one. All we get is X bugs... So I'd say that it is realasable as-is,
with proper indications of why it might be problematic.
> I must admit I'm quite a bit out of touch, yet I don't know about any
> issues when working on _one_ architecture but only when trying to load
> .blend files generated on another arch ...
Hmm, I'm not sure I'm getting your point (though it could be related to
my too few uptime), sorry. If you're wondering what is unsafe, that is
related to the fact that the binary format doesn't take into account the
size of the different (C) types, and that w/o proper handling, reading a
64-bit float and storing it into a 32-bit one won't do the right thing
(and vice versa).
> The blender developers confirmed that the Debian packages for 64-bit
> systems caused problems?
When I saw they didn't provide amd64 builds and that one has to play a
bit with #define's to get it compiled on 64-bit architecture, I went
there, and I talked about regression. They answered that each and every
release (I guess since opensourcing, since they were commercial builds
for many platforms, inc. 64-bit ones) was affected, thus we cannot call
it a regression. Did we get a single bugreport during the whole sarge
lifetime about that? You know the answer.
> Well, either way I'd hate to drop any packages without having
> sufficient reason to do so.
I can understand that RMs want to drop it, but it's quite sad that
there's no single case were it causes problem (yet, at least)...
The last point is: will people be able to reload their files saved on
buggy/unsafe platforms once safe releases are out? According the
attitude (that I'm not critizing, that's not my point) of the
developers, i.e. protecting themselves with "You shall not use Blender
on such architectures", I guess we can't promise that a transition tool
will exist. But again, that's already the case for all 64-bit archs in
sarge.
I'm sorry not being able to state clearly "yes" or "no", honestly I can
only give you as much information as possible.
Cheers,
--
Cyril
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-blender-maintainers/attachments/20070316/373909ab/attachment.pgp
More information about the Pkg-blender-maintainers
mailing list