Bug#332413: CAN-2005-3151: Bufferoverflow in blenderplayer arg parsing
Dan McGrath
danmcgrath.ca at gmail.com
Tue May 15 06:20:53 UTC 2012
Well, I did some testing (on Ubuntu 12.04, but with multiple versions
of blenderplayer) and thought I would add to the report a bit.
Personally, I think this might be gone, but I will leave this up to
you guys. Here is what I found in some tests with the exploit code.
Looking at the shell code, it seems to ultimately end in "/bin/sh", so
I would assume it give me a shell upon successful invocation. While I
was never able to get a sh shell, I did notice some versions would
give telltale output.
blender-2.37a-linux-glibc2.2.5-i386-static gave:
--------------------
<snip>
Loading <garbage> /bin/sh failed: No error
<snip>
--------------------
(gdb reports: warning: Selected architecture i386 is not compatible
with reported target architecture i386:x86-64)
blender-2.60a-linux-glibc27-x86_64/blenderplayer gave:
--------------------
Loading /home/dan/blender-build/build/linux/bin/<garbage chars>failed:
Error: Unable to open
"blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer":
Not a directory.
<snip>
Bus error (core dumped)
--------------------
blender-2.61-linux-glibc27-x86_64 gives
--------------------
Loading /home/dan/blender-build/build/linux/bin/<garbage>failed:
Error: Unable to open
"blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer/blenderplayer":
Not a directory.
<snip>
Bus error (core dumped)
--------------------
So it seems that despite not being able to get an sh shell (cpu NX
protection perhaps?), the suspicious errors ("no error" in 2.37a, and
core dumps in the others), that the problem seems to be gone (no core
dumps or buss errors) in 2.62 release and up (including the latest svn
revision).
If need be, I can probably poke around and try find the revisions this
was fixed, if you need to cheery pick the patch for this bug for the
package. Anyways, hope this helps save some investigation time. o/
More information about the pkg-multimedia-maintainers
mailing list