[Secure-testing-team] Bug#503632: blender: Python scripts load modules from current directory

James Vega jamessan at debian.org
Mon Oct 27 04:37:12 UTC 2008


Package: blender
Version: 2.46+dfsg-4
Severity: grave
Tags: security
Justification: user security hole
Usertags: pythonpath

Blender's BPY_interface calls PySys_SetArgv such that Python prepends
sys.path with an empty string (which Python resolves to the current
working directory at import time).  This makes it possible to run
arbitrary code on the user's system if Blender's working directory
contains a Python file with the same name as a module that Blender's
Python scripts import.
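The following is an added illustration, not code from this report or from
Blender: a small Python model of the sys.path entry that PySys_SetArgv
produces, the hardening an embedding application can apply afterwards
(dropping '' and the working directory), and an audit helper that lists
which files in a directory would shadow a given set of imports.  The
module name "bpymodules" and the directory layout are constructed for the
demonstration; later Python releases (2.6.6 / 3.1.3) also added
PySys_SetArgvEx with an updatepath argument that avoids the entry entirely.

```python
import os
import tempfile


def sys_path_prefix_from_argv0(argv0):
    # Simplified model (assumption, not Blender's code) of what Python 2.x
    # PySys_SetArgv prepends to sys.path: the directory part of argv[0],
    # which is the empty string when argv[0] is a bare program name.
    # Python treats '' in sys.path as "the working directory at import time".
    return os.path.dirname(argv0)


def harden_sys_path(path_entries, cwd=None):
    # Drop '' and any entry that resolves to the working directory, so
    # modules are never imported from wherever the application was started.
    # On Python >= 2.6.6 / 3.1.3 an embedding application can instead call
    # PySys_SetArgvEx(argc, argv, 0) so the entry is never added at all.
    cwd = os.path.abspath(cwd or os.getcwd())
    kept = []
    for entry in path_entries:
        if entry == "":
            continue
        if os.path.abspath(entry) == cwd:
            continue
        kept.append(entry)
    return kept


def shadowing_files(directory, module_names):
    # Audit: which of module_names would be satisfied from `directory` if it
    # sat at the front of sys.path?  Either <name>.py or <name>/__init__.py.
    found = {}
    for name in module_names:
        module_file = os.path.join(directory, name + ".py")
        package_init = os.path.join(directory, name, "__init__.py")
        if os.path.isfile(module_file):
            found[name] = module_file
        elif os.path.isfile(package_init):
            found[name] = package_init
    return found


def demo_audit():
    # Constructed scenario: a working directory holding an empty file whose
    # name matches a module the embedded scripts import.  "bpymodules" is a
    # constructed name, not a statement about Blender's real module layout.
    imports = ["os", "sys", "bpymodules"]
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "bpymodules.py"), "w") as f:
            f.write("")
        unsafe_path = [sys_path_prefix_from_argv0("blender"),
                       "/usr/lib/python2.5"]
        shadowed = sorted(shadowing_files(workdir, imports))
        safe_path = harden_sys_path(unsafe_path, cwd=workdir)
        return {
            "unsafe_path": unsafe_path,
            "shadowed_from_workdir": shadowed,
            "hardened_path": safe_path,
        }


if __name__ == "__main__":
    for key, value in demo_audit().items():
        print(key, value)
```

Running the script shows the '' entry at the front of the modelled path, the
constructed bpymodules.py being the only file that would shadow one of the
imports, and the hardened path with the working directory removed.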

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages blender depends on:
ii  gettext [libgettextpo0 0.17-4            GNU Internationalization utilities
pn  libalut0               <none>            (no description available)
pn  libavcodec51 | libavco <none>            (no description available)
pn  libavformat52 | libavf <none>            (no description available)
pn  libavutil49 | libavuti <none>            (no description available)
ii  libc6                  2.7-15            GNU C Library: Shared libraries
pn  libdc1394-22           <none>            (no description available)
ii  libfreetype6           2.3.7-2           FreeType 2 font engine, shared lib
pn  libftgl2               <none>            (no description available)
ii  libgcc1                1:4.3.2-1         GCC support library
ii  libgl1-mesa-glx [libgl 7.0.3-6           A free implementation of the OpenG
ii  libglu1-mesa [libglu1] 7.0.3-6           The OpenGL utility library (GLU)
pn  libgsm1                <none>            (no description available)
ii  libilmbase6            1.0.1-2+nmu2      several utility libraries from ILM
ii  libjpeg62              6b-14             The Independent JPEG Group's JPEG 
ii  libogg0                1.1.3-4           Ogg Bitstream Library
pn  libopenal1             <none>            (no description available)
ii  libopenexr6            1.6.1-3           runtime files for the OpenEXR imag
ii  libpng12-0             1.2.27-2          PNG library - runtime
ii  libraw1394-8           1.3.0-4           library for direct access to IEEE 
pn  libsdl1.2debian        <none>            (no description available)
ii  libstdc++6             4.3.2-1           The GNU Standard C++ Library v3
pn  libswscale0 | libswsca <none>            (no description available)
ii  libtheora0             1.0~beta3-1       The Theora Video Compression Codec
ii  libvorbis0a            1.2.0.dfsg-3.1    The Vorbis General Audio Compressi
ii  libvorbisenc2          1.2.0.dfsg-3.1    The Vorbis General Audio Compressi
ii  libx11-6               2:1.1.5-2         X11 client-side library
ii  libxi6                 2:1.1.3-1         X11 Input extension library
ii  python                 2.5.2-2           An interactive high-level object-o
ii  python-support         0.8.6             automated rebuilding support for P
ii  python2.5              2.5.2-11.1        An interactive high-level object-o
ii  ttf-dejavu             2.25-3            Metapackage to pull in ttf-dejavu-
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

blender recommends no packages.

Versions of packages blender suggests:
ii  libtiff4                      3.8.2-11   Tag Image File Format (TIFF) libra
pn  yafray                        <none>     (no description available)
