[gentoo-announce] [ GLSA 200805-12 ] Blender: Multiple vulnerabilities - gentoo-announce

From:	Pierre-Yves Rofes <py@g.o>
To:	gentoo-announce@l.g.o
Cc:	full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200805-12 ] Blender: Multiple vulnerabilities
Date:	Mon, 12 May 2008 21:15:37
Message-Id:	`4828B333.7090505@gentoo.org`

1

-----BEGIN PGP SIGNED MESSAGE-----

2

Hash: SHA1

3

4

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

5

Gentoo Linux Security Advisory                           GLSA 200805-12

6

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

7

                                            http://security.gentoo.org/

8

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

9

10

  Severity: Normal

11

     Title: Blender: Multiple vulnerabilities

12

      Date: May 12, 2008

13

      Bugs: #219008

14

        ID: 200805-12

15

16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

17

18

Synopsis

19

========

20

21

Multiple vulnerabilities in Blender might result in the remote

22

execution of arbitrary code.

23

24

Background

25

==========

26

27

Blender is a 3D creation, animation and publishing program.

28

29

Affected packages

30

=================

31

32

    -------------------------------------------------------------------

33

     Package            /  Vulnerable  /                    Unaffected

34

    -------------------------------------------------------------------

35

  1  media-gfx/blender      < 2.43-r2                       >= 2.43-r2

36

37

Description

38

===========

39

40

Stefan Cornelius (Secunia Research) reported a boundary error within

41

the imb_loadhdr() function in in the file

42

source/blender/imbuf/intern/radiance_hdr.c when processing RGBE images

43

(CVE-2008-1102). Multiple vulnerabilities involving insecure usage of

44

temporary files have also been reported (CVE-2008-1103).

45

46

Impact

47

======

48

49

A remote attacker could entice a user to open a specially crafted file

50

(.hdr or .blend), possibly resulting in the remote execution of

51

arbitrary code with the privileges of the user running the application.

52

53

Workaround

54

==========

55

56

There is no known workaround at this time.

57

58

Resolution

59

==========

60

61

All Blender users should upgrade to the latest version:

62

63

    # emerge --sync

64

    # emerge --ask --oneshot --verbose ">=media-gfx/blender-2.43-r2"

65

66

References

67

==========

68

69

  [ 1 ] CVE-2008-1102

70

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1102

71

  [ 2 ] CVE-2008-1103

72

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1103

73

74

Availability

75

============

76

77

This GLSA and any updates to it are available for viewing at

78

the Gentoo Security Website:

79

80

  http://security.gentoo.org/glsa/glsa-200805-12.xml

81

82

Concerns?

83

=========

84

85

Security is a primary focus of Gentoo Linux and ensuring the

86

confidentiality and security of our users machines is of utmost

87

importance to us. Any security concerns should be addressed to

88

security@g.o or alternatively, you may file a bug at

89

http://bugs.gentoo.org.

90

91

License

92

=======

93

94

Copyright 2008 Gentoo Foundation, Inc; referenced text

95

belongs to its owner(s).

96

97

The contents of this document are licensed under the

98

Creative Commons - Attribution / Share Alike license.

99

100

http://creativecommons.org/licenses/by-sa/2.5

101

-----BEGIN PGP SIGNATURE-----

102

Version: GnuPG v2.0.7 (GNU/Linux)

103

Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

104

105

iD8DBQFIKLMzuhJ+ozIKI5gRAgL3AKCiBLr2pD/Bq/9uEDKPojzTXO4pFQCgjPy6

106

gFqDzljblBc16l4TluwgFF0=

107

=tuDP

108

-----END PGP SIGNATURE-----

109

--

110

gentoo-announce@l.g.o mailing list

1	-----BEGIN PGP SIGNED MESSAGE-----
2	Hash: SHA1
3
4	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5	Gentoo Linux Security Advisory GLSA 200805-12
6	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7	http://security.gentoo.org/
8	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10	Severity: Normal
11	Title: Blender: Multiple vulnerabilities
12	Date: May 12, 2008
13	Bugs: #219008
14	ID: 200805-12
15
16	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18	Synopsis
19	========
20
21	Multiple vulnerabilities in Blender might result in the remote
22	execution of arbitrary code.
23
24	Background
25	==========
26
27	Blender is a 3D creation, animation and publishing program.
28
29	Affected packages
30	=================
31
32	-------------------------------------------------------------------
33	Package / Vulnerable / Unaffected
34	-------------------------------------------------------------------
35	1 media-gfx/blender < 2.43-r2 >= 2.43-r2
36
37	Description
38	===========
39
40	Stefan Cornelius (Secunia Research) reported a boundary error within
41	the imb_loadhdr() function in in the file
42	source/blender/imbuf/intern/radiance_hdr.c when processing RGBE images
43	(CVE-2008-1102). Multiple vulnerabilities involving insecure usage of
44	temporary files have also been reported (CVE-2008-1103).
45
46	Impact
47	======
48
49	A remote attacker could entice a user to open a specially crafted file
50	(.hdr or .blend), possibly resulting in the remote execution of
51	arbitrary code with the privileges of the user running the application.
52
53	Workaround
54	==========
55
56	There is no known workaround at this time.
57
58	Resolution
59	==========
60
61	All Blender users should upgrade to the latest version:
62
63	# emerge --sync
64	# emerge --ask --oneshot --verbose ">=media-gfx/blender-2.43-r2"
65
66	References
67	==========
68
69	[ 1 ] CVE-2008-1102
70	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1102
71	[ 2 ] CVE-2008-1103
72	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1103
73
74	Availability
75	============
76
77	This GLSA and any updates to it are available for viewing at
78	the Gentoo Security Website:
79
80	http://security.gentoo.org/glsa/glsa-200805-12.xml
81
82	Concerns?
83	=========
84
85	Security is a primary focus of Gentoo Linux and ensuring the
86	confidentiality and security of our users machines is of utmost
87	importance to us. Any security concerns should be addressed to
88	security@g.o or alternatively, you may file a bug at
89	http://bugs.gentoo.org.
90
91	License
92	=======
93
94	Copyright 2008 Gentoo Foundation, Inc; referenced text
95	belongs to its owner(s).
96
97	The contents of this document are licensed under the
98	Creative Commons - Attribution / Share Alike license.
99
100	http://creativecommons.org/licenses/by-sa/2.5
101	-----BEGIN PGP SIGNATURE-----
102	Version: GnuPG v2.0.7 (GNU/Linux)
103	Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
104
105	iD8DBQFIKLMzuhJ+ozIKI5gRAgL3AKCiBLr2pD/Bq/9uEDKPojzTXO4pFQCgjPy6
106	gFqDzljblBc16l4TluwgFF0=
107	=tuDP
108	-----END PGP SIGNATURE-----
109	--
110	gentoo-announce@l.g.o mailing list

Gentoo Archives: gentoo-announce