blender [CVE-2005-3302]: Arbitrary code execution when importing a .bvh file

Debian Bug report logs - #330895
blender [CVE-2005-3302]: Arbitrary code execution when importing a .bvh file

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Joxean Koret <joxeankoret@yahoo.es>

To: submit@bugs.debian.org

Subject: blender: Arbitrary code execution when importing a .bvh file

Date: Fri, 30 Sep 2005 12:51:35 +0200

[Message part 1 (text/plain, inline)]

Subject: blender: Arbitrary code execution when importing a .bvh file
Package: blender
Version: 2.36-1
Severity: grave
Justification: user security hole

The bvh_import.py script supplied with the current Debian Stable and (I
think) unstable versions of Blender is vulnerable to arbitrary code
execution.

The problem was corrected at 2005/01/22 in the CVS but the main package 
doesn't come with the fixed script.

Attached goes the e-mail sended to the Blender people,  one
working exploit to test the vulnerability under Debian, and 2 proof of
concepts.

Regards,
Joxean Koret

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-386
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-15)

Versions of packages blender depends on:
ii  gettext [libg 0.14.4-2                   GNU Internationalization
utilities
ii  libc6         2.3.2.ds1-22               GNU C Library: Shared
libraries an
ii  libfreetype6  2.1.7-2.4                  FreeType 2 font engine,
shared lib
ii  libgcc1       1:3.4.3-13                 GCC support library
ii  libjpeg62     6b-10                      The Independent JPEG
Group's JPEG 
ii  libopenal0    0.2004090900-1.1           OpenAL is a portable
library for 3
ii  libpng12-0    1.2.8rel-1                 PNG library - runtime
ii  libsdl1.2debi 1.2.7+1.2.8cvs20041007-4.1 Simple DirectMedia Layer
ii  libstdc++5    1:3.3.5-13                 The GNU Standard C++
Library v3
ii  libx11-6      4.3.0.dfsg.1-14            X Window System protocol
client li
ii  python2.3     2.3.5-4                    An interactive high-level
object-o
ii  xlibmesa-gl [ 4.3.0.dfsg.1-14            Mesa 3D graphics library
[XFree86]
ii  xlibmesa-glu  4.3.0.dfsg.1-14            Mesa OpenGL utility library
[XFree
ii  xlibs         4.3.0.dfsg.1-14            X Keyboard Extension (XKB)
configu
ii  zlib1g        1:1.2.2-4.sarge.2          compression library -
runtime

-- no debconf information

[exploit.bvh (text/plain, attachment)]

[first.mail.txt (text/plain, attachment)]

[poc1.bvh (text/plain, attachment)]

[poc2.bvh (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #12 received at 330895@bugs.debian.org (full text, mbox, reply):

From: Florian Ernst <florian@uni-hd.de>

To: 330895@bugs.debian.org

Subject: Re: Bug#330895: blender: Arbitrary code execution when importing a .bvh file

Date: Tue, 1 Nov 2005 18:24:56 +0100

[Message part 1 (text/plain, inline)]

On Fri, 30 Sep 2005 12:51:35 +0200, Joxean Koret wrote:
> The bvh_import.py script supplied with the current Debian Stable and (I
> think) unstable versions of Blender is vulnerable to arbitrary code
> execution.

oldstable (2.23-0.1) isn't affected as it shipped a version of blender
that didn't include this script yet (and was non-free anyway).

stable (2.36-1) is affected, I've attached a naive patch to remove all
'eval's in the script, which in fact basically is what upstream did.
Please see
<http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scripts/bvh_import.py.diff?r1=1.4&r2=1.5&cvsroot=bf-blender>
for upstream details.

testing isn't affected anymore as blender has been removed from
testing due to general bugginess.

unstable (2.36-1 on alpha mips mipsel, 2.37a-1 on all other archs) is
partially affected: while 2.37a includes the upstream fix for this
problem this version hasn't been built on all archs due to bug#333958.

HTH,
Flo

[CVE-2005-3302.diff (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #19 received at 330895@bugs.debian.org (full text, mbox, reply):

From: Florian Ernst <florian@uni-hd.de>

To: 330895@bugs.debian.org

Subject: Re: Bug#330895: blender: Arbitrary code execution when importing a .bvh file

Date: Sun, 6 Nov 2005 12:28:46 +0100

[Message part 1 (text/plain, inline)]

tags 330895 patch
thanks control@b.d.o BCCed

On Fri, 30 Sep 2005 12:51:35 +0200, Joxean Koret wrote:
> The bvh_import.py script supplied with the current Debian Stable and (I
> think) unstable versions of Blender is vulnerable to arbitrary code
> execution.

This time the patch is dpatch'yfied, and I'll also attach a patch that
is closer to upstream, but includes more changes to the code.

HTH,
Flo

[CVE-2005-3302_dpatch.diff (text/plain, attachment)]

[CVE-2005-3302_upstream_dpatch.diff (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #26 received at 330895-done@bugs.debian.org (full text, mbox, reply):

From: Florian Ernst <florian@uni-hd.de>

To: team@security.debian.org

Subject: Re: Bug#330895: [CVE-2005-3302] blender: Arbitrary code execution when importing a .bvh file

Date: Wed, 16 Nov 2005 15:54:07 +0100

[Message part 1 (text/plain, inline)]

Package: blender
Version: 2.37a-1

Dear Security Team,

as this package's maintainer hasn't shown any visible reaction to this
issue I now try to take care...

On Fri, 30 Sep 2005 12:51:35 +0200, Joxean Koret wrote:
> The bvh_import.py script supplied with the current Debian Stable and (I
> think) unstable versions of Blender is vulnerable to arbitrary code
> execution.

I can confirm that this particular vulnerability could trick a user
into executing arbitrary commands with his rights. All an attacker has
to do is to provide a specially crafted bvh file (used for Motion
Capture data) for the user to import into a blender scene, and all
commands contained therein will be executed in the user's environment.
The demo exploit attached to Joxean's mail works under blender-2.36.


Oldstable (2.23-0.1) isn't affected as it shipped a version of blender
that didn't include this script yet (and was in non-free).

Stable (2.36-1) is affected, I've attached two patches that remove all
'eval's in the script, which in fact basically is what upstream did.
The first patch (CVE-2005-3302_upstream_dpatch.diff) essentially
contains what upstream did to resolve this issue, while the second
patch (CVE-2005-3302_dpatch.diff) contains what I considered to be a
minimal set of changes to remove this particular vulnerability.
Please see
<http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scripts/bvh_import.py.diff?r1=1.4&r2=1.5&cvsroot=bf-blender>
for upstream details.
I can confirm that these changes prevent the exploit of this
vulnerability, tested on both blender-2.36 and 2.37a

Testing isn't affected anymore as blender has been removed from
Testing due to general bugginess.

Unstable was partially affected: while 2.37a-1 already included the
upstream fix for this problem this version hadn't been built on all
archs due to bug#333958. However, this FTBFS has been resolved as of
2.37a-1.1, so right now all versions currently present in Unstable are
_not_ vulnerable. Consequently I now close this bug for the
corresponding version in Unstable with this mail.


Please issue an update for Stable when you think it is due time.

HTH,
Flo

[CVE-2005-3302_upstream_dpatch.diff (text/plain, attachment)]

[CVE-2005-3302_dpatch.diff (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.