Debian Bug report logs -
#344398
CVE-2005-4470: Integer overhead in header parser for .blend import
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Thu, 22 Dec 2005 13:33:04 UTC
Severity: grave
Tags: fixed, patch, security
Found in version blender/2.37a-1.1
Fixed in version blender/2.40-1
Done: Florian Ernst <florian@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Masayuki Hatta (mhatta) <mhatta@debian.org>
:
Bug#344398
; Package blender
.
(full text, mbox, link).
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Masayuki Hatta (mhatta) <mhatta@debian.org>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: blender
Version: 2.37a-1.1
Severity: grave
Tags: security
Justification: user security hole
An integer overflow in the header parser for .blend files can potentially
be exploited to execute code through a heap overflow. Please see
http://www.overflow.pl/adv/blenderinteger.txt for details.
This is CVE-2005-4470.
Cheers,
Moritz
-- System Information:
Debian Release: 3.1
APT prefers stable
APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>
:
Bug#344398
; Package blender
.
(full text, mbox, link).
Acknowledgement sent to Steve Kemp <skx@debian.org>
:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>
.
(full text, mbox, link).
Message #10 received at 344398@bugs.debian.org (full text, mbox, reply):
On Thu, Dec 22, 2005 at 02:30:46PM +0100, Moritz Muehlenhoff wrote:
> An integer overflow in the header parser for .blend files can potentially
> be exploited to execute code through a heap overflow. Please see
> http://www.overflow.pl/adv/blenderinteger.txt for details.
>
> This is CVE-2005-4470.
Woody is non-free so most likely won't get updated.
Sarge is vulnerable.
Steve
--
Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>
:
Bug#344398
; Package blender
.
(full text, mbox, link).
Acknowledgement sent to Wouter van Heyst <larstiq@larstiq.dyndns.org>
:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>
.
(full text, mbox, link).
Message #15 received at 344398@bugs.debian.org (full text, mbox, reply):
On Thu, Dec 22, 2005 at 02:30:46PM +0100, Moritz Muehlenhoff wrote:
> Package: blender
> Version: 2.37a-1.1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> An integer overflow in the header parser for .blend files can potentially
> be exploited to execute code through a heap overflow. Please see
> http://www.overflow.pl/adv/blenderinteger.txt for details.
There was some uncertainty on how to actually exploit that. That also
leads me to not being sure
http://projects.blender.org/viewcvs/viewcvs.cgi/blender/source/blender/blenloader/intern/readfile.c.diff?r1=1.219&r2=1.220&cvsroot=bf-blender
is enough of a fix, is it?
I only understand the basics of heap-based overflows, I do not yet see
how to use this one. Someone explaining it would be very welcome.
Wouter van Heyst
Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>
:
Bug#344398
; Package blender
.
(full text, mbox, link).
Acknowledgement sent to Florian Ernst <florian@uni-hd.de>
:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>
.
(full text, mbox, link).
Message #20 received at 344398@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
# I consider upstream's fix to be sufficient, so:
tags 344398 patch
thanks control@b.d.o BCC'd
On Thu, Dec 22, 2005 at 02:30:46PM +0100, Moritz Muehlenhoff wrote:
> An integer overflow in the header parser for .blend files can potentially
> be exploited to execute code through a heap overflow. Please see
> http://www.overflow.pl/adv/blenderinteger.txt for details.
>
> This is CVE-2005-4470.
Moritz, thanks a lot for the pointer!
On Thu, Dec 22, 2005 at 01:37:29PM +0000, Steve Kemp wrote:
> Woody is non-free so most likely won't get updated.
Agreed, especially since there isn't a real source tarball (the
orig.tar.gz includes the binary for i386 and some additional files).
> Sarge is vulnerable.
Confirmed.
Steve, btw, any news on CVE-2005-3302 aka bug#330895 (arbitrary code
execution when importing a .bvh file)? Last I heard you were going to
prepare an update unless anybody had an issue with the changes made,
yet I haven't heard of any such issues (or anything at all, to be
precise) since then...
On Thu, Dec 22, 2005 at 02:45:45PM +0100, Wouter van Heyst wrote:
> There was some uncertainty on how to actually exploit that. That also
> leads me to not being sure
> http://projects.blender.org/viewcvs/viewcvs.cgi/blender/source/blender/blenloader/intern/readfile.c.diff?r1=1.219&r2=1.220&cvsroot=bf-blender
> is enough of a fix, is it?
Wouter, thanks for your initiative!
FWIW, I've put together an update for Sarge's version of the blender
package based on the upstream change mentioned above, please find
attached a cumulative interdiff for both CVE-2005-3302 aka bug#330895
and this bug so these issues can be resolved for Sarge.
Please tell whether you deem those patches sufficient for a potential
future security advisory, and if not, please provide pointers at what
might be missing.
I'll be afk for the weekend, but I'll come back to this issue on
Monday.
Cheers,
Flo
[CVE-2005-3302_CVE-2005-4470.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
Tags added: patch
Request was from Florian Ernst <florian@uni-hd.de>
to control@bugs.debian.org
.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>
:
Bug#344398
; Package blender
.
(full text, mbox, link).
Acknowledgement sent to Steve Kemp <skx@debian.org>
:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>
.
(full text, mbox, link).
Message #27 received at 344398@bugs.debian.org (full text, mbox, reply):
On Fri, Dec 23, 2005 at 12:10:00AM +0100, Florian Ernst wrote:
> Steve, btw, any news on CVE-2005-3302 aka bug#330895 (arbitrary code
> execution when importing a .bvh file)? Last I heard you were going to
> prepare an update unless anybody had an issue with the changes made,
> yet I haven't heard of any such issues (or anything at all, to be
> precise) since then...
Utterly slipped my mind. :(
> FWIW, I've put together an update for Sarge's version of the blender
> package based on the upstream change mentioned above, please find
> attached a cumulative interdiff for both CVE-2005-3302 aka bug#330895
> and this bug so these issues can be resolved for Sarge.
Great, thanks a lot.
> Please tell whether you deem those patches sufficient for a potential
> future security advisory, and if not, please provide pointers at what
> might be missing.
It looks good to me. I've built a package and if nobody has any
objections I'll upload later today.
Steve
--
Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>
:
Bug#344398
; Package blender
.
(full text, mbox, link).
Acknowledgement sent to Wouter van Heyst <larstiq@larstiq.dyndns.org>
:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>
.
(full text, mbox, link).
Message #32 received at 344398@bugs.debian.org (full text, mbox, reply):
On Fri, Dec 23, 2005 at 09:55:07AM +0000, Steve Kemp wrote:
> On Fri, Dec 23, 2005 at 12:10:00AM +0100, Florian Ernst wrote:
>
> > Steve, btw, any news on CVE-2005-3302 aka bug#330895 (arbitrary code
> > execution when importing a .bvh file)? Last I heard you were going to
> > prepare an update unless anybody had an issue with the changes made,
> > yet I haven't heard of any such issues (or anything at all, to be
> > precise) since then...
>
> Utterly slipped my mind. :(
>
> > FWIW, I've put together an update for Sarge's version of the blender
> > package based on the upstream change mentioned above, please find
> > attached a cumulative interdiff for both CVE-2005-3302 aka bug#330895
> > and this bug so these issues can be resolved for Sarge.
>
> Great, thanks a lot.
>
> > Please tell whether you deem those patches sufficient for a potential
> > future security advisory, and if not, please provide pointers at what
> > might be missing.
>
> It looks good to me. I've built a package and if nobody has any
> objections I'll upload later today.
No objections from me.
Wouter van Heyst
Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>
:
Bug#344398
; Package blender
.
(full text, mbox, link).
Acknowledgement sent to Steve Kemp <skx@debian.org>
:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>
.
(full text, mbox, link).
Message #37 received at 344398@bugs.debian.org (full text, mbox, reply):
On Fri, Dec 23, 2005 at 05:56:59PM +0100, Wouter van Heyst wrote:
> > It looks good to me. I've built a package and if nobody has any
> > objections I'll upload later today.
>
> No objections from me.
Great I already uploaded the package ;)
Steve
--
Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>
:
Bug#344398
; Package blender
.
(full text, mbox, link).
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>
:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>
.
(full text, mbox, link).
Message #42 received at 344398@bugs.debian.org (full text, mbox, reply):
Steve Kemp wrote:
> > Please tell whether you deem those patches sufficient for a potential
> > future security advisory, and if not, please provide pointers at what
> > might be missing.
>
> It looks good to me.
I can confirm the patch for CVE-2005-3302 is correct, I've sent a similar
patch a few weeks ago.
> I've built a package and if nobody has any
> objections I'll upload later today.
Are you aware of CVE-2005-3151? Real-world exploitability seems quite
unlikely, though.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>
:
Bug#344398
; Package blender
.
(full text, mbox, link).
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>
:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>
.
(full text, mbox, link).
Message #47 received at 344398@bugs.debian.org (full text, mbox, reply):
Wouter van Heyst wrote:
> I only understand the basics of heap-based overflows, I do not yet see
> how to use this one. Someone explaining it would be very welcome.
The two most common ways to exploit integer problems are
a) Integers, which control a memory allocation: By letting this integer
wrap-around you create an empty or generally smaller than excepted
buffer, which the following write to memory overflows
b) Integers which are accidentially signed and for which the programmer
didn't implement sanity checks for negative values, which can lead
to a whole range of other problems.
Blender's problem is an instance of b).
Cheers,
Moritz
Tags added: pending
Request was from Florian Ernst <florian@debian.org>
to control@bugs.debian.org
.
(full text, mbox, link).
Reply sent to Florian Ernst <florian@debian.org>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #54 received at 344398-close@bugs.debian.org (full text, mbox, reply):
Source: blender
Source-Version: 2.40-1
We believe that the bug you reported is fixed in the latest version of
blender, which is due to be installed in the Debian FTP archive:
blender_2.40-1.diff.gz
to pool/main/b/blender/blender_2.40-1.diff.gz
blender_2.40-1.dsc
to pool/main/b/blender/blender_2.40-1.dsc
blender_2.40-1_i386.deb
to pool/main/b/blender/blender_2.40-1_i386.deb
blender_2.40.orig.tar.gz
to pool/main/b/blender/blender_2.40.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 344398@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Florian Ernst <florian@debian.org> (supplier of updated blender package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 16 Jan 2006 16:44:39 +0100
Source: blender
Binary: blender
Architecture: source i386
Version: 2.40-1
Distribution: unstable
Urgency: high
Maintainer: Debian Blender Maintainers <pkg-blender-maintainers@lists.alioth.debian.org>
Changed-By: Florian Ernst <florian@debian.org>
Description:
blender - Very fast and versatile 3D modeller/renderer
Closes: 307811 333958 344398 345442 346144
Changes:
blender (2.40-1) unstable; urgency=high
.
[ Wouter van Heyst ]
* Switch to team based maintenance
* New upstream release - closes: #345442, #346144
+ fixes CVE-2005-4470: Integer overhead in header parser for .blend import
- closes: #344398, urgency=high
* Acknowledge NMU - closes: #333958
.
[ Florian Ernst ]
* New upstream release includes own fixes for building on amd64/gcc4.0;
adjusting debian/patches/03_amd64_gcc40_fix.dpatch and then stop applying
it as it is apparently not needed anymore
* Add debian/patches/SConstruct.diff as well as debian/README.Alioth-CVS
explaining how to use it when building from upstream source + Alioth-CVS
* Add missing build-dependency on libgettextpo-dev, drop hardcoded Depends
on gettext - closes: #307811
* Add Build-Depends on libtiff4-dev for building and Suggests on libtiff4
for dlopen()'ing
* Add README.Debian explaining graphics issues such as random crashes and
interface weirdness, this might eventually be sufficient for resolving
bugs like #299441 and friends...
* Substitute 02_tmp_in_HOME.dpatch for 02_quit_blend_in_homedir.dpatch to
make sure all temporary user data (such as e.g. autosave files) is put
in $HOME/.blender in order to avoid a symlink attack, see bug#298167
* Extend 04_de_po_fix.dpatch
* Remove Conflicts/Replaces on blender-powerpc as this package only exists
in oldstable
* Streamline debian/rules, removing some unneeded cruft
* debian/control: add upstream homepage
* README.Debian: added note about quit.blend now being found in
$HOME/.blender
* debian/watch: added
* Merge (and extend) Ubuntu adjustments as applied by Daniel Holbach
+ ${python:Depends} and dh_python
+ auto-update config.guess via autotools-dev
* debian/source.lintian-overrides: added
* debian/blender.1: escape hyphens where necessary
Files:
3a0fc1a0c4a6ccdf17b97bdeb0c9b7bb 956 graphics optional blender_2.40-1.dsc
3b58026ca9d0b26292ef39d7e2353f31 9298365 graphics optional blender_2.40.orig.tar.gz
1ec60ee9f6e1e1b4afa3fb843586bcf4 15837 graphics optional blender_2.40-1.diff.gz
bf683f3bcc96e9d744205c23821b0f5d 5022926 graphics optional blender_2.40-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDy9G9s3U+TVFLPnwRAqHoAJ4xOLsbIecMtVkGVeJAQFaYN//FPwCeLmKL
0W11UFWSW5qjERVpRf6rwII=
=HuOC
-----END PGP SIGNATURE-----
Tags added: fixed
Request was from Steve Kemp <skx@debian.org>
to control@bugs.debian.org
.
(full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Wed, 27 Jun 2007 08:23:42 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:02:12 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.