CVE-2005-4470: Integer overhead in header parser for .blend import

Debian Bug report logs - #344398
CVE-2005-4470: Integer overhead in header parser for .blend import

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2005-4470: Integer overhead in header parser for .blend import

Date: Thu, 22 Dec 2005 14:30:46 +0100

Package: blender
Version: 2.37a-1.1
Severity: grave
Tags: security
Justification: user security hole

An integer overflow in the header parser for .blend files can potentially
be exploited to execute code through a heap overflow. Please see 
http://www.overflow.pl/adv/blenderinteger.txt for details.

This is CVE-2005-4470.

Cheers,
          Moritz

-- System Information:
Debian Release: 3.1
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Message #10 received at 344398@bugs.debian.org (full text, mbox, reply):

From: Steve Kemp <skx@debian.org>

To: 344398@bugs.debian.org

Cc: team@security.debian.org

Subject: Re: Bug#344398: CVE-2005-4470: Integer overhead in header parser for .blend import

Date: Thu, 22 Dec 2005 13:37:29 +0000

On Thu, Dec 22, 2005 at 02:30:46PM +0100, Moritz Muehlenhoff wrote:

> An integer overflow in the header parser for .blend files can potentially
> be exploited to execute code through a heap overflow. Please see 
> http://www.overflow.pl/adv/blenderinteger.txt for details.
> 
> This is CVE-2005-4470.

  Woody is non-free so most likely won't get updated.

  Sarge is vulnerable.

Steve
--

Message #15 received at 344398@bugs.debian.org (full text, mbox, reply):

From: Wouter van Heyst <larstiq@larstiq.dyndns.org>

To: Moritz Muehlenhoff <jmm@inutil.org>, 344398@bugs.debian.org

Subject: Re: Bug#344398: CVE-2005-4470: Integer overhead in header parser for .blend import

Date: Thu, 22 Dec 2005 14:45:45 +0100

On Thu, Dec 22, 2005 at 02:30:46PM +0100, Moritz Muehlenhoff wrote:
> Package: blender
> Version: 2.37a-1.1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> An integer overflow in the header parser for .blend files can potentially
> be exploited to execute code through a heap overflow. Please see 
> http://www.overflow.pl/adv/blenderinteger.txt for details.

There was some uncertainty on how to actually exploit that. That also
leads me to not being sure
http://projects.blender.org/viewcvs/viewcvs.cgi/blender/source/blender/blenloader/intern/readfile.c.diff?r1=1.219&r2=1.220&cvsroot=bf-blender
is enough of a fix, is it? 

I only understand the basics of heap-based overflows, I do not yet see
how to use this one. Someone explaining it would be very welcome.

Wouter van Heyst

Message #20 received at 344398@bugs.debian.org (full text, mbox, reply):

From: Florian Ernst <florian@uni-hd.de>

To: Moritz Muehlenhoff <jmm@inutil.org>, Steve Kemp <skx@debian.org>, Wouter van Heyst <larstiq@larstiq.dyndns.org>

Cc: 344398@bugs.debian.org, team@security.debian.org

Subject: Re: CVE-2005-4470: Integer overhead in header parser for .blend import

Date: Fri, 23 Dec 2005 00:10:00 +0100

[Message part 1 (text/plain, inline)]

# I consider upstream's fix to be sufficient, so:
tags 344398 patch
thanks control@b.d.o BCC'd

On Thu, Dec 22, 2005 at 02:30:46PM +0100, Moritz Muehlenhoff wrote:
> An integer overflow in the header parser for .blend files can potentially
> be exploited to execute code through a heap overflow. Please see 
> http://www.overflow.pl/adv/blenderinteger.txt for details.
> 
> This is CVE-2005-4470.

Moritz, thanks a lot for the pointer!


On Thu, Dec 22, 2005 at 01:37:29PM +0000, Steve Kemp wrote:
>   Woody is non-free so most likely won't get updated.

Agreed, especially since there isn't a real source tarball (the
orig.tar.gz includes the binary for i386 and some additional files).

>   Sarge is vulnerable.

Confirmed.

Steve, btw, any news on CVE-2005-3302 aka bug#330895 (arbitrary code
execution when importing a .bvh file)? Last I heard you were going to
prepare an update unless anybody had an issue with the changes made,
yet I haven't heard of any such issues (or anything at all, to be
precise) since then...


On Thu, Dec 22, 2005 at 02:45:45PM +0100, Wouter van Heyst wrote:
> There was some uncertainty on how to actually exploit that. That also
> leads me to not being sure
> http://projects.blender.org/viewcvs/viewcvs.cgi/blender/source/blender/blenloader/intern/readfile.c.diff?r1=1.219&r2=1.220&cvsroot=bf-blender
> is enough of a fix, is it? 

Wouter, thanks for your initiative!

FWIW, I've put together an update for Sarge's version of the blender
package based on the upstream change mentioned above, please find
attached a cumulative interdiff for both CVE-2005-3302 aka bug#330895
and this bug so these issues can be resolved for Sarge.
Please tell whether you deem those patches sufficient for a potential
future security advisory, and if not, please provide pointers at what
might be missing.

I'll be afk for the weekend, but I'll come back to this issue on
Monday.

Cheers,
Flo

[CVE-2005-3302_CVE-2005-4470.diff (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #27 received at 344398@bugs.debian.org (full text, mbox, reply):

From: Steve Kemp <skx@debian.org>

To: Florian Ernst <florian@uni-hd.de>

Cc: Moritz Muehlenhoff <jmm@inutil.org>, Steve Kemp <skx@debian.org>, Wouter van Heyst <larstiq@larstiq.dyndns.org>, 344398@bugs.debian.org, team@security.debian.org

Subject: Re: CVE-2005-4470: Integer overhead in header parser for .blend import

Date: Fri, 23 Dec 2005 09:55:07 +0000

On Fri, Dec 23, 2005 at 12:10:00AM +0100, Florian Ernst wrote:

> Steve, btw, any news on CVE-2005-3302 aka bug#330895 (arbitrary code
> execution when importing a .bvh file)? Last I heard you were going to
> prepare an update unless anybody had an issue with the changes made,
> yet I haven't heard of any such issues (or anything at all, to be
> precise) since then...

  Utterly slipped my mind.  :(

> FWIW, I've put together an update for Sarge's version of the blender
> package based on the upstream change mentioned above, please find
> attached a cumulative interdiff for both CVE-2005-3302 aka bug#330895
> and this bug so these issues can be resolved for Sarge.

  Great, thanks a lot.

> Please tell whether you deem those patches sufficient for a potential
> future security advisory, and if not, please provide pointers at what
> might be missing.

  It looks good to me.  I've built a package and if nobody has any 
 objections I'll upload later today.

Steve
--

Message #32 received at 344398@bugs.debian.org (full text, mbox, reply):

From: Wouter van Heyst <larstiq@larstiq.dyndns.org>

To: Steve Kemp <skx@debian.org>, 344398@bugs.debian.org

Subject: Re: Bug#344398: CVE-2005-4470: Integer overhead in header parser for .blend import

Date: Fri, 23 Dec 2005 17:56:59 +0100

On Fri, Dec 23, 2005 at 09:55:07AM +0000, Steve Kemp wrote:
> On Fri, Dec 23, 2005 at 12:10:00AM +0100, Florian Ernst wrote:
> 
> > Steve, btw, any news on CVE-2005-3302 aka bug#330895 (arbitrary code
> > execution when importing a .bvh file)? Last I heard you were going to
> > prepare an update unless anybody had an issue with the changes made,
> > yet I haven't heard of any such issues (or anything at all, to be
> > precise) since then...
> 
>   Utterly slipped my mind.  :(
> 
> > FWIW, I've put together an update for Sarge's version of the blender
> > package based on the upstream change mentioned above, please find
> > attached a cumulative interdiff for both CVE-2005-3302 aka bug#330895
> > and this bug so these issues can be resolved for Sarge.
> 
>   Great, thanks a lot.
> 
> > Please tell whether you deem those patches sufficient for a potential
> > future security advisory, and if not, please provide pointers at what
> > might be missing.
> 
>   It looks good to me.  I've built a package and if nobody has any 
>  objections I'll upload later today.

No objections from me.

Wouter van Heyst

Message #37 received at 344398@bugs.debian.org (full text, mbox, reply):

From: Steve Kemp <skx@debian.org>

To: Wouter van Heyst <larstiq@larstiq.dyndns.org>

Cc: 344398@bugs.debian.org

Subject: Re: Bug#344398: CVE-2005-4470: Integer overhead in header parser for .blend import

Date: Fri, 23 Dec 2005 16:58:33 +0000

On Fri, Dec 23, 2005 at 05:56:59PM +0100, Wouter van Heyst wrote:

> >   It looks good to me.  I've built a package and if nobody has any 
> >  objections I'll upload later today.
> 
> No objections from me.

  Great I already uploaded the package ;)

Steve
--

Message #42 received at 344398@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Steve Kemp <skx@debian.org>

Cc: Florian Ernst <florian@uni-hd.de>, Wouter van Heyst <larstiq@larstiq.dyndns.org>, 344398@bugs.debian.org, team@security.debian.org

Subject: Re: CVE-2005-4470: Integer overhead in header parser for .blend import

Date: Fri, 23 Dec 2005 21:30:51 +0100

Steve Kemp wrote:
> > Please tell whether you deem those patches sufficient for a potential
> > future security advisory, and if not, please provide pointers at what
> > might be missing.
> 
>   It looks good to me. 

I can confirm the patch for CVE-2005-3302 is correct, I've sent a similar
patch a few weeks ago.

> I've built a package and if nobody has any 
>  objections I'll upload later today.

Are you aware of CVE-2005-3151? Real-world exploitability seems quite
unlikely, though.

Cheers,
        Moritz

Message #47 received at 344398@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Wouter van Heyst <larstiq@larstiq.dyndns.org>

Cc: 344398@bugs.debian.org

Subject: Re: Bug#344398: CVE-2005-4470: Integer overhead in header parser for .blend import

Date: Fri, 23 Dec 2005 22:27:36 +0100

Wouter van Heyst wrote:
> I only understand the basics of heap-based overflows, I do not yet see
> how to use this one. Someone explaining it would be very welcome.

The two most common ways to exploit integer problems are 
a) Integers, which control a memory allocation: By letting this integer
   wrap-around you create an empty or generally smaller than excepted
   buffer, which the following write to memory overflows
b) Integers which are accidentially signed and for which the programmer
   didn't implement sanity checks for negative values, which can lead
   to a whole range of other problems.

Blender's problem is an instance of b).

Cheers,
        Moritz

Message #54 received at 344398-close@bugs.debian.org (full text, mbox, reply):

From: Florian Ernst <florian@debian.org>

To: 344398-close@bugs.debian.org

Subject: Bug#344398: fixed in blender 2.40-1

Date: Mon, 16 Jan 2006 09:32:10 -0800

Source: blender
Source-Version: 2.40-1

We believe that the bug you reported is fixed in the latest version of
blender, which is due to be installed in the Debian FTP archive:

blender_2.40-1.diff.gz
  to pool/main/b/blender/blender_2.40-1.diff.gz
blender_2.40-1.dsc
  to pool/main/b/blender/blender_2.40-1.dsc
blender_2.40-1_i386.deb
  to pool/main/b/blender/blender_2.40-1_i386.deb
blender_2.40.orig.tar.gz
  to pool/main/b/blender/blender_2.40.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 344398@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Ernst <florian@debian.org> (supplier of updated blender package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 16 Jan 2006 16:44:39 +0100
Source: blender
Binary: blender
Architecture: source i386
Version: 2.40-1
Distribution: unstable
Urgency: high
Maintainer: Debian Blender Maintainers <pkg-blender-maintainers@lists.alioth.debian.org>
Changed-By: Florian Ernst <florian@debian.org>
Description: 
 blender    - Very fast and versatile 3D modeller/renderer
Closes: 307811 333958 344398 345442 346144
Changes: 
 blender (2.40-1) unstable; urgency=high
 .
   [ Wouter van Heyst ]
   * Switch to team based maintenance
   * New upstream release - closes: #345442, #346144
     + fixes CVE-2005-4470: Integer overhead in header parser for .blend import
       - closes: #344398, urgency=high
   * Acknowledge NMU - closes: #333958
 .
   [ Florian Ernst ]
   * New upstream release includes own fixes for building on amd64/gcc4.0;
     adjusting debian/patches/03_amd64_gcc40_fix.dpatch and then stop applying
     it as it is apparently not needed anymore
   * Add debian/patches/SConstruct.diff as well as debian/README.Alioth-CVS
     explaining how to use it when building from upstream source + Alioth-CVS
   * Add missing build-dependency on libgettextpo-dev, drop hardcoded Depends
     on gettext - closes: #307811
   * Add Build-Depends on libtiff4-dev for building and Suggests on libtiff4
     for dlopen()'ing
   * Add README.Debian explaining graphics issues such as random crashes and
     interface weirdness, this might eventually be sufficient for resolving
     bugs like #299441 and friends...
   * Substitute 02_tmp_in_HOME.dpatch for 02_quit_blend_in_homedir.dpatch to
     make sure all temporary user data (such as e.g. autosave files) is put
     in $HOME/.blender in order to avoid a symlink attack, see bug#298167
   * Extend 04_de_po_fix.dpatch
   * Remove Conflicts/Replaces on blender-powerpc as this package only exists
     in oldstable
   * Streamline debian/rules, removing some unneeded cruft
   * debian/control: add upstream homepage
   * README.Debian: added note about quit.blend now being found in
     $HOME/.blender
   * debian/watch: added
   * Merge (and extend) Ubuntu adjustments as applied by Daniel Holbach
     + ${python:Depends} and dh_python
     + auto-update config.guess via autotools-dev
   * debian/source.lintian-overrides: added
   * debian/blender.1: escape hyphens where necessary
Files: 
 3a0fc1a0c4a6ccdf17b97bdeb0c9b7bb 956 graphics optional blender_2.40-1.dsc
 3b58026ca9d0b26292ef39d7e2353f31 9298365 graphics optional blender_2.40.orig.tar.gz
 1ec60ee9f6e1e1b4afa3fb843586bcf4 15837 graphics optional blender_2.40-1.diff.gz
 bf683f3bcc96e9d744205c23821b0f5d 5022926 graphics optional blender_2.40-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDy9G9s3U+TVFLPnwRAqHoAJ4xOLsbIecMtVkGVeJAQFaYN//FPwCeLmKL
0W11UFWSW5qjERVpRf6rwII=
=HuOC
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.