Date: 23 December 2008
References: ESB-2008.0460
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.1157 -- [Win][UNIX/Linux][Ubuntu]
Blender vulnerabilities
23 December 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: blender
Publisher: Ubuntu
Operating System: Ubuntu
UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2008-4863 CVE-2008-1102
Ref: ESB-2008.0460
Original Bulletin: http://www.ubuntu.com/usn/usn-699-1
- --------------------------BEGIN INCLUDED TEXT--------------------
===========================================================
Ubuntu Security Notice USN-699-1 December 22, 2008
blender vulnerabilities
CVE-2008-1102, CVE-2008-4863
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
blender 2.41-1ubuntu4.1
After a standard system upgrade you need to restart Blender to effect
the necessary changes.
Details follow:
It was discovered that Blender did not correctly handle certain malformed
Radiance RGBE images. If a user were tricked into opening a .blend file
containing a specially crafted Radiance RGBE image, an attacker could execute
arbitrary code with the user's privileges. (CVE-2008-1102)
It was discovered that Blender did not properly sanitize the Python search
path. A local attacker could execute arbitrary code by inserting a specially
crafted Python file in the Blender working directory. (CVE-2008-4863)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/b/blender/blender_2.41-1ubuntu4.1.diff.gz
Size/MD5: 25321 a6a2c9e48b5c274d1744d740b0d0501e
http://security.ubuntu.com/ubuntu/pool/main/b/blender/blender_2.41-1ubuntu4.1.dsc
Size/MD5: 947 2c501e9883db205fab612b6cd7b50d27
http://security.ubuntu.com/ubuntu/pool/main/b/blender/blender_2.41.orig.tar.gz
Size/MD5: 9464385 f6b54ff73c37aaca4d3f5babdd156fbf
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/b/blender/blender_2.41-1ubuntu4.1_amd64.deb
Size/MD5: 5399852 ee9c0adcf8fb0cf7021dd3d5132dab41
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/b/blender/blender_2.41-1ubuntu4.1_i386.deb
Size/MD5: 4848820 f68c68e0db4b4ea0b7c8eed29217e398
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/b/blender/blender_2.41-1ubuntu4.1_powerpc.deb
Size/MD5: 5467466 aee78b058760935e9cbe92e069c3ae19
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/b/blender/blender_2.41-1ubuntu4.1_sparc.deb
Size/MD5: 5110704 5f03470392a9c258d2116995b0a6e605
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSVAnnSh9+71yA2DNAQJemAP/T9Wd9Wd/ww/dj4i/yUvU1JsgUL5gY9up
z3+gPfBqwIj1OG0mf74srElJDHWJj3rw0hdjbIrUdIrONd2l1+0p0g4TnpVV0v7p
DMea5CCdBfOOUeUV/+R956B2Ml/KQilO/buPNT2GxONGCL7waW+1DN1jn5aPVO/t
ipqnrPZOV1o=
=AhPQ
-----END PGP SIGNATURE-----
|