GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Thu Jan 14, 2010 1:26 am Post subject: [ GLSA 201001-07 ] Blender: Untrusted search path
Gentoo Linux Security Advisory
Title: Blender: Untrusted search path (GLSA 201001-07)
Severity: normal
Exploitable: local
Date: January 13, 2010
Bug(s): #245310
ID: 201001-07
Synopsis
An untrusted search path vulnerability in Blender might result in the
execution of arbitrary code.
Background
Blender is a 3D Creation/Animation/Publishing System.
Affected Packages
Package: media-gfx/blender
Vulnerable: < 2.48a-r3
Unaffected: >= 2.48a-r3
Architectures: All supported architectures
Description
Steffen Joeris reported that Blender's BPY_interface calls
PySys_SetArgv() in such a way that Python prepends sys.path with an
empty string.
Impact
A local attacker could entice a user to run "blender" from a directory
containing a specially crafted Python module, resulting in the
execution of arbitrary code with the privileges of the user running the
application.
Workaround
There is no known workaround at this time.
Resolution
All Blender users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/blender-2.48a-r3"
References
CVE-2008-4863
Last edited by GLSA on Sun Nov 16, 2014 4:29 am; edited 2 times in total
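An added illustration of the mechanism the advisory describes (this is not code from the GLSA, from Blender, or from CPython): when the embedded interpreter ends up with an empty string at sys.path[0], Python treats that entry as the current working directory, so a module file planted in the directory "blender" is started from wins the import. The script plants a constructed stand-in module in a temporary directory, changes into it, and resolves the same import once with '' at the front of the path and once with the working-directory entries stripped. The python2_setargv_path_entry() helper is a simplified model of what PySys_SetArgv() inserts (directory part of argv[0], '' for a bare name), stated here as an assumption and ignoring symlink resolution; the module name is made up.

```python
"""Added example (not from the GLSA or from Blender): show why an empty
string at the front of sys.path lets a module in the current working
directory win an import, and the check that removes such entries."""
import os
import sys
import tempfile
from importlib.machinery import PathFinder


def python2_setargv_path_entry(argv0):
    """Simplified model (an assumption, not code taken from CPython) of the
    entry PySys_SetArgv() inserts at sys.path[0]: the directory part of
    argv[0], which is '' when argv[0] is a bare name such as "blender".
    Symlink resolution of argv[0] is ignored."""
    sep = argv0.rfind("/")
    return "" if sep < 0 else argv0[:sep]


def strip_cwd_entries(search_path):
    """Return a copy of search_path without the entries that mean
    'current working directory' ('' and '.')."""
    return [p for p in search_path if p not in ("", ".")]


def resolve_module(name, search_path):
    """Return the file a module called `name` would be loaded from when
    searched along search_path (a list shaped like sys.path), or None."""
    spec = PathFinder.find_spec(name, search_path)
    return None if spec is None else spec.origin


def demo(module_name="glsa_201001_07_demo_module"):
    """Plant a constructed stand-in for an attacker's module in a fresh
    directory, chdir there, and resolve the import with and without ''
    at sys.path[0]. Returns whether each resolution hit the planted file."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, module_name + ".py")
        with open(planted, "w") as fh:
            fh.write("# constructed stand-in for a crafted module\n")
        old_cwd = os.getcwd()
        os.chdir(tmp)
        try:
            base = strip_cwd_entries(sys.path)
            # what the embedded interpreter sees after PySys_SetArgv("blender")
            vulnerable_path = [python2_setargv_path_entry("blender")] + base
            hardened_path = strip_cwd_entries(vulnerable_path)
            hit_vuln = resolve_module(module_name, vulnerable_path)
            hit_hard = resolve_module(module_name, hardened_path)
            return {
                "vulnerable_loads_from_cwd":
                    hit_vuln is not None and os.path.samefile(hit_vuln, planted),
                "hardened_loads_from_cwd":
                    hit_hard is not None and os.path.samefile(hit_hard, planted),
            }
        finally:
            os.chdir(old_cwd)


if __name__ == "__main__":
    print(demo())
```

Running it prints a dict in which only the path with '' at the front resolves the import to the planted file; with that entry removed the module is not found at all, which is the behaviour an embedding application wants when it cannot trust the directory it was launched from. The same resolve_module() check can be pointed at the sys.path of any embedded interpreter to see whether a working-directory entry has crept in.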