Sat May 17 10:33:15 2008 UTC ()
Fix CVEs CVE-2008-1102 and CVE-2008-1102 for blender:
- Fix arbitrary code execution vulnerability in .bend files which contain
a crafted RGBE file (CVE-2008-1102).
- Create various temporary files in safer paths (CVE-2008-1103).
(tonnerre)
diff -r1.60 -r1.61 pkgsrc/graphics/blender/Makefile
diff -r1.23 -r1.24 pkgsrc/graphics/blender/distinfo
diff -r0 -r1.7 pkgsrc/graphics/blender/patches/patch-ae
diff -r0 -r1.6 pkgsrc/graphics/blender/patches/patch-af
diff -r0 -r1.6 pkgsrc/graphics/blender/patches/patch-ag
--- pkgsrc/graphics/blender/Makefile 2008/01/18 05:06:38 1.60
+++ pkgsrc/graphics/blender/Makefile 2008/05/17 10:33:15 1.61
| @@ -1,17 +1,17 @@ | | | @@ -1,17 +1,17 @@ |
| 1 | # $NetBSD: Makefile,v 1.60 2008/01/18 05:06:38 tnn Exp $ | | 1 | # $NetBSD: Makefile,v 1.61 2008/05/17 10:33:15 tonnerre Exp $ |
| 2 | | | 2 | |
| 3 | DISTNAME= blender-2.45 | | 3 | DISTNAME= blender-2.45 |
| 4 | PKGREVISION= 1 | | 4 | PKGREVISION= 2 |
| 5 | CATEGORIES= graphics | | 5 | CATEGORIES= graphics |
| 6 | MASTER_SITES= ftp://ftp.cs.umn.edu/pub/blender.org/source/ \ | | 6 | MASTER_SITES= ftp://ftp.cs.umn.edu/pub/blender.org/source/ \ |
| 7 | http://download.blender.org/source/ | | 7 | http://download.blender.org/source/ |
| 8 | | | 8 | |
| 9 | MAINTAINER= pkgsrc-users@NetBSD.org | | 9 | MAINTAINER= pkgsrc-users@NetBSD.org |
| 10 | HOMEPAGE= http://www.blender.org/ | | 10 | HOMEPAGE= http://www.blender.org/ |
| 11 | COMMENT= Fully integrated 3D graphics creation suite | | 11 | COMMENT= Fully integrated 3D graphics creation suite |
| 12 | | | 12 | |
| 13 | USE_TOOLS+= gmake | | 13 | USE_TOOLS+= gmake |
| 14 | USE_LANGUAGES= c c++ | | 14 | USE_LANGUAGES= c c++ |
| 15 | USE_CMAKE= yes | | 15 | USE_CMAKE= yes |
| 16 | CMAKE_ARG_PATH= .. | | 16 | CMAKE_ARG_PATH= .. |
| 17 | CONFIGURE_DIRS= _build | | 17 | CONFIGURE_DIRS= _build |
--- pkgsrc/graphics/blender/distinfo 2008/01/04 19:56:45 1.23
+++ pkgsrc/graphics/blender/distinfo 2008/05/17 10:33:15 1.24
| @@ -1,10 +1,13 @@ | | | @@ -1,10 +1,13 @@ |
| 1 | $NetBSD: distinfo,v 1.23 2008/01/04 19:56:45 markd Exp $ | | 1 | $NetBSD: distinfo,v 1.24 2008/05/17 10:33:15 tonnerre Exp $ |
| 2 | | | 2 | |
| 3 | SHA1 (blender-2.45.tar.gz) = ff66ec5f0129fd04a2ba5c063627ef13033c0598 | | 3 | SHA1 (blender-2.45.tar.gz) = ff66ec5f0129fd04a2ba5c063627ef13033c0598 |
| 4 | RMD160 (blender-2.45.tar.gz) = fd39b59de0f4d770fe26ce39d51356e98b1ec8ea | | 4 | RMD160 (blender-2.45.tar.gz) = fd39b59de0f4d770fe26ce39d51356e98b1ec8ea |
| 5 | Size (blender-2.45.tar.gz) = 14226829 bytes | | 5 | Size (blender-2.45.tar.gz) = 14226829 bytes |
| 6 | SHA1 (patch-ab) = 7f5b4966bd08333f5d726cf9b6d7c2300e62d711 | | 6 | SHA1 (patch-ab) = 7f5b4966bd08333f5d726cf9b6d7c2300e62d711 |
| 7 | SHA1 (patch-ac) = dcfa14519404915a69bd626c8a5a6029d2535ca2 | | 7 | SHA1 (patch-ac) = dcfa14519404915a69bd626c8a5a6029d2535ca2 |
| 8 | SHA1 (patch-ad) = cfec8537593071381687df1f37906a6f28eb45cf | | 8 | SHA1 (patch-ad) = cfec8537593071381687df1f37906a6f28eb45cf |
| | | 9 | SHA1 (patch-ae) = 45ea375bc405948d4eadc786379f8a8b700c8d91 |
| | | 10 | SHA1 (patch-af) = ce57bcf10e9291ed156e54b66d154950b0079eb9 |
| | | 11 | SHA1 (patch-ag) = bd3fae7b10349dd2c1ef45a18346d980530e01a4 |
| 9 | SHA1 (patch-ah) = b45f534b4c5850da13e9b421f73e33c8d079696f | | 12 | SHA1 (patch-ah) = b45f534b4c5850da13e9b421f73e33c8d079696f |
| 10 | SHA1 (patch-ai) = 8909e9d698b9370bb756b81c41812a05790da419 | | 13 | SHA1 (patch-ai) = 8909e9d698b9370bb756b81c41812a05790da419 |
$NetBSD: patch-ae,v 1.7 2008/05/17 10:33:15 tonnerre Exp $
--- source/blender/src/usiblender.c.orig 2007-09-18 04:58:42.000000000 +0000
+++ source/blender/src/usiblender.c
@@ -172,10 +172,12 @@ static void init_userdef_file(void)
U.tb_rightmouse= 5;
}
if(U.mixbufsize==0) U.mixbufsize= 2048;
- if (BLI_streq(U.tempdir, "/")) {
+ if (BLI_streq(U.tempdir, "/") || BLI_streq(U.tempdir, "/tmp/")) {
char *tmp= getenv("TEMP");
+ char *home= getenv("HOME");
- strcpy(U.tempdir, tmp?tmp:"/tmp/");
+ strcpy(U.tempdir, tmp?tmp:home);
+ if (!tmp) strcat(U.tempdir, "/.blender/");
}
if (U.savetime <= 0) {
U.savetime = 1;
$NetBSD: patch-af,v 1.6 2008/05/17 10:33:15 tonnerre Exp $
--- source/blender/blenkernel/intern/blender.c.orig 2007-09-18 04:58:33.000000000 +0000
+++ source/blender/blenkernel/intern/blender.c
@@ -714,7 +714,7 @@ void BKE_undo_save_quit(void)
BLI_make_file_string("/", str, U.tempdir, "quit.blend");
- file = open(str,O_BINARY+O_WRONLY+O_CREAT+O_TRUNC, 0666);
+ file = open(str,O_BINARY|O_WRONLY|O_CREAT|O_TRUNC|O_EXCL, 0666);
if(file == -1) {
printf("Unable to save %s\n", str);
return;
$NetBSD: patch-ag,v 1.6 2008/05/17 10:33:15 tonnerre Exp $
--- source/blender/imbuf/intern/radiance_hdr.c.orig 2007-09-18 04:58:45.000000000 +0000
+++ source/blender/imbuf/intern/radiance_hdr.c
@@ -191,7 +191,8 @@ struct ImBuf *imb_loadhdr(unsigned char
}
}
if (found) {
- sscanf((char*)&mem[x+1], "%s %d %s %d", (char*)&oriY, &height, (char*)&oriX, &width);
+ if (sscanf((char *)&mem[x+1], "%79s %d %79s %d", (char*)&oriY, &height,
+ (char*)&oriX, &width) != 4) return NULL;
/* find end of this line, data right behind it */
ptr = (unsigned char *)strchr((char*)&mem[x+1], '\n');