Sat May 17 10:33:15 2008 UTC ()
Fix CVEs CVE-2008-1102 and CVE-2008-1102 for blender:
 - Fix arbitrary code execution vulnerability in .bend files which contain
   a crafted RGBE file (CVE-2008-1102).
 - Create various temporary files in safer paths (CVE-2008-1103).


(tonnerre)
diff -r1.60 -r1.61 pkgsrc/graphics/blender/Makefile
diff -r1.23 -r1.24 pkgsrc/graphics/blender/distinfo
diff -r0 -r1.7 pkgsrc/graphics/blender/patches/patch-ae
diff -r0 -r1.6 pkgsrc/graphics/blender/patches/patch-af
diff -r0 -r1.6 pkgsrc/graphics/blender/patches/patch-ag
cvs diff -r1.60 -r1.61 pkgsrc/graphics/blender/Makefile (expand / switch to context diff)
--- pkgsrc/graphics/blender/Makefile 2008/01/18 05:06:38 1.60
+++ pkgsrc/graphics/blender/Makefile 2008/05/17 10:33:15 1.61
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.60 2008/01/18 05:06:38 tnn Exp $
+# $NetBSD: Makefile,v 1.61 2008/05/17 10:33:15 tonnerre Exp $
 
 DISTNAME=	blender-2.45
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://ftp.cs.umn.edu/pub/blender.org/source/ \
 		http://download.blender.org/source/
cvs diff -r1.23 -r1.24 pkgsrc/graphics/blender/distinfo (expand / switch to context diff)
--- pkgsrc/graphics/blender/distinfo 2008/01/04 19:56:45 1.23
+++ pkgsrc/graphics/blender/distinfo 2008/05/17 10:33:15 1.24
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.23 2008/01/04 19:56:45 markd Exp $
+$NetBSD: distinfo,v 1.24 2008/05/17 10:33:15 tonnerre Exp $
 
 SHA1 (blender-2.45.tar.gz) = ff66ec5f0129fd04a2ba5c063627ef13033c0598
 RMD160 (blender-2.45.tar.gz) = fd39b59de0f4d770fe26ce39d51356e98b1ec8ea
@@ -6,5 +6,8 @@
 SHA1 (patch-ab) = 7f5b4966bd08333f5d726cf9b6d7c2300e62d711
 SHA1 (patch-ac) = dcfa14519404915a69bd626c8a5a6029d2535ca2
 SHA1 (patch-ad) = cfec8537593071381687df1f37906a6f28eb45cf
+SHA1 (patch-ae) = 45ea375bc405948d4eadc786379f8a8b700c8d91
+SHA1 (patch-af) = ce57bcf10e9291ed156e54b66d154950b0079eb9
+SHA1 (patch-ag) = bd3fae7b10349dd2c1ef45a18346d980530e01a4
 SHA1 (patch-ah) = b45f534b4c5850da13e9b421f73e33c8d079696f
 SHA1 (patch-ai) = 8909e9d698b9370bb756b81c41812a05790da419
File Added: pkgsrc/graphics/blender/patches/Attic/patch-ae
$NetBSD: patch-ae,v 1.7 2008/05/17 10:33:15 tonnerre Exp $

--- source/blender/src/usiblender.c.orig	2007-09-18 04:58:42.000000000 +0000
+++ source/blender/src/usiblender.c
@@ -172,10 +172,12 @@ static void init_userdef_file(void)
 		U.tb_rightmouse= 5;
 	}
 	if(U.mixbufsize==0) U.mixbufsize= 2048;
-	if (BLI_streq(U.tempdir, "/")) {
+	if (BLI_streq(U.tempdir, "/") || BLI_streq(U.tempdir, "/tmp/")) {
 		char *tmp= getenv("TEMP");
+		char *home= getenv("HOME");
 		
-		strcpy(U.tempdir, tmp?tmp:"/tmp/");
+		strcpy(U.tempdir, tmp?tmp:home);
+		if (!tmp) strcat(U.tempdir, "/.blender/");
 	}
 	if (U.savetime <= 0) {
 		U.savetime = 1;
File Added: pkgsrc/graphics/blender/patches/Attic/patch-af
$NetBSD: patch-af,v 1.6 2008/05/17 10:33:15 tonnerre Exp $

--- source/blender/blenkernel/intern/blender.c.orig	2007-09-18 04:58:33.000000000 +0000
+++ source/blender/blenkernel/intern/blender.c
@@ -714,7 +714,7 @@ void BKE_undo_save_quit(void)
 		
 	BLI_make_file_string("/", str, U.tempdir, "quit.blend");
 
-	file = open(str,O_BINARY+O_WRONLY+O_CREAT+O_TRUNC, 0666);
+	file = open(str,O_BINARY|O_WRONLY|O_CREAT|O_TRUNC|O_EXCL, 0666);
 	if(file == -1) {
 		printf("Unable to save %s\n", str);
 		return;
File Added: pkgsrc/graphics/blender/patches/Attic/patch-ag
$NetBSD: patch-ag,v 1.6 2008/05/17 10:33:15 tonnerre Exp $

--- source/blender/imbuf/intern/radiance_hdr.c.orig	2007-09-18 04:58:45.000000000 +0000
+++ source/blender/imbuf/intern/radiance_hdr.c
@@ -191,7 +191,8 @@ struct ImBuf *imb_loadhdr(unsigned char 
 			}
 		}
 		if (found) {
-			sscanf((char*)&mem[x+1], "%s %d %s %d", (char*)&oriY, &height, (char*)&oriX, &width);
+			if (sscanf((char *)&mem[x+1], "%79s %d %79s %d", (char*)&oriY, &height,
+				(char*)&oriX, &width) != 4) return NULL;
 
 			/* find end of this line, data right behind it */
 			ptr = (unsigned char *)strchr((char*)&mem[x+1], '\n');