Fri Apr 1 11:31:56 2011 UTC ()

Fix CVE-2008-4863 using the Debian patch by James Vega.
Bump PKGREVISION.
Mark MAKE_JOBS_SAFE=no since installation fails with -j16.


(wiz)

diff -r1.74 -r1.75 pkgsrc/graphics/blender/Makefile
diff -r1.29 -r1.30 pkgsrc/graphics/blender/distinfo
diff -r0 -r1.1 pkgsrc/graphics/blender/patches/patch-source_blender_python_BPY__interface.c

--- pkgsrc/graphics/blender/Makefile 2011/04/01 10:59:56 1.74
+++ pkgsrc/graphics/blender/Makefile 2011/04/01 11:31:56 1.75

 @@ -1,32 +1,34 @@
-# $NetBSD: Makefile,v 1.74 2011/04/01 10:59:56 wiz Exp $
+# $NetBSD: Makefile,v 1.75 2011/04/01 11:31:56 wiz Exp $
 DISTNAME=	blender-2.49b
-PKGREVISION=	5
+PKGREVISION=	6
 CATEGORIES=	graphics
 MASTER_SITES=	http://download.blender.org/source/
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://www.blender.org/
 COMMENT=	Fully integrated 3D graphics creation suite
 LICENSE=	gnu-gpl-v2
 USE_TOOLS+=		gmake
 USE_LANGUAGES=		c c++
 USE_CMAKE=		yes
 CMAKE_ARG_PATH=		..
 CONFIGURE_DIRS=		_build
 PKG_DESTDIR_SUPPORT=	user-destdir
 MAKE_JOBS_SAFE=		no
 LDFLAGS+=		-lcrypto
 .include "options.mk"
 INSTALLATION_DIRS=	bin
 CMAKE_ARGS+=	-DFREETYPE_INC:PATH=${BUILDLINK_PREFIX.freetype2}/include/freetype2
 CMAKE_ARGS+=	-DSDL_INCLUDE_DIR:PATH=${BUILDLINK_PREFIX.SDL}/include/SDL
 CHECK_INTERPRETER_SKIP= share/blender/scripts/*.py share/blender/scripts/*/*.py
 pre-configure:
 	${MKDIR} ${WRKSRC}/_build

--- pkgsrc/graphics/blender/distinfo 2009/11/03 19:06:51 1.29
+++ pkgsrc/graphics/blender/distinfo 2011/04/01 11:31:56 1.30

 @@ -1,14 +1,15 @@
-$NetBSD: distinfo,v 1.29 2009/11/03 19:06:51 markd Exp $
+$NetBSD: distinfo,v 1.30 2011/04/01 11:31:56 wiz Exp $
 SHA1 (blender-2.49b.tar.gz) = 43f71e7de4efe79c518d45f4b5a04e03c28d5fc5
 RMD160 (blender-2.49b.tar.gz) = 5b641de7b41af5e4186c9721b66eddc6870f9fbc
 Size (blender-2.49b.tar.gz) = 22918377 bytes
 SHA1 (patch-ab) = 6779022a78e895154e6e95cecf16e5465ffab637
 SHA1 (patch-ac) = dcfa14519404915a69bd626c8a5a6029d2535ca2
 SHA1 (patch-ad) = ee070c6e61585c5ee657f8aa0cd210c15f73bcc9
 SHA1 (patch-ah) = b45f534b4c5850da13e9b421f73e33c8d079696f
 SHA1 (patch-ai) = 31f94e8dcdabbe043d94a7fd53bfbdaa9d35fc99
 SHA1 (patch-aj) = 59c935bc84101e3a57af5231d6f1153897bbbb03
 SHA1 (patch-ak) = 98c93b7ee12e60aff0d8890cd1cdc7213515d270
 SHA1 (patch-al) = 8589d359484351766bfb99e58debf075bebbfd66
 SHA1 (patch-am) = 6da69ace1e9da706124621f6721fd4d4f804cc6f
 SHA1 (patch-source_blender_python_BPY__interface.c) = 9cc72c2fea93e9bfdf9b2f9cc147be90c044d53d

$NetBSD: patch-source_blender_python_BPY__interface.c,v 1.1 2011/04/01 11:31:56 wiz Exp $

Fix http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4863
using patch from James Vega via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503632

--- source/blender/python/BPY_interface.c.orig	2009-09-01 15:21:12.000000000 +0000
+++ source/blender/python/BPY_interface.c
@@ -236,6 +236,12 @@ void BPY_start_python( int argc, char **
 	Py_Initialize(  );
 	
 	PySys_SetArgv( argc_copy, argv_copy );
+
+	/* Sanitize sys.path to prevent relative imports loading modules in
+	 * the current working directory
+	 */
+	PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)");
+
 	/* Initialize thread support (also acquires lock) */
 	PyEval_InitThreads();