GLSA Advocate
Posted: Mon Apr 23, 2007 9:26 pm Post subject: [ GLSA 200704-19 ] Blender: User-assisted remote execution o
Gentoo Linux Security Advisory
Title: Blender: User-assisted remote execution of arbitrary code (GLSA 200704-19)
Severity: normal
Exploitable: remote
Date: April 23, 2007
Bug(s): #168907
ID: 200704-19
Synopsis
A vulnerability has been discovered in Blender allowing for user-assisted
arbitrary code execution.
Background
Blender is a 3D creation, animation and publishing program.
Affected Packages
Package: media-gfx/blender
Vulnerable: < 2.43
Unaffected: >= 2.43
Architectures: All supported architectures
Description
Stefan Cornelius of Secunia Research discovered an insecure use of the
"eval()" function in kmz_ImportWithMesh.py.
Impact
A remote attacker could entice a user to open a specially crafted
Blender file (.kmz or .kml), resulting in the execution of arbitrary
Python code with the privileges of the user running Blender.
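The bug class described above, as an added example (not code from Blender, kmz_ImportWithMesh.py or the advisory): a hypothetical importer that passes the text of a KML `<coordinates>` element to eval(), next to a parser that accepts only finite numeric literals. The function names and the sample strings are constructed for illustration.

```python
import math

# Constructed sample values for the text of a KML <coordinates> element:
# whitespace-separated tuples of lon,lat[,alt].
BENIGN = "8.5,47.3,400 8.6,47.4,410"
# Not a number, but a valid Python expression (harmless marker).
CRAFTED = "8.5,47.3,len('evaluated')"


def parse_unsafe(text):
    """Hypothetical importer showing the bug class: file content reaches eval()."""
    points = []
    for item in text.split():
        # eval() runs whatever expression the file author supplied.
        points.append(tuple(eval(part) for part in item.split(",")))
    return points


def parse_safe(text):
    """Accept only finite numeric literals; anything else is rejected."""
    points = []
    for item in text.split():
        parts = item.split(",")
        if len(parts) not in (2, 3):
            raise ValueError("expected lon,lat[,alt], got %r" % item)
        # float() parses a literal and never evaluates code;
        # it raises ValueError on input such as "len('evaluated')".
        values = tuple(float(part) for part in parts)
        if not all(math.isfinite(v) for v in values):
            raise ValueError("non-finite coordinate in %r" % item)
        points.append(values)
    return points


if __name__ == "__main__":
    print("safe, benign    :", parse_safe(BENIGN))
    print("unsafe, crafted :", parse_unsafe(CRAFTED))  # expression was executed
    try:
        parse_safe(CRAFTED)
    except ValueError as exc:
        print("safe, crafted   : rejected:", exc)
```
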
Workaround
There is no known workaround at this time.
Resolution
All Blender users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-gfx/blender-2.43"
References
CVE-2007-1253
Last edited by GLSA on Wed Jul 09, 2014 4:23 am; edited 2 times in total