blob: 5d5daba25ce42af63146e97e4f583bb66f1090e5 [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="201001-07">
<title>Blender: Untrusted search path</title>
An untrusted search path vulnerability in Blender might result in the
execution of arbitrary code.
<product type="ebuild">blender</product>
<announced>January 13, 2010</announced>
<revised>January 13, 2010: 01</revised>
<package name="media-gfx/blender" auto="yes" arch="*">
<unaffected range="ge">2.48a-r3</unaffected>
<vulnerable range="lt">2.48a-r3</vulnerable>
Blender is a 3D Creation/Animation/Publishing System.
Steffen Joeris reported that Blender's BPY_interface calls
PySys_SetArgv() in such a way that Python prepends sys.path with an
empty string.
<impact type="normal">
A local attacker could entice a user to run "blender" from a directory
containing a specially crafted Python module, resulting in the
execution of arbitrary code with the privileges of the user running the
There is no known workaround at this time.
All Blender users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=media-gfx/blender-2.48a-r3&quot;</code>
<uri link="">CVE-2008-4863</uri>
<metadata tag="requester" timestamp="Sun, 30 Nov 2008 19:04:32 +0000">
<metadata tag="submitter" timestamp="Tue, 05 Jan 2010 21:25:09 +0000">
<metadata tag="bugReady" timestamp="Sun, 10 Jan 2010 19:40:27 +0000">