[Pkg-blender-maintainers] CVE-2007-1253: Eval injection vulnerability in kmz_ImportWithMesh.py

Florian Ernst florian_ernst at gmx.net
Wed Mar 14 11:11:35 CET 2007


On Wed, Mar 14, 2007 at 10:38:47AM +0100, Cyril Brulebois wrote:
> Florian Ernst <florian_ernst at gmx.net> (14/03/2007):
> > CVE-2007-1253 apparently is addressed in 2.43. However, Etch will ship
> > with 2.42a, so will this issue warrant another update? I.e., is anyone
> > working on this?
> 
> At first glance, that will be quite easy. The fix in 2.43 is... the
> removal of the affected script, which should be backportable easily. I'm

Yeah, this quite looks like the way to go. Furthermore, it seems this
script was first introduced in 2.42, so this issue doesn't even affect
stable or oldstable. Thus I'll let the Debian security teams know they
don't need to worry about this.

> going to prepare the needed fix to (I guess) debian/rules or such to
> remove it from the installed files, and get back to developers reference
> since it is the first time I have to deal with a security bug.

Not much that needs to be done extra, see above. Removing the file from
the binary package will apparently be sufficient, so this turns out to
be a one-liner. *phew*

> I think that we could also include another change: update the copyright
> file to solve #407917. When it popped up (as RC before vorlon downgraded
> it), I asked the RM and that kind of change was said to be OK for
> inclusion (kind of documentation bug, so NP).

Sounds fine. Especially given it has a kind-of-blessing by an RM.

> And maybe, the documentation (NEWS, README) about the 64-bit stuff,
> so that our users are informed of possible incompatibilities with later
> releases (for the 64-bit users)?

Hmm, a documentation update. Normally OK, but as of yesterday's new
release update[0] those aren't explicitly blessed. Well, I'd say
include them nonetheless as they aren't code changes and won't affect
any functionality.

> Of course, I'll keep you posted and ask for review.

I'll be available, so just drop me some note and I will react asap. :)

Cheers,
Flo


[0] <http://lists.debian.org/debian-devel-announce/2007/03/msg00012.html>