[Pkg-blender-maintainers] CVE-2007-1253: Eval injection vulnerability in kmz_ImportWithMesh.py

Cyril Brulebois cyril.brulebois at enst-bretagne.fr
Thu Mar 15 10:22:26 CET 2007


Florian Ernst <florian_ernst at gmx.net> (15/03/2007):
> Apparently _nothing_ in -6 warrants a freeze exemption, please see
> <http://lists.debian.org/debian-release/2007/03/msg00677.html> for the
> RM's comments.

Yes, I saw that...

BTW, Developers' Reference contains in 5.8.5.3 (Preparing packages to
address security issues): ``The upload should have urgency=high.''

I believe I followed these instructions as closely as I could, since that
was my first security upload preparation. Anyway, I guess that Steve
knows what he is talking about...

> Well, how severe are the issues on 64-bit systems really?

Really, my girlfriend has been using blender on her amd64 for ages and
didn't notice anything wrong with it (2.42 and 2.43), although I guess
she didn't test intensively loading files generated on i386 (you know,
guys "asking" on forums "do no wok!!!" and putting their files online so
that one can help).

The sad thing is that even blender developers don't really seem to know,
since they have to audit the code to make a statement about the possible issues.
Although I understand that they prefer stating "don't use it on 64-bit
archs, it is not safe!" over eventually having bug reports and complaints
about possible issues, not communicating is... well... pff.

Shall we simply drop all 64-bit architectures? If so, that's a
regression (from a Debian PoV) since there used to be binaries for them
(putting the amd64 case apart, as it was not an official port for sarge),
even though these packages were affected too (that's been confirmed by
blender developers).

Then I guess that the blender package would be dropped from etch... The
almost-ready (copyright, Wouter? ;-)) 2.43 is IMHO really suitable for
experimental/unstable and could be installable as-is from etch for some
time. Then we could think of providing backports of 2.44 to etch once it
is out...

(And I don't really see any alternative...)

I already told you about how I felt disappointed by that issue, but it's
not going any better. /me eager to see 2.44 out and that forgotten...

Cheers,

-- 
Cyril