[Secure-testing-team] CVE-2007-1253: blender: eval injection vulnerability in kmz_ImportWithMesh.py

Florian Ernst florian_ernst at gmx.net
Wed Mar 14 11:23:59 UTC 2007


Hello folks,

just FYI:

CVE-2007-1253 as e.g. summarised on
<http://idssi.enyo.de/tracker/CVE-2007-1253>

only affects testing/unstable. A fix is in preparation and will be
uploaded as 2.42a-6 to unstable from where it can easily propagate to
testing.

Upstream has decided to deal with this issue by simply dropping the
script in question in 2.43, and the blender package maintainers will
follow suit (2.43 will also be uploaded to experimental soon, fwiw).

Stable/oldstable are not affected as this script was first introduced in
upstream 2.42, see e.g. upstream's cvs for background:
<http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scripts/Attic/kmz_ImportWithMesh.py?r1=1.13&cvsroot=bf-blender>

HTH,
Flo