Talos security advisory for Blender product #52654
Labels
No Label
Interest
Alembic
Interest
Animation & Rigging
Interest
Asset Browser
Interest
Asset Browser Project Overview
Interest
Audio
Interest
Automated Testing
Interest
Blender Asset Bundle
Interest
BlendFile
Interest
Collada
Interest
Compatibility
Interest
Compositing
Interest
Core
Interest
Cycles
Interest
Dependency Graph
Interest
Development Management
Interest
EEVEE
Interest
EEVEE & Viewport
Interest
Freestyle
Interest
Geometry Nodes
Interest
Grease Pencil
Interest
ID Management
Interest
Images & Movies
Interest
Import Export
Interest
Line Art
Interest
Masking
Interest
Metal
Interest
Modeling
Interest
Modifiers
Interest
Motion Tracking
Interest
Nodes & Physics
Interest
OpenGL
Interest
Overlay
Interest
Overrides
Interest
Performance
Interest
Physics
Interest
Pipeline, Assets & IO
Interest
Platforms, Builds & Tests
Interest
Python API
Interest
Render & Cycles
Interest
Render Pipeline
Interest
Sculpt, Paint & Texture
Interest
Text Editor
Interest
Translations
Interest
Triaging
Interest
Undo
Interest
USD
Interest
User Interface
Interest
UV Editing
Interest
VFX & Video
Interest
Video Sequencer
Interest
Virtual Reality
Interest
Vulkan
Interest
Wayland
Interest
Workbench
Interest: X11
Legacy
Blender 2.8 Project
Legacy
Milestone 1: Basic, Local Asset Browser
Legacy
OpenGL Error
Meta
Good First Issue
Meta
Papercut
Meta
Retrospective
Meta
Security
Module
Animation & Rigging
Module
Core
Module
Development Management
Module
EEVEE & Viewport
Module
Grease Pencil
Module
Modeling
Module
Nodes & Physics
Module
Pipeline, Assets & IO
Module
Platforms, Builds & Tests
Module
Python API
Module
Render & Cycles
Module
Sculpt, Paint & Texture
Module
Triaging
Module
User Interface
Module
VFX & Video
Platform
FreeBSD
Platform
Linux
Platform
macOS
Platform
Windows
Priority
High
Priority
Low
Priority
Normal
Priority
Unbreak Now!
Status
Archived
Status
Confirmed
Status
Duplicate
Status
Needs Info from Developers
Status
Needs Information from User
Status
Needs Triage
Status
Resolved
Type
Bug
Type
Design
Type
Known Issue
Type
Patch
Type
Report
Type
To Do
No Milestone
No project
No Assignees
4 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: blender/blender#52654
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Blender Version
Blender v2.78c
Hello, the Cisco Talos team found security vulnerabilities impacting Blender customers. As this is a sensitive security issue, this entry is to request a PGP key for further communication. If a key is not received or is unavailable, an unencrypted report will be sent via this report in two business days. Please acknowledge receipt so we can confirm we have the correct forum for reporting security issues.
For further information about the Cisco Vendor Vulnerability Reporting and Disclosure Policy please refer to this document which also links to our public PGP key. http://www.cisco.com/web/about/security/psirt/vendor_vulnerability_policy.html
Please CC vulndev@cisco.com on all correspondence related to this issue.
Developer note: adding CVE's here so we can keep track of whats fixed.
829916f4e5
Changed status to: 'Open'
Added subscriber: @regiwils
Added subscriber: @Ton
Yes this is the right place to post vulnerabilities. If you really think it's better to not publish it, email to to foundation@blender.org. No pgp key exists though.
Added subscriber: @mont29
Changed status from 'Open' to: 'Archived'
More than a week without reply. Due to the policy of the tracker archiving for until required info/data are provided.
Reports were sent to foundation@blender.org on 9/6/17
#52654 identifier assigned in the email thread via Blender
Changed status from 'Archived' to: 'Open'
Thanks, got the mail now. We'll check on it asap.
Thanks. Let me know if you need any additional information. We prefer 1-2 business days notice of public release disclosure so we can coordinate on our end as well. Please let me know any new developments and/or timelines as they are confirmed (even if tentative).
Added subscriber: @ideasman42
Committed fix for one of the CVE's, note that I think we could make the CVE's public. It's no secret that corrupt files can crash Blender in various ways.
Do you have any updates on the other issues reported? To date, it appears only CVE-2017-2901 (TALOS-2017-0408) is fixed although TALOS-2017-0451 is also referenced above.
Changed status from 'Open' to: 'Archived'
Closing this report, use #52924 instead.