Talos security advisory for Blender product #52654

Closed
opened 2017-09-05 21:17:35 +02:00 by Talos Security Advisory · 16 comments

Blender Version
Blender v2.78c

Hello, the Cisco Talos team found security vulnerabilities impacting Blender customers. As this is a sensitive security issue, this entry is to request a PGP key for further communication. If a key is not received or is unavailable, an unencrypted report will be sent via this report in two business days. Please acknowledge receipt so we can confirm we have the correct forum for reporting security issues.

For further information about the Cisco Vendor Vulnerability Reporting and Disclosure Policy please refer to this document which also links to our public PGP key. http://www.cisco.com/web/about/security/psirt/vendor_vulnerability_policy.html

Please CC vulndev@cisco.com on all correspondence related to this issue.


Developer note: adding CVE's here so we can keep track of whats fixed.

  • Fixed CVE-2017-2901: Blender Sequencer imb_loadiris Integer Overflow Code Execution Vulnerability 829916f4e5
This could crash reading corrupt images when generating thumbnails.
**Blender Version** Blender v2.78c Hello, the Cisco Talos team found security vulnerabilities impacting Blender customers. As this is a sensitive security issue, this entry is to request a PGP key for further communication. If a key is not received or is unavailable, an unencrypted report will be sent via this report in two business days. Please acknowledge receipt so we can confirm we have the correct forum for reporting security issues. For further information about the Cisco Vendor Vulnerability Reporting and Disclosure Policy please refer to this document which also links to our public PGP key. http://www.cisco.com/web/about/security/psirt/vendor_vulnerability_policy.html Please CC vulndev@cisco.com on all correspondence related to this issue. ---- Developer note: adding CVE's here so we can keep track of whats fixed. * Fixed CVE-2017-2901: Blender Sequencer imb_loadiris Integer Overflow Code Execution Vulnerability 829916f4e5 ``` This could crash reading corrupt images when generating thumbnails.

Changed status to: 'Open'

Changed status to: 'Open'

Added subscriber: @regiwils

Added subscriber: @regiwils
Member

Added subscriber: @Ton

Added subscriber: @Ton
Member

Yes this is the right place to post vulnerabilities. If you really think it's better to not publish it, email to to foundation@blender.org. No pgp key exists though.

Yes this is the right place to post vulnerabilities. If you really think it's better to not publish it, email to to foundation@blender.org. No pgp key exists though.

Added subscriber: @mont29

Added subscriber: @mont29

Changed status from 'Open' to: 'Archived'

Changed status from 'Open' to: 'Archived'
Bastien Montagne self-assigned this 2017-09-14 16:43:55 +02:00

More than a week without reply. Due to the policy of the tracker archiving for until required info/data are provided.

More than a week without reply. Due to the policy of the tracker archiving for until required info/data are provided.

Reports were sent to foundation@blender.org on 9/6/17
#52654 identifier assigned in the email thread via Blender

Reports were sent to foundation@blender.org on 9/6/17 #52654 identifier assigned in the email thread via Blender

Changed status from 'Archived' to: 'Open'

Changed status from 'Archived' to: 'Open'

Thanks, got the mail now. We'll check on it asap.

Thanks, got the mail now. We'll check on it asap.

Thanks. Let me know if you need any additional information. We prefer 1-2 business days notice of public release disclosure so we can coordinate on our end as well. Please let me know any new developments and/or timelines as they are confirmed (even if tentative).

Thanks. Let me know if you need any additional information. We prefer 1-2 business days notice of public release disclosure so we can coordinate on our end as well. Please let me know any new developments and/or timelines as they are confirmed (even if tentative).

Added subscriber: @ideasman42

Added subscriber: @ideasman42

Committed fix for one of the CVE's, note that I think we could make the CVE's public. It's no secret that corrupt files can crash Blender in various ways.

Committed fix for one of the CVE's, note that I think we could make the CVE's public. It's no secret that corrupt files can crash Blender in various ways.

Do you have any updates on the other issues reported? To date, it appears only CVE-2017-2901 (TALOS-2017-0408) is fixed although TALOS-2017-0451 is also referenced above.

Do you have any updates on the other issues reported? To date, it appears only CVE-2017-2901 (TALOS-2017-0408) is fixed although TALOS-2017-0451 is also referenced above.

Changed status from 'Open' to: 'Archived'

Changed status from 'Open' to: 'Archived'

Closing this report, use #52924 instead.

Closing this report, use #52924 instead.
Sign in to join this conversation.
No Label
Interest
Alembic
Interest
Animation & Rigging
Interest
Asset Browser
Interest
Asset Browser Project Overview
Interest
Audio
Interest
Automated Testing
Interest
Blender Asset Bundle
Interest
BlendFile
Interest
Collada
Interest
Compatibility
Interest
Compositing
Interest
Core
Interest
Cycles
Interest
Dependency Graph
Interest
Development Management
Interest
EEVEE
Interest
EEVEE & Viewport
Interest
Freestyle
Interest
Geometry Nodes
Interest
Grease Pencil
Interest
ID Management
Interest
Images & Movies
Interest
Import Export
Interest
Line Art
Interest
Masking
Interest
Metal
Interest
Modeling
Interest
Modifiers
Interest
Motion Tracking
Interest
Nodes & Physics
Interest
OpenGL
Interest
Overlay
Interest
Overrides
Interest
Performance
Interest
Physics
Interest
Pipeline, Assets & IO
Interest
Platforms, Builds & Tests
Interest
Python API
Interest
Render & Cycles
Interest
Render Pipeline
Interest
Sculpt, Paint & Texture
Interest
Text Editor
Interest
Translations
Interest
Triaging
Interest
Undo
Interest
USD
Interest
User Interface
Interest
UV Editing
Interest
VFX & Video
Interest
Video Sequencer
Interest
Virtual Reality
Interest
Vulkan
Interest
Wayland
Interest
Workbench
Interest: X11
Legacy
Blender 2.8 Project
Legacy
Milestone 1: Basic, Local Asset Browser
Legacy
OpenGL Error
Meta
Good First Issue
Meta
Papercut
Meta
Retrospective
Meta
Security
Module
Animation & Rigging
Module
Core
Module
Development Management
Module
EEVEE & Viewport
Module
Grease Pencil
Module
Modeling
Module
Nodes & Physics
Module
Pipeline, Assets & IO
Module
Platforms, Builds & Tests
Module
Python API
Module
Render & Cycles
Module
Sculpt, Paint & Texture
Module
Triaging
Module
User Interface
Module
VFX & Video
Platform
FreeBSD
Platform
Linux
Platform
macOS
Platform
Windows
Priority
High
Priority
Low
Priority
Normal
Priority
Unbreak Now!
Status
Archived
Status
Confirmed
Status
Duplicate
Status
Needs Info from Developers
Status
Needs Information from User
Status
Needs Triage
Status
Resolved
Type
Bug
Type
Design
Type
Known Issue
Type
Patch
Type
Report
Type
To Do
No Milestone
No project
No Assignees
4 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: blender/blender#52654
No description provided.