ID: CVE-2017-2902
Type: cve
Reporter: cve@mitre.org
Modified: 2019-03-19T13:25:00
Description
An exploitable integer overflow exists in the DPX loading functionality of the Blender open-source 3d creation suite version 2.78c. A specially crafted '.cin' file can cause an integer overflow resulting in a buffer overflow which can allow for code execution under the context of the application. An attacker can convince a user to use the file as an asset via the sequencer in order to trigger this vulnerability.
{"id": "CVE-2017-2902", "bulletinFamily": "NVD", "title": "CVE-2017-2902", "description": "An exploitable integer overflow exists in the DPX loading functionality of the Blender open-source 3d creation suite version 2.78c. A specially crafted '.cin' file can cause an integer overflow resulting in a buffer overflow which can allow for code execution under the context of the application. An attacker can convince a user to use the file as an asset via the sequencer in order to trigger this vulnerability.", "published": "2018-04-24T19:29:00", "modified": "2019-03-19T13:25:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2902", "reporter": "cve@mitre.org", "references": ["https://lists.debian.org/debian-lts-announce/2018/08/msg00011.html", "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0409", "https://www.debian.org/security/2018/dsa-4248"], "cvelist": ["CVE-2017-2902"], "type": "cve", "lastseen": "2019-05-29T18:16:59", "history": [], "edition": 1, "hash": "64fc14af8a38311fe33094a8f97e63f345898c591ca1648e89078f0cb07437b8", "viewCount": 0, "enchantments": {"score": {"value": 7.1, "vector": "NONE", "modified": "2019-05-29T18:16:59"}, "dependencies": {"references": [{"type": "talos", "idList": ["TALOS-2017-0409"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891465", "OPENVAS:1361412562310704248"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-4248.NASL", "DEBIAN_DLA-1465.NASL"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1465-1:9B5F3", "DEBIAN:DSA-4248-1:5CA0C"]}], "modified": "2019-05-29T18:16:59"}, "vulnersScore": 7.1}, "objectVersion": "1.3", "cpe": ["cpe:/a:blender:blender:2.78c", "cpe:/a:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:debian:debian_linux:9.0", "cpe:/o:debian:debian_linux:9.0"], "affectedSoftware": [{"name": "blender blender", "operator": "eq", "version": "2.78c"}, {"name": "debian debian_linux", "operator": "eq", "version": "8.0"}, {"name": "debian debian_linux", "operator": "eq", "version": "9.0"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": 
"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:blender:blender:2.78c:*:*:*:*:*:*:*"], "cwe": ["CWE-190"]}
{"talos": [{"lastseen": "2019-05-29T19:19:54", "bulletinFamily": "info", "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0409\n\n## Blender Sequencer dpxOpen Buffer Overflow Code Execution Vulnerability\n\n##### January 11, 2018\n\n##### CVE Number\n\nCVE-2017-2902 \n\n### Summary\n\nAn exploitable integer overflow exists in the DPX loading functionality of the Blender open-source 3d creation suite version 2.78c. A specially crafted `.cin` file can cause an integer overflow resulting in a buffer overflow which can allow for code execution under the context of the application. An attacker can convince a user to use the file as an asset via the sequencer in order to trigger this vulnerability.\n\n### Tested Versions\n\nBlender v2.78c\n\n### Product URLs\n\n[http://www.blender.org](<https://www.blender.org>) git://git.blender.org/blender.git\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')\n\n### Details\n\nBlender is a professional, open-source 3d computer graphics application. It is used for creating animated films, visual effects, art, 3d printed applications, and video games. It is also capable of doing minimalistic video editing and sequencing as needed by the user. There are various features that it provides which allow for a user to perform a multitude of actions as required by a particular project.\n\nThis vulnerability exists with how the Blender application loads a DPX file as a resource for the video sequencer. When allocating space for the image data within a `.cin` file, the application will perform some arithmetic which can overflow. This result will then be used to perform an allocation which can allow for an undersized buffer. 
Later when the application attempts to render the image data into this buffer, a heap-based buffer overflow will occur.\n\nWhen loading an image file, the function `IMB_loadiffname` in the `source/blender/imbuf/intern/readimage.c` file will be called. Inside this function, the application will first open the file and then call the `IMB_loadifffile` function [2].\n \n \n source/blender/imbuf/intern/readimage.c:212\n ImBuf *IMB_loadiffname(const char *filepath, int flags, char colorspace[IM_MAX_SPACE])\n {\n ...\n file = BLI_open(filepath_tx, O_BINARY | O_RDONLY, 0); // [1]\n if (file == -1)\n return NULL;\n \n ibuf = IMB_loadifffile(file, filepath, flags, colorspace, filepath_tx); // [2]\n \n\nInside the `IMB_loadifffile` function, the application will first map the whole file into memory using the `mmap` system-call [3]. After the file is successfully mapped into memory, the resulting pages will be passed to the `IMB_ibImageFromMemory` function [4]. This function is responsible for figuring out which file-format handlers to use, and then to call its respective loader.\n \n \n source/blender/imbuf/intern/readimage.c:165\n ImBuf *IMB_loadifffile(int file, const char *filepath, int flags, char colorspace[IM_MAX_SPACE], const char *descr)\n {\n ...\n imb_mmap_lock();\n mem = mmap(NULL, size, PROT_READ, MAP_SHARED, file, 0); // [3]\n imb_mmap_unlock();\n \n if (mem == (unsigned char *) -1) {\n fprintf(stderr, \"%s: couldn't get mapping %s\\n\", __func__, descr);\n return NULL;\n }\n \n ibuf = IMB_ibImageFromMemory(mem, size, flags, colorspace, descr); // [4]\n \n\nInside the following function, the application will iterate through a global list that contains different handlers for all of the image files that the application supports. 
At [5], the application will call the function responsible for loading the image out of memory.\n \n \n source/blender/imbuf/intern/readimage.c:104\n ImBuf *IMB_ibImageFromMemory(unsigned char *mem, size_t size, int flags, char colorspace[IM_MAX_SPACE], const char *descr)\n {\n ...\n for (type = IMB_FILE_TYPES; type < IMB_FILE_TYPES_LAST; type++) {\n if (type->load) {\n ibuf = type->load(mem, size, flags, effective_colorspace); // [5]\n if (ibuf) {\n imb_handle_alpha(ibuf, flags, colorspace, effective_colorspace);\n return ibuf;\n }\n }\n }\n \n\nAfter determining that the file is of a DPX or CINEON file, the function at [6] will be called. This will execute the `logImageOpenFromMemory` function which will check the header of the file in order to determine whether to call `logImageIsDpx` or `logImageIsCineon` functions. If a DPX image file was detected, then the `dpxOpen` function will be called at [7]\n \n \n source/blender/imbuf/intern/cineon/cineon_dpx.c:52\n static struct ImBuf *imb_load_dpx_cineon(\n const unsigned char *mem, size_t size, int use_cineon, int flags,\n char colorspace[IM_MAX_SPACE])\n {\n ...\n image = logImageOpenFromMemory(mem, size); // [6] \\\n \\\n source/blender/imbuf/intern/cineon/logImageCore.c:118\n LogImageFile *logImageOpenFromMemory(const unsigned char *buffer, unsigned int size)\n {\n if (logImageIsDpx(buffer))\n return dpxOpen(buffer, 1, size); // [7]\n else if (logImageIsCineon(buffer))\n return cineonOpen(buffer, 1, size);\n \n return NULL;\n }\n \n\nOnce inside the `dpxOpen` function, the application will read the `header` from the file into a `DpxMainHeader` structure [8]. This structure is composed of 5 different headers that are constantly sized. At [9], the `imageHeader` field is declared as the `DpxImageHeader` structure. This structure contains a constant-sized array in the `element` field [10]. 
This structure only allocates up to 8 elements for the `DpxElementHeader` structure.\n \n \n source/blender/imbuf/intern/cineon/dpxlib.c:133\n LogImageFile *dpxOpen(const unsigned char *byteStuff, int fromMemory, size_t bufferSize)\n {\n DpxMainHeader header;\n LogImageFile *dpx = (LogImageFile *)MEM_mallocN(sizeof(LogImageFile), __func__);\n const char *filename = (const char *)byteStuff;\n int i;\n \n if (dpx == NULL) {\n if (verbose) printf(\"DPX: Failed to malloc dpx file structure.\\n\");\n return NULL;\n }\n ...\n if (logimage_fread(&header, sizeof(header), 1, dpx) == 0) { // [8]\n if (verbose) printf(\"DPX: Not enough data for header in \\\"%s\\\".\\n\", byteStuff);\n logImageClose(dpx);\n return NULL;\n }\n \n source/blender/imbuf/intern/cineon/dpxlib.h:144\n typedef struct {\n DpxFileHeader fileHeader;\n DpxImageHeader imageHeader; // [9]\n DpxOrientationHeader orientationHeader;\n DpxFilmHeader filmHeader;\n DpxTelevisionHeader televisionHeader;\n } DpxMainHeader;\n \n source/blender/imbuf/intern/cineon/dpxlib.h:80\n typedef struct {\n unsigned short orientation;\n unsigned short elements_per_image;\n unsigned int pixels_per_line;\n unsigned int lines_per_element;\n DpxElementHeader element[8]; // [10]\n char reserved[52];\n } DpxImageHeader;\n \n source/blender/imbuf/intern/cineon/dpxlib.h:63\n typedef struct {\n ...\n } DpxElementHeader;\n \n\nAfter the application finishes reading the header, it will begin to check its magic at [11], and collect the image dimensions at [13]. At [12], however, the application will read a 16-bit unsigned integer from the header and use it to determine the number of elements to read from the header. Due to a lack of bounds checking, this value can be used to write outside the bounds of the `elements` field. 
If this value is larger than 8, then a buffer overflow can be made to occur.\n \n \n source/blender/imbuf/intern/cineon/dpxlib.c:176\n if (header.fileHeader.magic_num == swap_uint(DPX_FILE_MAGIC, 1)) { // [11]\n dpx->isMSB = 1;\n if (verbose) printf(\"DPX: File is MSB.\\n\");\n }\n else if (header.fileHeader.magic_num == DPX_FILE_MAGIC) {\n dpx->isMSB = 0;\n if (verbose) printf(\"DPX: File is LSB.\\n\");\n }\n ...\n dpx->srcFormat = format_DPX;\n dpx->numElements = swap_ushort(header.imageHeader.elements_per_image, dpx->isMSB); // [12]\n if (dpx->numElements == 0) {\n if (verbose) printf(\"DPX: Wrong number of elements: %d\\n\", dpx->numElements);\n logImageClose(dpx);\n return NULL;\n }\n \n dpx->width = swap_uint(header.imageHeader.pixels_per_line, dpx->isMSB); // [13]\n dpx->height = swap_uint(header.imageHeader.lines_per_element, dpx->isMSB);\n \n\nAfter storing the number of elements and the dimensions of the image, the following loop will be entered to extract information from the `imageHeader.element` field. 
Due to a missing bounds check on the `dpx->numElements` field, this loop can write outside the bounds of the `dpx->element` array [14].\n \n \n source/blender/imbuf/intern/cineon/dpxlib.c:213\n for (i = 0; i < dpx->numElements; i++) {\n dpx->element[i].descriptor = header.imageHeader.element[i].descriptor; // [14]\n \n switch (dpx->element[i].descriptor) {\n ...\n }\n \n if (dpx->depth == 0 || dpx->depth > 4) {\n ...\n }\n \n dpx->element[i].bitsPerSample = header.imageHeader.element[i].bits_per_sample;\n if (dpx->element[i].bitsPerSample != 1 && dpx->element[i].bitsPerSample != 8 &&\n dpx->element[i].bitsPerSample != 10 && dpx->element[i].bitsPerSample != 12 &&\n dpx->element[i].bitsPerSample != 16)\n {\n ...\n }\n \n ...\n if (dpx->element[i].dataOffset == 0) {\n ...\n }\n \n dpx->element[i].transfer = header.imageHeader.element[i].transfer;\n \n ...\n }\n \n\n### Crash Information\n \n \n (25fc.27e0): Access violation - code c0000005 (first chance)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n eax=00000000 ebx=00cbeed7 ecx=00020000 edx=00003f80 esi=14cb4e6c edi=14cb4fdc\n eip=016f2cb5 esp=00cbe950 ebp=00cbf178 iopl=0 nv up ei pl nz na po nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202\n blender!osl_texture_set_swrap_code+0x47a25:\n 016f2cb5 f30f114728 movss dword ptr [edi+28h],xmm0 ds:002b:14cb5004=????????\n \n 0:000> !heap -p -a @edi\n address 14cb4fdc found in\n _DPH_HEAP_ROOT @ 6f01000\n in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)\n 14222000: 14cb4e68 198 - \n \n\n### Exploit Proof-of-Concept\n\nIncluded with this advisory is a generator for the vulnerability. 
This proof-of-concept requires python and takes a single-argument which is the filename to write the `.cin` file to.\n \n \n $ python poc.py $FILENAME.cin\n \n\nTo trigger the vulnerability, one can simply add it as an asset or they can pass it as an argument to the blender executable.\n \n \n $ /path/to/blender.exe -a $FILENAME.cin\n \n\n### Mitigation\n\nIn order to mitigate this vulnerability, it is recommended to not use untrusted image files as an asset when using the sequencer.\n\n### Timeline\n\n2017-09-06 - Vendor Disclosure \n2018-01-11 - Public Release\n\n##### Credit\n\nDiscovered by a member of Cisco Talos.\n", "modified": "2018-01-11T00:00:00", "published": "2018-01-11T00:00:00", "id": "TALOS-2017-0409", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0409", "title": "Blender Sequencer dpxOpen Buffer Overflow Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:33:28", "bulletinFamily": "scanner", "description": "Multiple vulnerabilities have been discovered in various parsers of\nBlender, a 3D modeller/ renderer. 
Malformed .blend model files and\nmalformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may\nresult in the execution of arbitrary code.", "modified": "2019-03-18T00:00:00", "published": "2018-08-14T00:00:00", "id": "OPENVAS:1361412562310891465", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891465", "title": "Debian LTS Advisory ([SECURITY] [DLA 1465-1] blender security update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_dla_1465.nasl 14270 2019-03-18 14:24:29Z cfischer $\n#\n# Auto-generated from advisory DLA 1465-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891465\");\n script_version(\"$Revision: 14270 $\");\n script_cve_id(\"CVE-2017-12081\", \"CVE-2017-12082\", \"CVE-2017-12086\", \"CVE-2017-12099\", \"CVE-2017-12100\",\n \"CVE-2017-12101\", \"CVE-2017-12102\", \"CVE-2017-12103\", \"CVE-2017-12104\", \"CVE-2017-12105\",\n \"CVE-2017-2899\", \"CVE-2017-2900\", \"CVE-2017-2901\", \"CVE-2017-2902\", \"CVE-2017-2903\",\n \"CVE-2017-2904\", \"CVE-2017-2905\", \"CVE-2017-2906\", \"CVE-2017-2907\", \"CVE-2017-2908\",\n \"CVE-2017-2918\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1465-1] blender security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:24:29 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-08-14 00:00:00 +0200 (Tue, 14 Aug 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/08/msg00011.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"blender on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 
'Jessie', these problems have been fixed in version\n2.72.b+dfsg0-3+deb8u1.\n\nWe recommend that you upgrade your blender packages.\");\n script_tag(name:\"summary\", value:\"Multiple vulnerabilities have been discovered in various parsers of\nBlender, a 3D modeller/ renderer. Malformed .blend model files and\nmalformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may\nresult in the execution of arbitrary code.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"blender\", ver:\"2.72.b+dfsg0-3+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"blender-data\", ver:\"2.72.b+dfsg0-3+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"blender-dbg\", ver:\"2.72.b+dfsg0-3+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-04T18:56:38", "bulletinFamily": "scanner", "description": "Multiple vulnerabilities have been discovered in various parsers of\nBlender, a 3D modeller/ renderer. 
Malformed .blend model files and\nmalformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may\nresult in the execution of arbitrary code.", "modified": "2019-07-04T00:00:00", "published": "2018-07-17T00:00:00", "id": "OPENVAS:1361412562310704248", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704248", "title": "Debian Security Advisory DSA 4248-1 (blender - security update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4248-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704248\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2017-12081\", \"CVE-2017-12082\", \"CVE-2017-12086\", \"CVE-2017-12099\", \"CVE-2017-12100\",\n \"CVE-2017-12101\", \"CVE-2017-12102\", \"CVE-2017-12103\", \"CVE-2017-12104\", \"CVE-2017-12105\",\n \"CVE-2017-2899\", \"CVE-2017-2900\", \"CVE-2017-2901\", \"CVE-2017-2902\", \"CVE-2017-2903\",\n \"CVE-2017-2904\", \"CVE-2017-2905\", \"CVE-2017-2906\", \"CVE-2017-2907\", \"CVE-2017-2908\",\n \"CVE-2017-2918\");\n script_name(\"Debian Security Advisory DSA 4248-1 (blender - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-07-17 00:00:00 +0200 (Tue, 17 Jul 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4248.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"blender on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), 
these problems have been fixed in\nversion 2.79.b+dfsg0-1~deb9u1.\n\nWe recommend that you upgrade your blender packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/blender\");\n script_tag(name:\"summary\", value:\"Multiple vulnerabilities have been discovered in various parsers of\nBlender, a 3D modeller/ renderer. Malformed .blend model files and\nmalformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may\nresult in the execution of arbitrary code.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"blender\", ver:\"2.79.b+dfsg0-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"blender-data\", ver:\"2.79.b+dfsg0-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"blender-dbg\", ver:\"2.79.b+dfsg0-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-05-30T02:21:30", "bulletinFamily": "unix", "description": "Package : blender\nVersion : 2.72.b+dfsg0-3+deb8u1\nCVE ID : CVE-2017-2899 CVE-2017-2900 CVE-2017-2901 CVE-2017-2902\n CVE-2017-2903 CVE-2017-2904 CVE-2017-2905 CVE-2017-2906\n CVE-2017-2907 CVE-2017-2908 CVE-2017-2918\n CVE-2017-12081 CVE-2017-12082 CVE-2017-12086\n CVE-2017-12099 CVE-2017-12100 CVE-2017-12101\n CVE-2017-12102 CVE-2017-12103 CVE-2017-12104\n CVE-2017-12105\n\nMultiple vulnerabilities have been discovered in various parsers of\nBlender, a 3D modeller/ renderer. 
Malformed .blend model files and\nmalformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may\nresult in the execution of arbitrary code.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n2.72.b+dfsg0-3+deb8u1.\n\nWe recommend that you upgrade your blender packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "modified": "2018-08-13T11:09:14", "published": "2018-08-13T11:09:14", "id": "DEBIAN:DLA-1465-1:9B5F3", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201808/msg00011.html", "title": "[SECURITY] [DLA 1465-1] blender security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:21:31", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4248-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJuly 17, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : blender\nCVE ID : CVE-2017-2899 CVE-2017-2900 CVE-2017-2901 CVE-2017-2902 \n CVE-2017-2903 CVE-2017-2904 CVE-2017-2905 CVE-2017-2906 \n CVE-2017-2907 CVE-2017-2908 CVE-2017-2918 CVE-2017-12081 \n CVE-2017-12082 CVE-2017-12086 CVE-2017-12099 CVE-2017-12100 \n CVE-2017-12101 CVE-2017-12102 CVE-2017-12103 CVE-2017-12104 \n CVE-2017-12105\n\nMultiple vulnerabilities have been discovered in various parsers of\nBlender, a 3D modeller/ renderer. 
Malformed .blend model files and\nmalformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may\nresult in the execution of arbitrary code.\n\t\t\t\t\t\t\t \nFor the stable distribution (stretch), these problems have been fixed in\nversion 2.79.b+dfsg0-1~deb9u1.\n\nWe recommend that you upgrade your blender packages.\n\nFor the detailed security status of blender please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/blender\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2018-07-17T20:37:12", "published": "2018-07-17T20:37:12", "id": "DEBIAN:DSA-4248-1:5CA0C", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00177.html", "title": "[SECURITY] [DSA 4248-1] blender security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-12-13T06:47:51", "bulletinFamily": "scanner", "description": "Multiple vulnerabilities have been discovered in various parsers of\nBlender, a 3D modeller/ renderer. Malformed .blend model files and\nmalformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may\nresult in the execution of arbitrary code.\n\nFor Debian 8 ", "modified": "2019-12-02T00:00:00", "id": "DEBIAN_DLA-1465.NASL", "href": "https://www.tenable.com/plugins/nessus/111705", "published": "2018-08-15T00:00:00", "title": "Debian DLA-1465-1 : blender security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1465-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111705);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/07/15 14:20:30\");\n\n script_cve_id(\"CVE-2017-12081\", \"CVE-2017-12082\", \"CVE-2017-12086\", \"CVE-2017-12099\", \"CVE-2017-12100\", \"CVE-2017-12101\", \"CVE-2017-12102\", \"CVE-2017-12103\", \"CVE-2017-12104\", \"CVE-2017-12105\", \"CVE-2017-2899\", \"CVE-2017-2900\", \"CVE-2017-2901\", \"CVE-2017-2902\", \"CVE-2017-2903\", \"CVE-2017-2904\", \"CVE-2017-2905\", \"CVE-2017-2906\", \"CVE-2017-2907\", \"CVE-2017-2908\", \"CVE-2017-2918\");\n\n script_name(english:\"Debian DLA-1465-1 : blender security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities have been discovered in various parsers of\nBlender, a 3D modeller/ renderer. Malformed .blend model files and\nmalformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may\nresult in the execution of arbitrary code.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n2.72.b+dfsg0-3+deb8u1.\n\nWe recommend that you upgrade your blender packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/08/msg00011.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/blender\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected blender, blender-data, and blender-dbg packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:blender\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:blender-data\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:blender-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"blender\", reference:\"2.72.b+dfsg0-3+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"blender-data\", reference:\"2.72.b+dfsg0-3+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"blender-dbg\", reference:\"2.72.b+dfsg0-3+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T06:54:33", "bulletinFamily": "scanner", "description": "Multiple vulnerabilities have been discovered in various parsers of\nBlender, a 3D modeller/ renderer. Malformed .blend model files and\nmalformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may\nresult in the execution of arbitrary code.", "modified": "2019-12-02T00:00:00", "id": "DEBIAN_DSA-4248.NASL", "href": "https://www.tenable.com/plugins/nessus/111140", "published": "2018-07-18T00:00:00", "title": "Debian DSA-4248-1 : blender - security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4248. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111140);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/07/15 14:20:30\");\n\n script_cve_id(\"CVE-2017-12081\", \"CVE-2017-12082\", \"CVE-2017-12086\", \"CVE-2017-12099\", \"CVE-2017-12100\", \"CVE-2017-12101\", \"CVE-2017-12102\", \"CVE-2017-12103\", \"CVE-2017-12104\", \"CVE-2017-12105\", \"CVE-2017-2899\", \"CVE-2017-2900\", \"CVE-2017-2901\", \"CVE-2017-2902\", \"CVE-2017-2903\", \"CVE-2017-2904\", \"CVE-2017-2905\", \"CVE-2017-2906\", \"CVE-2017-2907\", \"CVE-2017-2908\", \"CVE-2017-2918\");\n script_xref(name:\"DSA\", value:\"4248\");\n\n script_name(english:\"Debian DSA-4248-1 : blender - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities have been discovered in various parsers of\nBlender, a 3D modeller/ renderer. 
Malformed .blend model files and\nmalformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may\nresult in the execution of arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/blender\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/blender\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4248\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the blender packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 2.79.b+dfsg0-1~deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:blender\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"blender\", reference:\"2.79.b+dfsg0-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"blender-data\", reference:\"2.79.b+dfsg0-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"blender-dbg\", reference:\"2.79.b+dfsg0-1~deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}