Talos Vulnerability Report
TALOS-2017-0415
Blender Directory Browsing Thumbnail Viewer Integer Overflow Code Execution Vulnerability
January 11, 2018

CVE Number
CVE-2017-2908

Summary
An exploitable integer overflow exists in the thumbnail functionality of the Blender open-source 3D creation suite, version 2.78c. A specially crafted .blend file can cause an integer overflow that leads to a heap buffer overflow, which can allow code execution in the context of the application. An attacker can convince a user to render the thumbnail for the file while in the File->Open dialog.

Tested Versions
Blender v2.78c

Product URLs
http://www.blender.org
git://git.blender.org/blender.git

CVSSv3 Score
7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE
CWE-190 - Integer Overflow or Wraparound

Details
Blender is a professional, open-source 3D computer graphics application. It is used for creating animated films, visual effects, art, 3D-printed models, and video games, and it can also do basic video editing and sequencing. It offers a wide range of features that let a user perform whatever actions a particular project requires.

This vulnerability lies in how Blender loads the thumbnail embedded in a .blend file when browsing directory contents. When allocating space for the thumbnail image, the application performs arithmetic on dimensions taken from the file, and that arithmetic can overflow. The overflowed result is then used as the allocation size, producing an undersized buffer. When the application later copies the thumbnail data into that buffer, a heap-based buffer overflow occurs.

When loading a thumbnail from a .blend file, BLO_thumbnail_from_file is called. Near the beginning of this function, the application calls blo_openblenderfile_minimal to read the file header [1]. The header contains a magic value that determines the pointer size and byte order used within the file. Immediately afterwards, at [2], the application calls read_file_thumbnail. This function scans the block headers for one whose code is "TEST" [3]. Once found, the application validates the block's length: it reads two signed 32-bit numbers (the thumbnail width and height) from the block and checks that the block's length is at least the value of the BLEN_THUMB_MEMSIZE_FILE macro [4]; a shorter block is rejected. This macro multiplies the two numbers together, adds the constant 2, and multiplies the sum by the size of an int. Because the product of the two values is computed in 32-bit int arithmetic before the cast to size_t, and nothing checks that it fits, the multiplication can wrap around, so the length check passes for a block that is far smaller than the dimensions imply.

    source/blender/blenloader/intern/readfile.c:1401
    BlendThumbnail *BLO_thumbnail_from_file(const char *filepath)
    {
        FileData *fd;
        BlendThumbnail *data;
        int *fd_data;

        fd = blo_openblenderfile_minimal(filepath);                       // [1]
        fd_data = fd ? read_file_thumbnail(fd) : NULL;                    // [2]

        if (fd_data) {
            const size_t sz = BLEN_THUMB_MEMSIZE(fd_data[0], fd_data[1]); // [5]
            data = MEM_mallocN(sz, __func__);

            BLI_assert((sz - sizeof(*data)) == (BLEN_THUMB_MEMSIZE_FILE(fd_data[0], fd_data[1]) - (sizeof(*fd_data) * 2)));
            data->width = fd_data[0];
            data->height = fd_data[1];
            memcpy(data->rect, &fd_data[2], sz - sizeof(*data));          // [6]
        }
        ...

    source/blender/blenloader/intern/readfile.c:946
    static int *read_file_thumbnail(FileData *fd)
    {
        BHead *bhead;
        int *blend_thumb = NULL;

        for (bhead = blo_firstbhead(fd); bhead; bhead = blo_nextbhead(fd, bhead)) {
            if (bhead->code == TEST) {                                    // [3]
                const bool do_endian_swap = (fd->flags & FD_FLAGS_SWITCH_ENDIAN) != 0;
                int *data = (int *)(bhead + 1);

                if (bhead->len < (2 * sizeof(int))) {
                    break;
                }

                if (do_endian_swap) {
                    BLI_endian_switch_int32(&data[0]);
                    BLI_endian_switch_int32(&data[1]);
                }

                if (bhead->len < BLEN_THUMB_MEMSIZE_FILE(data[0], data[1])) { // [4]
                    break;
                }

                blend_thumb = data;
                break;
            }
            ...
        }
        return blend_thumb;
    }

    source/blender/blenloader/BLO_blend_defs.h:78
    #define BLEN_THUMB_MEMSIZE_FILE(_x, _y) (sizeof(int) * (size_t)(2 + (_x) * (_y)))

After validating the thumbnail header and returning a pointer to the thumbnail data, the application resumes execution in BLO_thumbnail_from_file. Using the data returned from read_file_thumbnail, it passes both signed 32-bit numbers to the BLEN_THUMB_MEMSIZE macro [5]. This macro multiplies the two numbers together and then by the size of an int, and adds the size of a BlendThumbnail structure to the result. Here too the product is formed as a 32-bit int before the cast to size_t, and because the application does not check that it fits, an integer overflow can occur. The wrapped size is passed to MEM_mallocN, so the allocation can be far smaller than the thumbnail it is meant to hold. The overflow is then triggered by the assignments to data->width and data->height, or by the memcpy at [6], whose length (sz - sizeof(*data)) is itself derived from the wrapped size.

    source/blender/blenkernel/BKE_main.h:125
    #define BLEN_THUMB_MEMSIZE(_x, _y) (sizeof(BlendThumbnail) + (size_t)((_x) * (_y)) * sizeof(int))

Crash Information

    (20.2d90): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=3295affc ebx=336b2ff8 ecx=0b6a51a1 edx=010186b0 esi=00000000 edi=32b4ab3c
    eip=0081c8be esp=2e56ca98 ebp=2e56cab0 iopl=0 nv up ei pl nz ac pe nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
    blender!PyInit_mathutils_noise_types+0x12de3e:
    0081c8be 894804 mov dword ptr [eax+4],ecx ds:002b:3295b000=????????
    0:016> !heap -p -a @eax
    address 3295affc found in
    _DPH_HEAP_ROOT @ 8811000
    in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
    32990ed4: 3295aff8 4 - 3295a000 2000

The page-heap record shows that the thumbnail allocation was only 4 bytes (UserSize 4), smaller than the BlendThumbnail header alone, and the faulting store at 3295b000 lands on the guard page immediately following the 0x2000-byte page-heap region that starts at 3295a000.

Exploit Proof-of-Concept
Included with this advisory is a generator for the vulnerability. This proof-of-concept requires Python and takes a single argument, the filename to write the .blend file to.

    $ python poc.py $FILENAME.blend

To trigger the vulnerability, one can simply browse to the directory containing the file via the File->Open dialog and then view thumbnails by enabling them on the toolbar.

Mitigation
In order to mitigate this vulnerability, it is recommended not to use thumbnails when browsing a directory of projects.

Debian later shipped fixes for this and related Blender CVEs in DSA-4248-1 (stretch, blender 2.79.b+dfsg0-1~deb9u1, July 17, 2018) and DLA-1465-1 (jessie, blender 2.72.b+dfsg0-3+deb8u1, August 13, 2018).

Timeline
2017-09-06 - Vendor Disclosure
2018-01-11 - Public Release

Credit
Discovered by a member of Cisco Talos.
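To make the arithmetic in the Details section concrete, here is an added example (written for this page, not code from the advisory or from Blender) that evaluates the two size macros as the 32-bit build would and sets a hardened size computation beside them. It assumes sizeof(BlendThumbnail) is 8 bytes and sizeof(int) is 4, as on the 32-bit build in the crash dump; the hardened function is an illustration, not Blender's actual fix, and the dimensions used in main() are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constants modelling the 32-bit Blender build seen in the crash dump.
 * THUMB_HDR_SIZE is sizeof(BlendThumbnail), assumed here to be two ints
 * (width, height) with the pixel array following; PIXEL_SIZE is sizeof(int). */
#define THUMB_HDR_SIZE 8u
#define PIXEL_SIZE     4u

/* The real macros multiply two plain ints; on overflow that is undefined
 * behaviour in C. We model what the 32-bit build actually did at runtime
 * (two's-complement wraparound) with unsigned arithmetic, so the example is
 * well-defined and reproducible. */
static int32_t wrap_mul32(int32_t a, int32_t b)
{
    return (int32_t)((uint32_t)a * (uint32_t)b);
}

/* BLEN_THUMB_MEMSIZE_FILE(_x, _y) == sizeof(int) * (size_t)(2 + (_x) * (_y)),
 * evaluated with a 32-bit size_t. This is the bound checked at [4]. */
static uint32_t vuln_memsize_file32(int32_t w, int32_t h)
{
    return PIXEL_SIZE * (2u + (uint32_t)wrap_mul32(w, h));
}

/* BLEN_THUMB_MEMSIZE(_x, _y) == sizeof(BlendThumbnail) + (size_t)((_x) * (_y)) * sizeof(int),
 * evaluated with a 32-bit size_t. This is the allocation size computed at [5]. */
static uint32_t vuln_memsize32(int32_t w, int32_t h)
{
    return THUMB_HDR_SIZE + (uint32_t)wrap_mul32(w, h) * PIXEL_SIZE;
}

/* Hardened size computation (an illustration written for this example, not
 * Blender's actual patch). Returns the number of bytes to allocate, or 0 when
 * the dimensions are invalid, the byte count would not fit a 32-bit size_t,
 * or the TEST block is too short to hold width*height pixels. The product is
 * formed in 64 bits, so it can never wrap. */
static uint64_t safe_thumb_memsize(int32_t w, int32_t h, uint64_t block_len)
{
    if (w <= 0 || h <= 0)
        return 0;                                    /* negative or zero dims */
    uint64_t pixels = (uint64_t)w * (uint64_t)h;     /* exact, no wraparound */
    /* Largest pixel count whose allocation still fits a 32-bit size_t. */
    if (pixels > (UINT32_MAX - THUMB_HDR_SIZE) / PIXEL_SIZE)
        return 0;
    uint64_t file_bytes = (2 + pixels) * PIXEL_SIZE; /* dims + pixel data */
    if (block_len < file_bytes)
        return 0;                                    /* block too short */
    return THUMB_HDR_SIZE + pixels * PIXEL_SIZE;
}

int main(void)
{
    /* Constructed dimensions whose product is 2^32 - 1, i.e. -1 as a signed
     * 32-bit int; they reproduce the 4-byte allocation (UserSize 4) seen in
     * the page-heap record. They are not taken from the advisory's PoC. */
    int32_t w = 65535, h = 65537;
    printf("vulnerable: file check bound = %u bytes, allocation = %u bytes "
           "(header alone needs %u)\n",
           vuln_memsize_file32(w, h), vuln_memsize32(w, h), THUMB_HDR_SIZE);
    printf("hardened:   %llu (0 = rejected)\n",
           (unsigned long long)safe_thumb_memsize(w, h, 1u << 20));
    printf("hardened, 128x128 with a complete block: %llu bytes\n",
           (unsigned long long)safe_thumb_memsize(128, 128, 65544));
    return 0;
}
```

A bound on the accepted thumbnail dimensions would be a sensible additional layer, since a file-browser thumbnail never needs a width or height anywhere near the overflow threshold.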
Malformed .blend model files and\nmalformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may\nresult in the execution of arbitrary code.", "edition": 23, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-07-18T00:00:00", "title": "Debian DSA-4248-1 : blender - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2901", "CVE-2017-12086", "CVE-2017-2903", "CVE-2017-12105", "CVE-2017-2905", "CVE-2017-12082", "CVE-2017-2907", "CVE-2017-2902", "CVE-2017-12100", "CVE-2017-12104", "CVE-2017-2904", "CVE-2017-12099", "CVE-2017-2900", "CVE-2017-2906", "CVE-2017-2918", "CVE-2017-2899", "CVE-2017-12081", "CVE-2017-2908", "CVE-2017-12103", "CVE-2017-12102", "CVE-2017-12101"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:blender", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4248.NASL", "href": "https://www.tenable.com/plugins/nessus/111140", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4248. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111140);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/07/15 14:20:30\");\n\n script_cve_id(\"CVE-2017-12081\", \"CVE-2017-12082\", \"CVE-2017-12086\", \"CVE-2017-12099\", \"CVE-2017-12100\", \"CVE-2017-12101\", \"CVE-2017-12102\", \"CVE-2017-12103\", \"CVE-2017-12104\", \"CVE-2017-12105\", \"CVE-2017-2899\", \"CVE-2017-2900\", \"CVE-2017-2901\", \"CVE-2017-2902\", \"CVE-2017-2903\", \"CVE-2017-2904\", \"CVE-2017-2905\", \"CVE-2017-2906\", \"CVE-2017-2907\", \"CVE-2017-2908\", \"CVE-2017-2918\");\n script_xref(name:\"DSA\", value:\"4248\");\n\n script_name(english:\"Debian DSA-4248-1 : blender - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities have been discovered in various parsers of\nBlender, a 3D modeller/ renderer. 
Malformed .blend model files and\nmalformed multimedia files (AVI, BMP, HDR, CIN, IRIS, PNG, TIFF) may\nresult in the execution of arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/blender\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/blender\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4248\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the blender packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 2.79.b+dfsg0-1~deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:blender\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"blender\", reference:\"2.79.b+dfsg0-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"blender-data\", reference:\"2.79.b+dfsg0-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"blender-dbg\", reference:\"2.79.b+dfsg0-1~deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}