Talos security advisory for Blender product
Closed, ArchivedPublic

Description

Blender Version
Blender v2.78c

Hello, the Cisco Talos team found security vulnerabilities impacting Blender customers. As this is a sensitive security issue, this entry is to request a PGP key for further communication. If a key is not received or is unavailable, an unencrypted report will be sent via this report in two business days. Please acknowledge receipt so we can confirm we have the correct forum for reporting security issues.

For further information about the Cisco Vendor Vulnerability Reporting and Disclosure Policy please refer to this document which also links to our public PGP key. http://www.cisco.com/web/about/security/psirt/vendor_vulnerability_policy.html

Please CC vulndev@cisco.com on all correspondence related to this issue.


Developer note: adding CVE's here so we can keep track of whats fixed.

  • Fixed CVE-2017-2901: Blender Sequencer imb_loadiris Integer Overflow Code Execution Vulnerability rB829916f4e57a2d1580ff3b625f6bb909b9144a20

    This could crash reading corrupt images when generating thumbnails.

Details

Type
Bug

Yes this is the right place to post vulnerabilities. If you really think it's better to not publish it, email to to foundation@blender.org. No pgp key exists though.

Bastien Montagne (mont29) triaged this task as Incomplete priority.Sep 8 2017, 10:45 AM
Bastien Montagne (mont29) claimed this task.

More than a week without reply. Due to the policy of the tracker archiving for until required info/data are provided.

Reports were sent to foundation@blender.org on 9/6/17
T52654 identifier assigned in the email thread via Blender

Bastien Montagne (mont29) raised the priority of this task from Incomplete to Normal.

Thanks, got the mail now. We'll check on it asap.

Thanks. Let me know if you need any additional information. We prefer 1-2 business days notice of public release disclosure so we can coordinate on our end as well. Please let me know any new developments and/or timelines as they are confirmed (even if tentative).

Committed fix for one of the CVE's, note that I think we could make the CVE's public. It's no secret that corrupt files can crash Blender in various ways.

Do you have any updates on the other issues reported? To date, it appears only CVE-2017-2901 (TALOS-2017-0408) is fixed although TALOS-2017-0451 is also referenced above.

Closing this report, use T52924 instead.