Florian Ernst
2007-Mar-14 10:24 UTC
[Secure-testing-team] CVE-2007-1253: blender: eval injection vulnerability in kmz_ImportWithMesh.py
Hello folks,

just FYI: CVE-2007-1253 as e.g. summarised on <http://idssi.enyo.de/tracker/CVE-2007-1253> only affects testing/unstable. A fix is in preparation and will be uploaded as 2.42a-6 to unstable from where it can easily propagate to testing.

Upstream has decided to deal with this issue by simply dropping the script in question in 2.43, and the blender package maintainers will follow suit (2.43 will also be uploaded to experimental soon, fwiw).

Stable/oldstable are not affected as this script was first introduced in upstream 2.42, see e.g. upstream's cvs for background: <http://projects.blender.org/viewcvs/viewcvs.cgi/blender/release/scripts/Attic/kmz_ImportWithMesh.py?r1=1.13&cvsroot=bf-blender>

HTH,
Flo