[Bf-committers] PATCH CVE-2009-3850 for blender-2.57

Jochen Schmitt Jochen at herr-schmitt.de
Wed Apr 27 19:08:00 CEST 2011


Hallo,

I was notified that the security issue CVE-2009-3850 still exists in
blender-2.57.

The patch below was provided on bug #364291 on gut.gentoo.org, and I want
to forward it to you.

Best Regards:

Jochen Schmitt




@@ -, +, @@
 --enable-autoexec|-y|-666  (CVE-2009-3850)
 source/blender/blenkernel/intern/blender.c     |    3 ++-
 source/blender/makesrna/intern/rna_userdef.c   |    9 ++++++---
 source/blender/windowmanager/intern/wm_files.c |    3 ++-
 source/creator/creator.c                       |   10 ++++++----
 4 files changed, 16 insertions(+), 9 deletions(-)
--- a/source/blender/blenkernel/intern/blender.c   
+++ a/source/blender/blenkernel/intern/blender.c   
@@ -141,7 +141,8 @@ void initglobals(void)
     G.charmin = 0x0000;
     G.charmax = 0xffff;
    
-    G.f |= G_SCRIPT_AUTOEXEC;
+    G.f &= ~G_SCRIPT_AUTOEXEC;
+    G.f |= G_SCRIPT_OVERRIDE_PREF;  /* Disables turning
G_SCRIPT_AUTOEXEC on from user prefs */
 }
 
 /***/
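Review bot: With `G.f |= G_SCRIPT_OVERRIDE_PREF;` now set in initglobals, the flag is on in the default state and no longer means that a command-line switch was given; within this patch only enable_python in creator.c clears it. Any reader of the flag outside the files shown here that uses it to detect an explicit command-line choice would now see it set on every start, so those call sites are worth checking. The added comment could state the new contract in full, for example `/* default: autoexec off and user prefs cannot enable it; only --enable-autoexec clears this flag */`. initglobals begins outside the hunk.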
--- a/source/blender/makesrna/intern/rna_userdef.c   
+++ a/source/blender/makesrna/intern/rna_userdef.c   
@@ -99,9 +99,12 @@ static void rna_userdef_show_manipulator_update(Main
*bmain, Scene *scene, Point
 
 static void rna_userdef_script_autoexec_update(Main *bmain, Scene
*scene, PointerRNA *ptr)
 {
-    UserDef *userdef = (UserDef*)ptr->data;
-    if (userdef->flag & USER_SCRIPT_AUTOEXEC_DISABLE)    G.f &=
~G_SCRIPT_AUTOEXEC;
-    else                                                G.f |= 
G_SCRIPT_AUTOEXEC;
+    if ((G.f & G_SCRIPT_OVERRIDE_PREF) == 0) {
+        /* Blender run with --enable-autoexec */
+        UserDef *userdef = (UserDef*)ptr->data;
+        if (userdef->flag & USER_SCRIPT_AUTOEXEC_DISABLE)    G.f &=
~G_SCRIPT_AUTOEXEC;
+        else                                                G.f |= 
G_SCRIPT_AUTOEXEC;
+    }
 }
 
 static void rna_userdef_mipmap_update(Main *bmain, Scene *scene,
PointerRNA *ptr)
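Review bot: When G_SCRIPT_OVERRIDE_PREF is set, rna_userdef_script_autoexec_update now returns without touching G.f, so a change to the auto-execute preference is accepted but has no effect on the running session. The preference bit is presumably still stored in userdef->flag by the RNA property, which would leave the preferences panel showing a state that differs from the effective one; that fails safe, but silently. A comment on the guard such as `/* prefs are honoured only when started with --enable-autoexec; otherwise autoexec stays off */` would make this explicit, and telling the user that the change was ignored is worth considering. The existing `/* Blender run with --enable-autoexec */` would read more clearly placed above the `if` than inside it.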
--- a/source/blender/windowmanager/intern/wm_files.c   
+++ a/source/blender/windowmanager/intern/wm_files.c   
@@ -270,7 +270,8 @@ static void wm_init_userdef(bContext *C)
 
     /* set the python auto-execute setting from user prefs */
     /* enabled by default, unless explicitly enabled in the command
line which overrides */
-    if((G.f & G_SCRIPT_OVERRIDE_PREF) == 0) {
+    if (! G.background && ((G.f & G_SCRIPT_OVERRIDE_PREF) == 0)) {
+        /* Blender run with --enable-autoexec */
         if ((U.flag & USER_SCRIPT_AUTOEXEC_DISABLE) == 0) G.f |= 
G_SCRIPT_AUTOEXEC;
         else                                              G.f &=
~G_SCRIPT_AUTOEXEC;
     }
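Review bot: The context comment above the changed condition still reads `enabled by default, unless explicitly enabled in the command line which overrides`, which contradicts the new behaviour: initglobals now disables auto-execution and the preference is consulted only after --enable-autoexec. It should be updated, for example to `/* disabled by default; user prefs are applied only in interactive runs started with --enable-autoexec */`. The added `! G.background` test also means the preference is never applied in background mode, so, assuming G.background is already set when this runs, `-b` together with `--enable-autoexec` turns execution on regardless of USER_SCRIPT_AUTOEXEC_DISABLE; the comment should say so. wm_init_userdef starts and ends outside the hunk.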
--- a/source/creator/creator.c   
+++ a/source/creator/creator.c   
@@ -278,6 +278,7 @@ static int print_help(int UNUSED(argc), const char
**UNUSED(argv), void *data)
 
     printf("\n");
 
+    BLI_argsPrintArgDoc(ba, "-666");
     BLI_argsPrintArgDoc(ba, "--enable-autoexec");
     BLI_argsPrintArgDoc(ba, "--disable-autoexec");
 
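Review bot: `-666` adds a third spelling of the switch that turns automatic script execution on, here in print_help and again in the BLI_argsAdd call in the setupArguments hunk further down. Its help string, `(port from CVE-2009-3850 patch to Blender 2.49b)`, tells the user nothing about what the option permits, and an extra alias makes it harder to audit launchers and desktop files for the enabling option. Either drop the alias or describe it as one, e.g. `"\n\tAlias of --enable-autoexec (kept for compatibility with the 2.49b CVE-2009-3850 patch)"`. print_help continues outside the hunk.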
@@ -359,14 +360,14 @@ static int end_arguments(int UNUSED(argc), const
char **UNUSED(argv), void *UNUS
 static int enable_python(int UNUSED(argc), const char **UNUSED(argv),
void *UNUSED(data))
 {
     G.f |= G_SCRIPT_AUTOEXEC;
-    G.f |= G_SCRIPT_OVERRIDE_PREF;
+    G.f &= ~G_SCRIPT_OVERRIDE_PREF;  /* Enables turning
G_SCRIPT_AUTOEXEC off from user prefs */
     return 0;
 }
 
 static int disable_python(int UNUSED(argc), const char **UNUSED(argv),
void *UNUSED(data))
 {
     G.f &= ~G_SCRIPT_AUTOEXEC;
-    G.f |= G_SCRIPT_OVERRIDE_PREF;
+    G.f |= G_SCRIPT_OVERRIDE_PREF;  /* Disables turning
G_SCRIPT_AUTOEXEC on from user prefs */
     return 0;
 }
 
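Review bot: enable_python now clears G_SCRIPT_OVERRIDE_PREF, so in an interactive run `-y` no longer forces auto-execution: the wm_init_userdef code in the wm_files.c hunk will switch G_SCRIPT_AUTOEXEC back off when USER_SCRIPT_AUTOEXEC_DISABLE is set in the preferences. The help string registered in the setupArguments hunk still says `Enable automatic python script execution`, which overstates what the option does. Suggest wording it as `"\n\tAllow automatic python script execution (interactive runs follow the user preference)"` and stating the same in the comment on the `G.f &= ~G_SCRIPT_OVERRIDE_PREF;` line.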
@@ -1075,8 +1076,9 @@ static void setupArguments(bContext *C, bArgs *ba,
SYS_SystemHandle *syshandle)
 
     BLI_argsAdd(ba, 1, "-v", "--version", "\n\tPrint Blender version
and exit", print_version, NULL);
 
-    BLI_argsAdd(ba, 1, "-y", "--enable-autoexec", "\n\tEnable automatic
python script execution (default)", enable_python, NULL);
-    BLI_argsAdd(ba, 1, "-Y", "--disable-autoexec", "\n\tDisable
automatic python script execution (pydrivers, pyconstraints, pynodes)",
disable_python, NULL);
+    BLI_argsAdd(ba, 1, NULL, "-666", "\n\tEnable automatic python
script execution (port from CVE-2009-3850 patch to Blender 2.49b)",
enable_python, NULL);
+    BLI_argsAdd(ba, 1, "-y", "--enable-autoexec", "\n\tEnable automatic
python script execution", enable_python, NULL);
+    BLI_argsAdd(ba, 1, "-Y", "--disable-autoexec", "\n\tDisable
automatic python script execution (pydrivers, pyconstraints, pynodes)
(default)", disable_python, NULL);
 
     BLI_argsAdd(ba, 1, "-b", "--background", "<file>\n\tLoad <file> in
background (often used for UI-less rendering)", background_mode, NULL);
 


