[Bf-committers] PATCH CVE-2009-3850 for blender-2.57

Campbell Barton ideasman42 at gmail.com
Thu Apr 28 08:28:34 CEST 2011


Hi, I tried the patch, but it sets the override by default, which makes it
impossible to enable autoexec via the userprefs.
I found the user prefs show python auto execution as enabled when
it's actually disabled in blender.

For example, if autoexec is enabled in the user prefs, opening a file
from the Ctrl+O menu will still disable script execution, but opening it
from the open file selector will enable it.

Rather than apply patches like this, I added an advanced build option
in CMake: WITH_PYTHON_SECURITY, r36363.

This build option is off by default and marked as advanced - but if
you want this as the default behavior you can enable it.

It makes python execution off by default on load, and disabled when
loading factory settings.
Other than the option being opt-in, the user preference works as
before: enabling it and then saving the user-defaults works as
expected for users who want to keep this on.

On Wed, Apr 27, 2011 at 5:08 PM, Jochen Schmitt <Jochen at herr-schmitt.de> wrote:
> Hallo,
>
> I was notified that the security issue CVE-2009-3850 still exists in
> blender-2.57.
>
> On bug #364291 on gut.gentoo.org the above patch was provided, which I want
> to forward to you.
>
> Best Regards:
>
> Jochen Schmitt
>
>
>
>
> @@ -, +, @@
>  --enable-autoexec|-y|-666  (CVE-2009-3850)
>  source/blender/blenkernel/intern/blender.c     |    3 ++-
>  source/blender/makesrna/intern/rna_userdef.c   |    9 ++++++---
>  source/blender/windowmanager/intern/wm_files.c |    3 ++-
>  source/creator/creator.c                       |   10 ++++++----
>  4 files changed, 16 insertions(+), 9 deletions(-)
> --- a/source/blender/blenkernel/intern/blender.c
> +++ a/source/blender/blenkernel/intern/blender.c
> @@ -141,7 +141,8 @@ void initglobals(void)
>     G.charmin = 0x0000;
>     G.charmax = 0xffff;
>
> -    G.f |= G_SCRIPT_AUTOEXEC;
> +    G.f &= ~G_SCRIPT_AUTOEXEC;
> +    G.f |= G_SCRIPT_OVERRIDE_PREF;  /* Disables turning
> G_SCRIPT_AUTOEXEC on from user prefs */
>  }
>
>  /***/
> --- a/source/blender/makesrna/intern/rna_userdef.c
> +++ a/source/blender/makesrna/intern/rna_userdef.c
> @@ -99,9 +99,12 @@ static void rna_userdef_show_manipulator_update(Main
> *bmain, Scene *scene, Point
>
>  static void rna_userdef_script_autoexec_update(Main *bmain, Scene
> *scene, PointerRNA *ptr)
>  {
> -    UserDef *userdef = (UserDef*)ptr->data;
> -    if (userdef->flag & USER_SCRIPT_AUTOEXEC_DISABLE)    G.f &=
> ~G_SCRIPT_AUTOEXEC;
> -    else                                                G.f |=
> G_SCRIPT_AUTOEXEC;
> +    if ((G.f & G_SCRIPT_OVERRIDE_PREF) == 0) {
> +        /* Blender run with --enable-autoexec */
> +        UserDef *userdef = (UserDef*)ptr->data;
> +        if (userdef->flag & USER_SCRIPT_AUTOEXEC_DISABLE)    G.f &=
> ~G_SCRIPT_AUTOEXEC;
> +        else                                                G.f |=
> G_SCRIPT_AUTOEXEC;
> +    }
>  }
>
>  static void rna_userdef_mipmap_update(Main *bmain, Scene *scene,
> PointerRNA *ptr)
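Review bot: The comment added inside the new `if` in rna_userdef_script_autoexec_update reads as a description of the branch body, but it really explains the condition, and the name G_SCRIPT_OVERRIDE_PREF gives no hint of `--enable-autoexec`. With this patch the bit is set in initglobals() and disable_python() and cleared only by enable_python(), so a reader of this function alone cannot see why a cleared bit means the option was passed. I would move the explanation above the test, e.g. `/* G_SCRIPT_OVERRIDE_PREF is set at startup and cleared only by --enable-autoexec; the pref is applied only then */`. The same one-line comment is added in the wm_init_userdef hunk in wm_files.c and needs the same wording.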
> --- a/source/blender/windowmanager/intern/wm_files.c
> +++ a/source/blender/windowmanager/intern/wm_files.c
> @@ -270,7 +270,8 @@ static void wm_init_userdef(bContext *C)
>
>     /* set the python auto-execute setting from user prefs */
>     /* enabled by default, unless explicitly enabled in the command
> line which overrides */
> -    if((G.f & G_SCRIPT_OVERRIDE_PREF) == 0) {
> +    if (! G.background && ((G.f & G_SCRIPT_OVERRIDE_PREF) == 0)) {
> +        /* Blender run with --enable-autoexec */
>         if ((U.flag & USER_SCRIPT_AUTOEXEC_DISABLE) == 0) G.f |=
> G_SCRIPT_AUTOEXEC;
>         else                                              G.f &=
> ~G_SCRIPT_AUTOEXEC;
>     }
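Review bot: The retained context comment still says "enabled by default", which contradicts the default this patch sets in initglobals(); it should be rewritten, e.g. `/* disabled by default; the user pref is applied only in a non-background session started with --enable-autoexec */`. The added `! G.background` test also skips this block for background runs, so with `-b -y` the bit set by enable_python() stays on even when the prefs carry USER_SCRIPT_AUTOEXEC_DISABLE. That assumes this is the only place the pref is applied, which the hunk does not show. If the asymmetry is intended for unattended rendering, it deserves a sentence in the comment. wm_init_userdef's body starts and ends outside the hunk.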
> --- a/source/creator/creator.c
> +++ a/source/creator/creator.c
> @@ -278,6 +278,7 @@ static int print_help(int UNUSED(argc), const char
> **UNUSED(argv), void *data)
>
>     printf("\n");
>
> +    BLI_argsPrintArgDoc(ba, "-666");
>     BLI_argsPrintArgDoc(ba, "--enable-autoexec");
>     BLI_argsPrintArgDoc(ba, "--disable-autoexec");
>
> @@ -359,14 +360,14 @@ static int end_arguments(int UNUSED(argc), const
> char **UNUSED(argv), void *UNUS
>  static int enable_python(int UNUSED(argc), const char **UNUSED(argv),
> void *UNUSED(data))
>  {
>     G.f |= G_SCRIPT_AUTOEXEC;
> -    G.f |= G_SCRIPT_OVERRIDE_PREF;
> +    G.f &= ~G_SCRIPT_OVERRIDE_PREF;  /* Enables turning
> G_SCRIPT_AUTOEXEC off from user prefs */
>     return 0;
>  }
>
>  static int disable_python(int UNUSED(argc), const char **UNUSED(argv),
> void *UNUSED(data))
>  {
>     G.f &= ~G_SCRIPT_AUTOEXEC;
> -    G.f |= G_SCRIPT_OVERRIDE_PREF;
> +    G.f |= G_SCRIPT_OVERRIDE_PREF;  /* Disables turning
> G_SCRIPT_AUTOEXEC on from user prefs */
>     return 0;
>  }
>
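Review bot: After this change enable_python() sets G_SCRIPT_AUTOEXEC but also clears G_SCRIPT_OVERRIDE_PREF, so the pref block in wm_init_userdef() (wm_files.c hunk) can clear G_SCRIPT_AUTOEXEC again when USER_SCRIPT_AUTOEXEC_DISABLE is set. `-y` therefore no longer forces execution on; it hands the decision to the user preference, while `-Y` still forces it off. Nothing in the function says so, and the help text in the setupArguments hunk still reads "Enable automatic python script execution". I would add `/* does not force autoexec on: clears the override so the user pref decides */` above the two assignments and word the help string to match.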
> @@ -1075,8 +1076,9 @@ static void setupArguments(bContext *C, bArgs *ba,
> SYS_SystemHandle *syshandle)
>
>     BLI_argsAdd(ba, 1, "-v", "--version", "\n\tPrint Blender version
> and exit", print_version, NULL);
>
> -    BLI_argsAdd(ba, 1, "-y", "--enable-autoexec", "\n\tEnable automatic
> python script execution (default)", enable_python, NULL);
> -    BLI_argsAdd(ba, 1, "-Y", "--disable-autoexec", "\n\tDisable
> automatic python script execution (pydrivers, pyconstraints, pynodes)",
> disable_python, NULL);
> +    BLI_argsAdd(ba, 1, NULL, "-666", "\n\tEnable automatic python
> script execution (port from CVE-2009-3850 patch to Blender 2.49b)",
> enable_python, NULL);
> +    BLI_argsAdd(ba, 1, "-y", "--enable-autoexec", "\n\tEnable automatic
> python script execution", enable_python, NULL);
> +    BLI_argsAdd(ba, 1, "-Y", "--disable-autoexec", "\n\tDisable
> automatic python script execution (pydrivers, pyconstraints, pynodes)
> (default)", disable_python, NULL);
>
>     BLI_argsAdd(ba, 1, "-b", "--background", "<file>\n\tLoad <file> in
> background (often used for UI-less rendering)", background_mode, NULL);
>
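Review bot: The `-666` alias registered here (and printed first in the print_help hunk) gives a security-relevant switch a second, unexplained spelling, and its help text cites patch history instead of describing behaviour. It is passed as the long name with a NULL short name, whereas the other calls in this hunk pass both, so it is worth confirming that BLI_argsAdd and BLI_argsPrintArgDoc handle that form. Unless existing wrappers depend on `-666`, I would drop this line and the matching `BLI_argsPrintArgDoc(ba, "-666");`, or at least reduce the help to `"\n\tAlias for --enable-autoexec"`. setupArguments continues outside the hunk.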
>
>



-- 
- Campbell

