[Bf-committers] Cisco's CVE reports handled

Ton Roosendaal ton at blender.org
Thu Jan 18 11:59:38 CET 2018


Hi everyone,

You've probably followed the discussion based on Cisco's security reports.
Here's the thread on our developer site:
https://developer.blender.org/T52924

Last week Cisco posted the full list on their blog, with a quite negative statement that "we declined to address the issues". I've asked Cisco to update that blog post or at least post my reply; nothing has happened so far.

http://blog.talosintelligence.com/2018/01/unpatched-blender-vulns.html

With the issue being picked up by news websites, the pressure to handle the reports became much more urgent. Also because we were planning a bug-fix 2.79a release this month.

I'm happy to report that Brecht Van Lommel took the effort to handle all of the reported issues in Blender in the past 4 days. You can see the commits related to this at this URL:

https://lists.blender.org/pipermail/bf-blender-cvs/2018-January/date.html
(Search for malloc_array)

Also thanks to Sergey and Campbell for reviewing it.
A testbuild for 2.79a is being made now (this week?). Official release then happens shortly after.

Please note it doesn't mean Blender is anything like "safe" now. It remains important to only open Blender files from trusted sources. We still think that real and sensible security (if you want .blend files to be safe to spread anonymously) is a project with a magnitude that's outside of the scope of what we can handle. For that we welcome contributions from the industry!

Thanks,

-Ton-

--------------------------------------------------------
Ton Roosendaal  -  ton at blender.org   -   www.blender.org
Chairman Blender Foundation, Director Blender Institute
Entrepotdok 57A, 1018 AD, Amsterdam, the Netherlands
