CVE-2005-4470 - Unspecified vulnerability in Blender Blenloader

Summary

Heap-based buffer overflow in the get_bhead function in readfile.c in Blender BlenLoader 2.0 through 2.40pre allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a .blend file with a negative bhead.len value, which causes less memory to be allocated than expected, possibly due to an integer overflow.
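The failure mode described above is a signed length field trusted before it sizes an allocation. The following is an added illustration, not Blender's code: `check_block_header` parses a simplified, assumed BHead-like record (4-byte code, signed 32-bit `len`, then `len` bytes of payload) and rejects a negative or oversized `len` before any allocation arithmetic, `block_node_size` refuses a sum that would wrap, and `check_constructed` builds a constructed sample header so the checks can be exercised; the 64 MiB bound is an assumed limit.

```c
/* Added example, not Blender's code. The header layout is a simplified,
 * assumed stand-in for a BHead record: 4-byte code, signed 32-bit len,
 * then len bytes of payload. The point is to validate len before use. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BLOCK_LEN (64u * 1024u * 1024u)  /* assumed sane upper bound, 64 MiB */

struct block_header {
    char    code[4];
    int32_t len;   /* signed on disk: a negative value is the hazard */
};

enum hdr_status { HDR_OK = 0, HDR_TRUNCATED, HDR_NEGATIVE_LEN, HDR_TOO_LARGE };

/* Parse a header from buf and check len against the bytes actually present.
 * On HDR_OK, *out_len receives the payload length as an unsigned size. */
enum hdr_status check_block_header(const unsigned char *buf, size_t buf_len,
                                   size_t *out_len)
{
    struct block_header h;
    if (buf_len < sizeof h)
        return HDR_TRUNCATED;
    memcpy(&h, buf, sizeof h);           /* avoids an unaligned access */
    /* A negative len fed into sizeof(node) + len shrinks the allocation while
     * a later read still trusts len, so reject it before any arithmetic. */
    if (h.len < 0)
        return HDR_NEGATIVE_LEN;
    size_t len = (size_t)h.len;
    if (len > MAX_BLOCK_LEN)
        return HDR_TOO_LARGE;
    if (len > buf_len - sizeof h)        /* payload must fit the file */
        return HDR_TRUNCATED;
    *out_len = len;
    return HDR_OK;
}

/* Size of a node holding one validated block; 0 means the sum would wrap. */
size_t block_node_size(size_t payload_len, size_t node_overhead)
{
    if (payload_len > MAX_BLOCK_LEN || node_overhead > SIZE_MAX - payload_len)
        return 0;
    return node_overhead + payload_len;
}

/* Constructed sample: a header with the given len inside a total-byte buffer
 * (capped at 64), written in host byte order, then checked. */
enum hdr_status check_constructed(int32_t len, size_t total)
{
    unsigned char buf[64] = { 'D', 'A', 'T', 'A' };
    size_t n = 0;
    if (total > sizeof buf) total = sizeof buf;
    memcpy(buf + 4, &len, sizeof len);
    return check_block_header(buf, total, &n);
}
```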

Risk level

High (CVSS 7.5)

Related Security News

Linux Advisory Watch - April 28th 2006
2006-05-01 05h41

LinuxSecurity.com Weekly Newsletter
April 28th, 2006 Volume 7, Number 18n
Editorial Team: Dave Wreski dave () linuxsecurity com, Benjamin D. Thomas ben () linuxsecurity com

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, advisories were released for zgv, xzgv, blender, gdm, abc2ps, SASL, abcmidi, Mozilla, OpenVPN, kernel, gnome-pilot, qt, tzdata, procps, procinfo, beagle, jwhois, cscope, ethereal, system-config-data, pygtk, crossfire, fbida, dia, xine-ui, php, mozilla-firefox, ruby, module-init-tools, thunderbird, and ipsec-tools. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, SuSE.

---

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.
http://www.engardelinux.org/modules/index/register.cgi

---

Introduction: Buffer Overflow Vulnerabilities

In exploiting the buffer overflow vulnerability, the main objective is to overwrite some control information in order to change the flow of control in the program. The usual way of taking advantage of this is to modify the control information to give authority to code provided by the attacker to take control.

According to Shaneck, "The most widespread type of exploit is called 'Smashing the Stack' and involves overwriting the return address stored on the stack to transfer control to code placed either in the buffer, or past the end of the buffer." (Shaneck, 2003) The stack is a section of memory used for temporary storage of information. In a stack-based buffer overflow attack, the attacker adds more data than expected to the stack, overwriting data. Farrow explains this in an example, "Let's say that a program is executing and reaches the stage where it expects to use a postal code or zip code, which it gets from a Web-based form that customers filled out." (Farrow, 2002) The longest postal code is fewer than twelve characters, but on the web form, the attacker typed in the letter "A" 256 times, followed by some other commands. The data overflows the buffer allotted for the zip code and the attacker's commands fall into the stack. After a function is called, the address of the instruction following the function call is pushed onto the stack to be saved so that the function knows where to return control when it is finished. A buffer overflow allows the attacker to change the return address of a function to a point in memory where they have already inserted executable code. Then control can be transferred to the malicious attack code contained within the buffer, called the payload (Peikari and Chuvakin, 2004). The payload is normally a command to allow remote access or some other command that would get the attacker closer to having control of the system. As Holden explains, "a computer is flooded with more information than it can handle, and some of it may contain instructions that could damage files on the computer or disclose information that is normally protected- or give the hacker root access to the system." (Holden, 2004) The best defense against any of these attacks is to have perfect programs.

In ideal circumstances, every input in every program would do bounds checks to allow only a given number of characters. Therefore, the best way to deal with buffer overflow problems is to not allow them to occur in the first place. Unfortunately, not all programs are perfect and some have bugs that permit the attacks discussed in this paper. As described by Farrow, "because programs are not perfect, programmers have come up with schemes to defend against buffer overflow attacks." (Farrow, 2002) One technique entails forcing the computer to use the stack and the heap for data only and to never execute any instructions found there. This approach can work for UNIX systems, but it can't be used on Windows systems. Farrow describes another scheme using a canary to protect against buffer overflows, but only the kind that overwrite the stack. (Farrow, 2002) The stack canary protects the stack by being put in sensitive locations in memory like the return address (that tells the computer where to find the next commands to execute after it completes its current function). As described by Farrow, "before return addresses get used, the program checks to see if the canary is okay." (Farrow, 2002) If the canary has been hit, the program then quits because it knows that something has gone wrong. As a user of the programs, the best countermeasure is to make sure your systems are fully patched in order to protect yourself from exploits targeting vulnerabilities.

Read Full Article: http://www.linuxsecurity.com/content/view/118881/49/

---

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.
http://www.linuxsecurity.com/content/view/121560/65/

---

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
http://www.linuxsecurity.com/content/view/119087/49/

---

Take advantage of the LinuxSecurity.com Quick Reference Card!
http://www.linuxsecurity.com/docs/QuickRefCard.pdf

Distribution: Debian
--------------------

* Debian: New zgv packages fix arbitrary code execution
  21st, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122512

* Debian: New xzgv packages fix arbitrary code execution
  22nd, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122518

* Debian: New blender packages fix several vulnerabilities
  24th, April, 2006
  Several vulnerabilities have been discovered in blender, a very fast and versatile 3D modeller/renderer. The Common Vulnerability and Exposures Project identifies the following problems: CVE-2005-3302, CVE-2005-4470
  http://www.linuxsecurity.com/content/view/122526

* Debian: New gdm packages fix local root exploit
  24th, April, 2006
  A vulnerability has been identified in gdm, a display manager for X, that could allow a local attacker to gain elevated privileges by exploiting a race condition in the handling of the .ICEauthority file.
  http://www.linuxsecurity.com/content/view/122527

* Debian: New abc2ps packages fix arbitrary code execution
  25th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122544

* Debian: New Cyrus SASL packages fix denial of service
  25th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122564

* Debian: New abcmidi packages fix arbitrary code execution
  26th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122571

* Debian: New Mozilla Firefox packages fix several vulnerabilities
  26th, April, 2006
  Several security related problems have been discovered in Mozilla Firefox.
  http://www.linuxsecurity.com/content/view/122578

* Debian: New Mozilla Firefox packages fix several vulnerabilities
  26th, April, 2006
  http://www.linuxsecurity.com/content/view/122581

* Debian: New OpenVPN packages fix arbitrary code execution
  27th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122591

* Debian: New Mozilla packages fix several vulnerabilities
  27th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122592

Distribution: Fedora
--------------------

* Fedora Core 4 Update: kernel-2.6.16-1.2096_FC4
  20th, April, 2006
  This update includes a number of security issues that have been fixed upstream over the last week or so.
  http://www.linuxsecurity.com/content/view/122490

* Fedora Core 4 Update: kernel-2.6.16-1.2096_FC4
  20th, April, 2006
  This update includes a number of security issues that have been fixed upstream over the last week or so.
  http://www.linuxsecurity.com/content/view/122491

* Fedora Core 5 Update: gnome-pilot-2.0.13-7.fc5.6
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122492

* Fedora Core 4 Update: gnome-pilot-2.0.13-5.fc4.2
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122493

* Fedora Core 4 Update: qt-3.3.4-15.5
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122494

* Fedora Core 5 Update: tzdata-2006d-1.fc5
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122495

* Fedora Core 4 Update: tzdata-2006d-1.fc4
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122496

* Fedora Core 5 Update: procps-3.2.6-3.3
  21st, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122506

* Fedora Core 5 Update: procinfo-18-18.2.2
  21st, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122507

* Fedora Core 5 Update: gnome-user-share-0.9-4
  21st, April, 2006
  Fixes login when using password.
  http://www.linuxsecurity.com/content/view/122508

* Fedora Core 5 Update: beagle-0.2.5-1.fc5.1
  21st, April, 2006
  This upgrade to 0.2.5 fixes various bugs, including making the firefox extension work again. It also contains fixes for a minor security issue where you could inject command line arguments into the indexer helpers.
  http://www.linuxsecurity.com/content/view/122509

* Fedora Core 4 Update: jwhois-3.2.3-3.3.fc4.1
  21st, April, 2006
  Updates jwhois to 3.2.3 and updates the default configuration.
  http://www.linuxsecurity.com/content/view/122510

* Fedora Core 5 Update: cscope-15.5-13.3
  21st, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122513

* Fedora Core 5 Update: ethereal-0.99.0-fc5.1
  25th, April, 2006
  Many security vulnerabilities have been fixed since the previous release.
  http://www.linuxsecurity.com/content/view/122561

* Fedora Core 4 Update: ethereal-0.99.0-fc4.1
  26th, April, 2006
  Many security vulnerabilities have been fixed since the previous release.
  http://www.linuxsecurity.com/content/view/122574

* Fedora Core 4 Update: system-config-date-1.8.3-0.fc4.1
  26th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122586

* Fedora Core 5 Update: system-config-date-1.8.3-0.fc5.1
  26th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122587

* Fedora Core 5 Update: pygtk2-2.8.6-0.fc5.1
  26th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122588

Distribution: Gentoo
--------------------

* Gentoo: Cyrus-SASL DIGEST-MD5 Pre-Authentication Denial of Service
  21st, April, 2006
  Cyrus-SASL contains a vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service.
  http://www.linuxsecurity.com/content/view/122498

* Gentoo: zgv, xzgv Heap overflow
  21st, April, 2006
  xzgv and zgv attempt to decode JPEG images within the CMYK/YCCK colour space incorrectly, potentially resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122499

* Gentoo: Crossfire server Denial of Service and potential
  22nd, April, 2006
  The Crossfire game server is vulnerable to a Denial of Service and potentially to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122519

* Gentoo: Mozilla Firefox Multiple vulnerabilities
  23rd, April, 2006
  Several vulnerabilities in Mozilla Firefox allow attacks ranging from execution of script code with elevated privileges to information leaks.
  http://www.linuxsecurity.com/content/view/122520

* Gentoo: fbida Insecure temporary file creation
  23rd, April, 2006
  fbida is vulnerable to linking attacks, potentially allowing a local user to overwrite arbitrary files.
  http://www.linuxsecurity.com/content/view/122521

* Gentoo: Dia Arbitrary code execution through XFig import
  23rd, April, 2006
  Buffer overflows in Dia's XFig import could allow remote attackers to execute arbitrary code.
  http://www.linuxsecurity.com/content/view/122522

* Gentoo: xine-ui Format string vulnerabilities
  26th, April, 2006
  Format string vulnerabilities in xine-ui may lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122579

* Gentoo: xine-lib Buffer overflow vulnerability
  26th, April, 2006
  xine-lib contains a buffer overflow vulnerability which may lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122580

* Gentoo: Ethereal Multiple vulnerabilities in protocol dissectors
  27th, April, 2006
  Ethereal is vulnerable to numerous vulnerabilities, potentially resulting in the execution of arbitrary code.
  http://www.linuxsecurity.com/content/view/122590

Distribution: Mandriva
----------------------

* Mandriva: Updated cyrus-sasl packages address vulnerability
  24th, April, 2006
  A vulnerability in the CMU Cyrus Simple Authentication and Security Layer (SASL) library < 2.1.21, has an unknown impact and remote unauthenticated attack vectors, related to DIGEST-MD5 negotiation.
  http://www.linuxsecurity.com/content/view/122541

* Mandriva: Updated php packages address multiple vulnerabilities.
  24th, April, 2006
  A cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP <= 5.1.2 allows remote attackers to inject arbitrary web script or HTML via long array variables, including (1) a large number of dimensions or (2) long values, which prevents HTML tags from being removed.
  http://www.linuxsecurity.com/content/view/122542

* Mandriva: Updated mozilla-firefox packages fix numerous vulnerabilities
  25th, April, 2006
  A number of vulnerabilities have been discovered in the Mozilla Firefox browser that could allow a remote attacker to craft malicious web pages that could take advantage of these issues to execute arbitrary code with elevated privileges, spoof content, and steal local files, cookies, or other information from web pages.
  http://www.linuxsecurity.com/content/view/122543

* Mandriva: Updated mozilla packages fix numerous vulnerabilities
  25th, April, 2006
  A number of vulnerabilities have been discovered in the Mozilla Suite that could allow a remote attacker to craft malicious web pages that could take advantage of these issues to execute arbitrary code with elevated privileges, spoof content, and steal local files, cookies, or other information from web pages.
  http://www.linuxsecurity.com/content/view/122565

* Mandriva: Updated ethereal packages fix numerous vulnerabilities
  25th, April, 2006
  A number of vulnerabilities have been discovered in the Ethereal network analyzer. These issues have been corrected in Ethereal version 0.99.0 which is provided with this update.
  http://www.linuxsecurity.com/content/view/122566

* Mandriva: Updated mozilla-thunderbird packages fix numerous vulnerabilities
  25th, April, 2006
  A number of vulnerabilities have been discovered in the Mozilla Thunderbird email client that could allow a remote attacker to craft malicious web emails that could take advantage of these issues to execute arbitrary code with elevated privileges, spoof content, and steal local files, or other information.
  http://www.linuxsecurity.com/content/view/122567

* Mandriva: Updated ruby packages fix vulnerability
  25th, April, 2006
  A vulnerability in how ruby's HTTP module uses blocking sockets was reported by Yukihiro Matsumoto. By sending large amounts of data to a server application using this module, a remote attacker could exploit it to render the application unusable and not respond to other client requests.
  http://www.linuxsecurity.com/content/view/122570

* Mandriva: Updated module-init-tools packages fix CUPS-related bug
  27th, April, 2006
  The default configuration of module-init-tools was to send a HUP signal to the CUPS daemon whenever the "usblp" kernel module is loaded, for example when a USB printer is plugged in. Due to udev also sending a HUP signal to the CUPS daemon on plugging in a USB printer, there were two HUPs one shortly after the other, which often made the CUPS daemon crash.
  http://www.linuxsecurity.com/content/view/122589

Distribution: Red Hat
---------------------

* RedHat: Critical: thunderbird security update
  21st, April, 2006
  An updated thunderbird package that fixes various bugs is now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122511

* RedHat: Moderate: ipsec-tools security update
  25th, April, 2006
  Updated ipsec-tools packages that fix a bug in racoon are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122550

* RedHat: Moderate: php security update
  25th, April, 2006
  Updated PHP packages that fix multiple security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/122551

Distribution: SuSE
------------------

* SuSE: Mozilla Firefox, Mozilla Suite
  20th, April, 2006
  Updated package.
  http://www.linuxsecurity.com/content/view/122489

* SuSE: MozillaThunderbird various problems
  25th, April, 2006
  Multiple vulnerabilities fixed.
  http://www.linuxsecurity.com/content/view/122549

Distributed by: Guardian Digital, Inc. LinuxSecurity.com