author | Sebastian Pipping <sping@gentoo.org> | 2011-04-21 09:15:32 +0000 |
---|---|---|
committer | Sebastian Pipping <sping@gentoo.org> | 2011-04-21 09:15:32 +0000 |
commit | e23349ff0eee5ecab2e8309bdbd57b33631c3254 (patch) | |
tree | 2954d09faa021f8aaf991901c948981dfbd7fb2e /media-gfx | |
parent | Add glade/libx86 dep #364061 by Robert Cernansky. (diff) | |
media-gfx/blender: Integrate patch for CVE-2009-3850 (bug #293130)
(Portage version: 2.1.9.46/cvs/Linux x86_64)
Diffstat (limited to 'media-gfx')
-rw-r--r-- | media-gfx/blender/ChangeLog | 8 | ||||
-rw-r--r-- | media-gfx/blender/blender-2.49b-r1.ebuild | 174 | ||||
-rw-r--r-- | media-gfx/blender/files/blender-2.49b-CVE-2009-3850-v3.patch | 105 |
3 files changed, 286 insertions, 1 deletions
diff --git a/media-gfx/blender/ChangeLog b/media-gfx/blender/ChangeLog index c6906210b4a1..1673c729272d 100644 --- a/media-gfx/blender/ChangeLog +++ b/media-gfx/blender/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for media-gfx/blender # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/media-gfx/blender/ChangeLog,v 1.187 2011/03/28 02:08:35 lu_zero Exp $ +# $Header: /var/cvsroot/gentoo-x86/media-gfx/blender/ChangeLog,v 1.188 2011/04/21 09:15:32 sping Exp $ + +*blender-2.49b-r1 (21 Apr 2011) + + 21 Apr 2011; Sebastian Pipping <sping@gentoo.org> +blender-2.49b-r1.ebuild, + +files/blender-2.49b-CVE-2009-3850-v3.patch: + Integrate patch for CVE-2009-3850 (bug #293130) 27 Mar 2011; Luca Barbato <lu_zero@gentoo.org> blender-2.48a-r3.ebuild, blender-2.49a.ebuild, blender-2.49b.ebuild: diff --git a/media-gfx/blender/blender-2.49b-r1.ebuild b/media-gfx/blender/blender-2.49b-r1.ebuild new file mode 100644 index 000000000000..420a3c11ae61 --- /dev/null +++ b/media-gfx/blender/blender-2.49b-r1.ebuild 
@@ -0,0 +1,174 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-gfx/blender/blender-2.49b-r1.ebuild,v 1.1 2011/04/21 09:15:32 sping Exp $
+
+EAPI=2
+
+inherit multilib eutils python
+
+IUSE="blender-game ffmpeg nls ogg openmp verse openal"
+
+DESCRIPTION="3D Creation/Animation/Publishing System"
+HOMEPAGE="http://www.blender.org/"
+SRC_URI="http://download.blender.org/source/${P}.tar.gz"
+
+SLOT="0"
+LICENSE="|| ( GPL-2 BL BSD )"
+KEYWORDS="~amd64 ~ppc ~ppc64 ~sparc ~x86"
+
+RDEPEND="ffmpeg? ( virtual/ffmpeg[encode,theora] )
+ media-libs/openjpeg
+ media-libs/tiff
+ >=dev-lang/python-2.5
+ nls? ( >=media-libs/freetype-2.0
+ virtual/libintl
+ >=media-libs/ftgl-2.1 )
+ openal? ( >=media-libs/openal-1.6.372
+ >=media-libs/freealut-1.1.0-r1 )
+ media-libs/openexr
+ media-libs/libpng
+ blender-game? ( >=media-libs/libsdl-1.2[joystick] )
+ >=media-libs/libsdl-1.2
+ ogg? ( media-libs/libogg )
+ virtual/jpeg
+ virtual/opengl"
+DEPEND=">=dev-util/scons-0.98
+ sys-devel/gcc[openmp?]
+ x11-base/xorg-server + ${RDEPEND}" + +blend_with() { + local UWORD="$2" + if [ -z "${UWORD}" ]; then + UWORD="$1" + fi + if useq $1; then + echo "WITH_BF_${UWORD}=1" | tr '[:lower:]' '[:upper:]' \ + >> "${S}"/user-config.py + else + echo "WITH_BF_${UWORD}=0" | tr '[:lower:]' '[:upper:]' \ + >> "${S}"/user-config.py + fi +} + +src_prepare() { + epatch "${FILESDIR}"/blender-2.48a-CVE-2008-4863.patch + epatch "${FILESDIR}"/${PN}-2.37-dirs.patch + epatch "${FILESDIR}"/${PN}-2.44-scriptsdir.patch + epatch "${FILESDIR}"/${PN}-2.49a-sys-openjpeg.patch + epatch "${FILESDIR}"/${PN}-2.49b-CVE-2009-3850-v3.patch + rm -f "${S}/release/scripts/bpymodules/"*.pyc +} + +src_configure() { + + # add ffmpeg info to the scons build info + cat <<- EOF >> "${S}"/user-config.py + BF_FFMPEG="/usr" + BF_FFMPEG_LIB="avdevice avformat avcodec swscale avutil" + EOF + + # set python version to current version in use + cat <<- EOF >> "${S}"/user-config.py + BF_PYTHON_VERSION="$(python_get_version)" + BF_PYTHON_INC="$(python_get_includedir)" + BF_PYTHON_BINARY="$(PYTHON -a)" + BF_PYTHON_LIB="python$(python_get_version)" + EOF + + # add system openjpeg into scons build. + cat <<- EOF >> "${S}"/user-config.py + BF_OPENJPEG = "/usr" + BF_OPENJPEG_INC = "/usr/include" + BF_OPENJPEG_LIB = "openjpeg" + EOF + + #set CFLAGS used in /etc/make.conf correctly + + echo "CFLAGS= [`for i in ${CFLAGS[@]}; do printf "%s \'$i"\',; done`] " \ + | sed -e "s:,]: ]:" >> "${S}"/user-config.py + + echo "CXXFLAGS= [`for i in ${CFLAGS[@]}; do printf "%s \'$i"\',; done`]" \ + | sed -e "s:,]: ]:" >> "${S}"/user-config.py + + # check for blender-game USE flag. + # blender-game will merge with blenderplayer. + + for arg in \ + 'openal'\ + 'ffmpeg' \ + 'blender-game player' \ + 'blender-game gameengine' \ + 'nls international' \ + 'ogg' \ + 'openmp' \ + 'verse' ; do + blend_with ${arg} + done +} + +src_compile() { + # scons uses -l differently -> remove it + scons ${MAKEOPTS/-l[0-9]} || die \ + '!!! 
Please add "${S}/scons.config" when filing bugs reports \ + to bugs.gentoo.org' + + cd "${WORKDIR}"/install/linux2/plugins + chmod 755 bmake + emake || die +} + +src_install() { + exeinto /usr/bin/ + doexe "${WORKDIR}"/install/linux2/blender + use blender-game && doexe "${WORKDIR}"/install/linux2/blenderplayer + + dodir /usr/share/${PN} + + exeinto /usr/$(get_libdir)/${PN}/textures + doexe "${WORKDIR}"/install/linux2/plugins/texture/*.so + exeinto /usr/$(get_libdir)/${PN}/sequences + doexe "${WORKDIR}"/install/linux2/plugins/sequence/*.so + insinto /usr/include/${PN} + doins "${WORKDIR}"/install/linux2/plugins/include/*.h + + if use nls ; then + mv "${WORKDIR}"/install/linux2/.blender/{.Blanguages,.bfont.ttf} \ + "${D}"/usr/share/${PN} + mv "${WORKDIR}"/install/linux2/.blender/locale \ + "${D}"/usr/share/locale + fi + + mv "${WORKDIR}"/install/linux2/.blender/scripts "${D}"/usr/share/${PN} + + insinto /usr/share/pixmaps + doins "${WORKDIR}"/install/linux2/icons/scalable/blender.svg + insinto /usr/share/applications + doins "${FILESDIR}"/${PN}.desktop + + dodoc INSTALL README + dodoc "${WORKDIR}"/install/linux2/BlenderQuickStart.pdf + +} + +pkg_preinst(){ + if [ -h "${ROOT}/usr/$(get_libdir)/blender/plugins/include" ]; + then + rm -f "${ROOT}"/usr/$(get_libdir)/blender/plugins/include + fi +} + +pkg_postinst(){ + elog "blender uses python integration. As such, may have some" + elog "inherit risks with running unknown python scripting." + elog " " + elog "CVE-2008-1103-1.patch has been removed as it interferes" + elog "with autosave undo features. Up stream blender coders" + elog "have not addressed the CVE issue as the status is still" + elog "a CANDIDATE and not CONFIRMED." + elog " " + elog "It is recommended to change your blender temp directory" + elog "from /tmp to ~tmp or another tmp file under your home" + elog "directory. This can be done by starting blender, then" + elog "dragging the main menu down do display all paths." +} 
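Review bot: pkg_postinst never tells the user that this revision turns automatic Python script execution off by default, nor that the added patch introduces `-666` to turn it back on; the elog text still only discusses CVE-2008-1103 and the temp directory. Files that depend on scriptlinks, pydrivers, pyconstraints or pynodes will change behaviour after the upgrade with no hint why, which tends to push users toward enabling the switch permanently. I would add lines such as `elog "Automatic execution of Python scripts embedded in .blend files is now"`, `elog "disabled by default (CVE-2009-3850); start blender with -666 to enable it"` and `elog "only for files you trust."`. Separately, in src_configure the `CXXFLAGS=` line iterates over `${CFLAGS[@]}`, so the user's CXXFLAGS are never written to user-config.py.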
diff --git a/media-gfx/blender/files/blender-2.49b-CVE-2009-3850-v3.patch b/media-gfx/blender/files/blender-2.49b-CVE-2009-3850-v3.patch
new file mode 100644
index 000000000000..9cf17a5b7c2e
--- /dev/null
+++ b/media-gfx/blender/files/blender-2.49b-CVE-2009-3850-v3.patch
@@ -0,0 +1,105 @@ +From 072e11130a2f96642972b0d4ac7ad2a9cd19fbf2 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Wed, 20 Apr 2011 16:42:17 +0200 +Subject: [PATCH] Flip default of "Auto Run Python Scripts" to disabled + (CVE-2009-3850) + +Manual overriding through new parameter -666 is supported +--- + source/blender/blenkernel/intern/blender.c | 11 ++++++++++- + source/blender/python/api2_2x/sceneRender.c | 3 ++- + source/creator/creator.c | 14 ++++++++++---- + 3 files changed, 22 insertions(+), 6 deletions(-) + +diff --git a/source/blender/blenkernel/intern/blender.c b/source/blender/blenkernel/intern/blender.c +index bf208c8..029b7cf 100644 +--- a/source/blender/blenkernel/intern/blender.c ++++ b/source/blender/blenkernel/intern/blender.c +@@ -388,7 +388,16 @@ static void setup_app_data(BlendFileData *bfd, char *filename) + if (G.f & G_DEBUG) bfd->globalf |= G_DEBUG; + else bfd->globalf &= ~G_DEBUG; + +- if ((U.flag & USER_DONT_DOSCRIPTLINKS)) bfd->globalf &= ~G_DOSCRIPTLINKS; ++ if (G.f & G_DOSCRIPTLINKS) { ++ /* Blender running in -666 mode */ ++ /* NOTE: In background mode U.flag has not been initialized from ~/.B.blend */ ++ if (! 
G.background && (U.flag & USER_DONT_DOSCRIPTLINKS)) ++ /* Prefer disabled "Auto Run Python Scripts" over -666 */ ++ bfd->globalf &= ~G_DOSCRIPTLINKS; ++ } else { ++ /* Blender NOT running in -666 mode, deny pulling G_DOSCRIPTLINKS in */ ++ bfd->globalf &= ~G_DOSCRIPTLINKS; ++ } + + G.f= bfd->globalf; + +diff --git a/source/blender/python/api2_2x/sceneRender.c b/source/blender/python/api2_2x/sceneRender.c +index 1bf2b75..e34a361 100644 +--- a/source/blender/python/api2_2x/sceneRender.c ++++ b/source/blender/python/api2_2x/sceneRender.c +@@ -498,7 +498,8 @@ static PyObject *RenderData_Render( BPy_RenderData * self ) + + RE_BlenderFrame(re, G.scene, G.scene->r.cfra); + +- BPY_do_all_scripts(SCRIPT_POSTRENDER, 0); ++ if (G.f & G_DOSCRIPTLINKS) ++ BPY_do_all_scripts(SCRIPT_POSTRENDER, 0); + + set_scene_bg( oldsce ); + } +diff --git a/source/creator/creator.c b/source/creator/creator.c +index a562fc3..994180d 100644 +--- a/source/creator/creator.c ++++ b/source/creator/creator.c +@@ -232,7 +232,8 @@ static void print_help(void) + printf (" -nojoystick\tDisable joystick support\n"); + printf (" -noglsl\tDisable GLSL shading\n"); + printf (" -h\t\tPrint this help text\n"); +- printf (" -y\t\tDisable automatic python script execution (scriptlinks, pydrivers, pyconstraints, pynodes)\n"); ++ printf (" -666\t\tEnables automatic python script execution (scriptlinks, pydrivers, pyconstraints, pynodes)\n"); ++ printf (" -y\t\tDisable automatic python script execution (scriptlinks, pydrivers, pyconstraints, pynodes) (default)\n"); + printf (" -P <filename>\tRun the given Python script (filename or Blender Text)\n"); + #ifdef WIN32 + printf (" -R\t\tRegister .blend extension\n"); +@@ -366,7 +367,7 @@ int main(int argc, char **argv) + + /* first test for background */ + +- G.f |= G_DOSCRIPTLINKS; /* script links enabled by default */ ++ G.f &= ~G_DOSCRIPTLINKS; /* script links disabled by default */ + + for(a=1; a<argc; a++) { + +@@ -388,6 +389,10 @@ int main(int argc, char **argv) 
+ exit(0);
+ }
+
++ if (!strcmp(argv[a], "-666")){
++ G.f |= G_DOSCRIPTLINKS;
++ }
++
+ /* Handle -* switches */
+ else if(argv[a][0] == '-') {
+ switch(argv[a][1]) {
+@@ -405,7 +410,7 @@ int main(int argc, char **argv)
+ a= argc;
+ break;
+
+- case 'y':
++ case 'y': /* NOTE: -y works the exact opposite way in version 2.57! */
+ G.f &= ~G_DOSCRIPTLINKS;
+ break;
+
+@@ -680,7 +685,8 @@ int main(int argc, char **argv)
+ #endif
+ RE_BlenderAnim(re, G.scene, frame, frame, G.scene->frame_step);
+ #ifndef DISABLE_PYTHON
+- BPY_do_all_scripts(SCRIPT_POSTRENDER, 0);
++ if (G.f & G_DOSCRIPTLINKS)
++ BPY_do_all_scripts(SCRIPT_POSTRENDER, 0);
+ #endif
+ }
+ } else {
+--
+1.7.5.rc1
+ |
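Review bot: In setup_app_data the test `if (G.f & G_DOSCRIPTLINKS)` treats the live flag as proof that -666 was given, yet `G.f= bfd->globalf;` a few lines later replaces it with the value stored in the file, so as far as the hunk shows the opt-in is lost for the rest of the session once a file saved without the flag is loaded. That fails closed, which is the safe direction, but it should be stated where the decision is made, e.g. `/* G.f is overwritten from bfd->globalf below: -666 stops applying after a file saved without G_DOSCRIPTLINKS is loaded */`. The same comment block should say that with -666 in background mode USER_DONT_DOSCRIPTLINKS is not consulted, so the file's own saved flag alone decides whether its scripts run. Only the two SCRIPT_POSTRENDER call sites gain a guard here; whether the other script entry points named in the help text already check G_DOSCRIPTLINKS cannot be seen from these hunks and is worth confirming. setup_app_data, RenderData_Render and main all extend beyond the hunks.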