Blender KMZ/KML Remote Command Execution Vulnerability

Bugtraq ID:	22770
Class:	Unknown
CVE:	CVE-2007-1253
Remote:	Yes
Local:	No
Published:	Mar 01 2007 12:00AM
Updated:	May 23 2007 09:37PM
Credit:	Stefan Cornelius of Secunia Research is credited with the discovery of this vulnerability.
Vulnerable:	Zoo-Blender kmz_ImportWithMesh.py 0.1.9 Zoo-Blender kmz_ImportWithMesh.py 0.1.9g Zoo-Blender kmz_ImportWithMesh.py 0.1.9f Zoo-Blender kmz_ImportWithMesh.py 0.1.9c Zoo-Blender kmz_ImportWithMesh.py 0.1.9b Pardus Linux 2007.1 Gentoo Linux Blender Blender 2.42a
Not Vulnerable:	Zoo-Blender kmz_ImportWithMesh.py 0.1.9h Blender Blender 2.43

Blender KMZ/KML Remote Command Execution Vulnerability

Blender is prone to a remote command-execution vulnerability.

An attacker could exploit this issue by enticing an unsuspecting victim to open a malicious file. A successful exploit will allow arbitrary Python commands to run within the privileges of the currently logged-in user.

Blender KMZ/KML Remote Command Execution Vulnerability

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].

Blender KMZ/KML Remote Command Execution Vulnerability

Solution:
The vendor released an update to address this issue. Please see the references for more information.

Blender KMZ/KML Remote Command Execution Vulnerability

References:

• Blender Homepage (Blender)
  
• Blender KML/KMZ Import Command Injection Vulnerability (Secunia )
  
• Secunia Research: kmz_ImportWithMesh.py Script for Blender Command Injection (Secunia)