After the recent security report by Cisco about integer overflow vulnerabilities in Blender, the Blender developers started working on the issues. Here is a report on the fixes.
Ton Roosendaal writes:
In the past 4 days Brecht Van Lommel has provided fixes for the vulnerabilities reported by Cisco in Blender.
The fixes were reviewed by the other core team members, especially by Campbell Barton and Sergey Sharybin. The 30+ commits with the fixes start with this log. Here is the link to all commit logs of this month, just scroll down to the end.
In short: what's fixed is the vulnerability for integer overflows based on settings saved in .blend files, and vulnerabilities in our code for reading image files.
Please note it doesn't mean Blender is anything like "safe" now. It remains important to only open Blender files from trusted sources. We still think that real and sensible security (if you want .blend files safe to be spread anonymously) is a project with a magnitude that's outside of the scope of what we can handle. For that we welcome contributions from the industry!
A Blender 2.79a release is expected this month.
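The bug class described above (an allocation size computed from dimensions or element counts read out of a file, which wraps when multiplied, so the buffer is far smaller than the data later written into it), as an added example that is not Blender's own code and does not reproduce any specific Blender fix. The `ImageHeader` layout, the `MAX_IMAGE_BYTES` cap, the function names and the in-memory "file" are all assumptions constructed for illustration; the same checked-multiply pattern applies to a count-times-element-size computation taken from a .blend file.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical 12-byte image header, as an untrusted file would supply it.
 * Constructed for this example; not Blender's real image or .blend format. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t channels;   /* bytes per pixel */
} ImageHeader;

/* Assumed sanity cap on a single decoded image (1 GiB). */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)

/* Vulnerable pattern: a 32-bit multiply of file-controlled values.
 * 65536 * 65536 * 1 wraps to 0, so a later malloc(0) is followed by
 * a copy loop that still believes it has 4 GiB of pixels to write. */
size_t unsafe_pixel_bytes(const ImageHeader *h)
{
    uint32_t n = h->width * h->height * h->channels;
    return (size_t)n;
}

/* Hardened: reject zero/absurd fields, check each multiply against
 * SIZE_MAX before performing it, and enforce an absolute cap. */
int safe_pixel_bytes(const ImageHeader *h, size_t *out)
{
    if (h->width == 0 || h->height == 0 || h->channels == 0 || h->channels > 4)
        return 0;
    if (h->width > SIZE_MAX / h->height)
        return 0;
    size_t px = (size_t)h->width * h->height;
    if (px > SIZE_MAX / h->channels)
        return 0;
    size_t bytes = px * h->channels;
    if (bytes > MAX_IMAGE_BYTES)
        return 0;
    *out = bytes;
    return 1;
}

/* Reader over an in-memory "file": header followed by pixel data.
 * Also checks that the file actually contains the bytes the header
 * promises, so a truncated payload cannot cause an over-read.
 * Little-endian host assumed for the raw memcpy of the header. */
unsigned char *load_image(const unsigned char *buf, size_t len, size_t *out_len)
{
    ImageHeader h;
    size_t bytes;
    if (len < sizeof h)
        return NULL;
    memcpy(&h, buf, sizeof h);
    if (!safe_pixel_bytes(&h, &bytes))
        return NULL;
    if (len - sizeof h < bytes)   /* truncated payload */
        return NULL;
    unsigned char *px = malloc(bytes);
    if (!px)
        return NULL;
    memcpy(px, buf + sizeof h, bytes);
    *out_len = bytes;
    return px;
}

int main(void)
{
    /* Constructed hostile header: 65536 x 65536 x 1 byte per pixel. */
    ImageHeader evil = {65536u, 65536u, 1u};
    size_t n = 0;
    printf("unchecked size: %zu bytes\n", unsafe_pixel_bytes(&evil));
    printf("checked accept: %d\n", safe_pixel_bytes(&evil, &n));

    /* Constructed tiny valid file: 2 x 2 x 1 plus four pixel bytes. */
    unsigned char file[12 + 4] = {2, 0, 0, 0, 2, 0, 0, 0, 1, 0, 0, 0, 9, 9, 9, 9};
    size_t got = 0;
    unsigned char *px = load_image(file, sizeof file, &got);
    printf("loaded %zu pixel bytes\n", px ? got : 0);
    free(px);
    return 0;
}
```

The two things worth taking from this: the check has to happen before the multiply (testing the product after the fact is too late, it has already wrapped), and the size derived from the header must also be reconciled with how much data the file really contains.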
3 Comments
79a it is then.
I don't understand how the vulnerability works, but I hope it doesn't reduce performance by a large amount.
No, those fixes won't reduce performance in any noticeable way.
It's not an Intel patch :D