CVE-2017-2903

An exploitable integer overflow exists in the DPX loading functionality of the Blender open-source 3d creation suite version 2.78c. A specially crafted '.cin' file can cause an integer overflow resulting in a buffer overflow which can allow for code execution under the context of the application. An attacker can convince a user to use the file as an asset via the sequencer in order to trigger this vulnerability.

References

Affected packages

Git / github.com/blender/blender

Affected ranges

Type

GIT

Repo

https://github.com/blender/blender

Events

Introduced

Last affected

e92f235283071c13759bc4e6e861e4e938985307

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.78c"
        }
    ]
}

Affected versions

v2.*

v2.25

v2.26

v2.28

v2.28a

v2.28c

v2.30

v2.31

v2.31a

v2.32

v2.33

v2.33a

v2.34

v2.35

v2.35a

v2.37

v2.37a

v2.40

v2.42

v2.42a

v2.43

v2.44

v2.48

v2.48a

v2.55

v2.56a

v2.57

v2.57a

v2.57b

v2.58

v2.58a

v2.59

v2.60

v2.63

v2.66

v2.70-rc

v2.71-rc1

v2.72-rc1

v2.73-rc1

v2.74-rc1

v2.78

v2.78-rc1

v2.78-rc2

v2.78a

v2.78b

v2.78c

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-2903.json"