Fwd: Regarding CORE-2009-1209

19 views

Skip to first unread message

Reed Hedges

unread,

Mar 9, 2010, 7:53:49 AM3/9/10

to lib3ds

I received this email. I guess Google Sketchup uses lib3ds? And
there was some bug in Sketchup regarding parsing 3DS files? This is
my guess from quickly looking at his links, he gave no other
explanation for what the issue is or what the question is.

-------

Hi Reed,

this is due:
[1] http://www.coresecurity.com/content/google-sketchup-vulnerability
[2] http://sketchup.google.com/support/bin/answer.py?hl=en&answer=141303
[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0280

[1] in part "9. Report Timeline" mentions:

"2009-12-21: The Google Security team replies explaining that the
bug
is in a 3rd party library. They propose a tentative release date:
January 12th."

When looking at lib3ds issues:
[4] http://code.google.com/p/lib3ds/issues/list?can=1&q=&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles

there doesn't seem to be separate upstream lib3ds commit fixing this.

So, was this only Google SketchUp specific issue? (and no change is
required for upstream lib3ds)

Otherwise, could you point me to the relevant patch?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Reply all

Reply to author

Forward

0 new messages