Debian Bug report logs - #298167
blender: please revert writing quit.blend with O_EXCL and make U.tempdir default to a userdir instead


Package: blender; Maintainer for blender is Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>; Source for blender is src:blender.

Reported by: Bill Allombert <ballombe@debian.org>

Date: Sat, 5 Mar 2005 10:18:01 UTC

Severity: wishlist

Tags: patch

Found in version 2.35-1.1

Fixed in version blender/2.37a-1

Done: Masayuki Hatta (mhatta) <mhatta@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#298167; Package blender. Full text and rfc822 format available.

Acknowledgement sent to Bill Allombert <ballombe@debian.org>:
New Bug report received and forwarded. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Bill Allombert <ballombe@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: blender: insecure writing to /tmp/quit.blender
Date: Sat, 5 Mar 2005 11:11:13 +0100
Package: blender
Version: 2.35-1.1
Severity: serious
Tags: security

Hello Masayuki,

It seems there is a trivially exploitable symlink attack in blender:

To reproduce:
1) ln -s $HOME/foo /tmp/quit.blend
2) run blender
3) Create some objects
4) quit blender
5) blender output:
Saved session recovery to /tmp/quit.blend

Blender quit
6) Now $HOME/foo has been written to.

Looking at the code:
./source/blender/blenkernel/intern/blender.c line 666 (no joke):

        /* no undo state to save */
        if(undobase.first==undobase.last) return;

        BLI_make_file_string("/", str, U.tempdir, "quit.blend");

        file = open(str,O_BINARY+O_WRONLY+O_CREAT+O_TRUNC, 0666);
        if(file == -1) {
                printf("Unable to save %s\n", str);
                return;
        }

blender needs to also set O_EXCL when opening the file to prevent
the symlink attack. However it seems a better fix to save this file
in $HOME/.blender: if several users run blender on the same machine,
only the first one will benefit of the /tmp/quit.blend.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=fr_FR, LC_CTYPE=fr_FR (charmap=ISO-8859-1)

Versions of packages blender depends on:
ii  gettext       0.14.1-10                  GNU Internationalization utilities
ii  gettext-base  0.14.1-10                  GNU Internationalization utilities
ii  libc6         2.3.2.ds1-20               GNU C Library: Shared libraries an
ii  libfreetype6  2.1.7-2.3                  FreeType 2 font engine, shared lib
ii  libgcc1       1:3.4.3-9                  GCC support library
ii  libjpeg62     6b-10                      The Independent JPEG Group's JPEG 
ii  libopenal0    0.2004090900-1.1           OpenAL is a portable library for 3
ii  libpng12-0    1.2.8rel-1                 PNG library - runtime
ii  libsdl1.2debi 1.2.7+1.2.8cvs20041007-4.1 Simple DirectMedia Layer
ii  libstdc++5    1:3.3.5-8                  The GNU Standard C++ Library v3
ii  libx11-6      4.3.0.dfsg.1-12.0.1        X Window System protocol client li
ii  python2.3     2.3.5-1                    An interactive high-level object-o
ii  xlibmesa-gl [ 4.3.0.dfsg.1-12.0.1        Mesa 3D graphics library [XFree86]
ii  xlibmesa-glu  4.3.0.dfsg.1-12.0.1        Mesa OpenGL utility library [XFree
ii  xlibs         4.3.0.dfsg.1-12            X Keyboard Extension (XKB) configu
ii  zlib1g        1:1.2.2-4                  compression library - runtime

-- no debconf information



Tags added: patch Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Masayuki Hatta (mhatta) <mhatta@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Bill Allombert <ballombe@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #12 received at 298167-close@bugs.debian.org (full text, mbox):

From: Masayuki Hatta (mhatta) <mhatta@debian.org>
To: 298167-close@bugs.debian.org
Subject: Bug#298167: fixed in blender 2.36-1
Date: Thu, 10 Mar 2005 12:47:18 -0500
Source: blender
Source-Version: 2.36-1

We believe that the bug you reported is fixed in the latest version of
blender, which is due to be installed in the Debian FTP archive:

blender_2.36-1.diff.gz
  to pool/main/b/blender/blender_2.36-1.diff.gz
blender_2.36-1.dsc
  to pool/main/b/blender/blender_2.36-1.dsc
blender_2.36-1_i386.deb
  to pool/main/b/blender/blender_2.36-1_i386.deb
blender_2.36.orig.tar.gz
  to pool/main/b/blender/blender_2.36.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 298167@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Masayuki Hatta (mhatta) <mhatta@debian.org> (supplier of updated blender package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 11 Mar 2005 00:55:14 +0900
Source: blender
Binary: blender
Architecture: source i386
Version: 2.36-1
Distribution: unstable
Urgency: high
Maintainer: Masayuki Hatta (mhatta) <mhatta@debian.org>
Changed-By: Masayuki Hatta (mhatta) <mhatta@debian.org>
Description: 
 blender    - Very fast and versatile 3D modeller/renderer
Closes: 285578 288882 288883 298167
Changes: 
 blender (2.36-1) unstable; urgency=high
 .
   * The "Back From The Gig" release.
   * Urgency is set to high, since this release fixes a security issue.  Woody doesn't have free Blender.
   * [02_fix_insecure_writing_to_quit_blend] added a dpatch to prevent a symlinkattack - closes: #298167
   * New upstream release - closes: #288883
   * Acknowledged NMU, sorry for delay and thanks guys - closes: #288882
   * Now fully updates the plugins every time blender is launched - closes: #285578
Files: 
 5c78abcbfe5277a84d951a345ca7c4ac 736 graphics optional blender_2.36-1.dsc
 8e2237c86b12e6061935632495aec875 6912828 graphics optional blender_2.36.orig.tar.gz
 5cb1bb355513b45b618f169544cc4029 12285 graphics optional blender_2.36-1.diff.gz
 95e3594d330cf86e15b873b02573e159 3932958 graphics optional blender_2.36-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCMIHBy2+jQOcHWlQRAg5KAKC/1/r5BnO6+d1aQPBZuF6AWZoXFACgoIDW
7zWzUMl5YFTOdWMR3OcatFM=
=kfjy
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#298167; Package blender. Full text and rfc822 format available.

Acknowledgement sent to Martin Dickopp <martin@zero-based.org>:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>. Full text and rfc822 format available.

Message #17 received at 298167@bugs.debian.org (full text, mbox):

From: Martin Dickopp <martin@zero-based.org>
To: 298167@bugs.debian.org
Cc: control@bugs.debian.org, 298167-submitter@bugs.debian.org
Subject: Re: blender: insecure writing to /tmp/quit.blender
Date: Sat, 12 Mar 2005 21:30:10 +0100
reopen 298167
tags 298167 - security
severity 298167 wishlist
retitle 298167 blender: please revert writing quit.blend with O_EXCL and make U.tempdir default to a userdir instead
thanks


Hi,

Creating quit.blend with the O_EXCL flag has a major drawback: after the
file has been written for the first time, all further attempts to write
it again will fail. This makes the feature quite useless, IMHO.

A much better solution, IMHO, would be to make U.tempdir default to a
directory that is not world-writable, e.g. the user's home directory.
Note that the user can configure the value of U.tempdir within Blender,
so she or he can change it to a directory of her or his liking.

This solution would also be more robust with respect to future security
bugs, should future Blender versions use U.tempdir for other purposes
than just creating quit.blend there.

I therefore suggest replacing this code

        if (BLI_streq(U.tempdir, "/")) {
                char *tmp= getenv("TEMP");
                strcpy(U.tempdir, tmp?tmp:"/tmp/");
        }

with

        if (BLI_streq(U.tempdir, "/")) {
                strcpy(U.tempdir, BLI_gethome());
        }

in source/blender/src/usiblender.c.

Thanks,
Martin
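
The trade-off argued in the two messages above, as an added example (not Blender's code and not the Debian dpatch): the flags quoted in the report write through a pre-planted symlink, O_EXCL refuses the link but also refuses every later save, and a plain overwrite only becomes safe once the directory is owned by the user and not writable by anyone else. The scratch paths, helper names and result bitmask are constructed for the demo; O_BINARY is omitted because it is not a POSIX flag.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Save a session file. extra=0 mirrors the flags quoted in the report;
 * extra=O_EXCL is the first fix. Returns 0 on success, otherwise errno. */
static int save(const char *path, int extra) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | extra, 0600);
    if (fd == -1) return errno;
    int rc = (write(fd, "BLENDER", 7) == 7) ? 0 : EIO;
    close(fd);
    return rc;
}

/* Precondition for the second proposal: the directory is ours and
 * neither group- nor world-writable, so nobody else can plant a link. */
static int dir_is_private(const char *dir) {
    struct stat st;
    return stat(dir, &st) == 0 && S_ISDIR(st.st_mode) && st.st_uid == geteuid()
        && !(st.st_mode & (S_IWGRP | S_IWOTH));
}

/* Constructed scenario in a scratch directory (all names made up). Result bits:
 *  1 plain open wrote through a planted symlink    2 O_EXCL refused the symlink
 *  4 O_EXCL worked on a fresh path                 8 second O_EXCL save hit EEXIST
 * 16 plain re-save works in a private directory   32 a 0777 directory is rejected */
int run_demo(void) {
    char dir[] = "/tmp/quitdemo.XXXXXX", victim[64], link_[64], fresh[64];
    int r = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_, sizeof link_, "%s/quit.blend", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.blend", dir);
    if (symlink(victim, link_) != 0) return -1;
    if (save(link_, 0) == 0 && access(victim, F_OK) == 0) r |= 1;
    unlink(victim);
    if (save(link_, O_EXCL) == EEXIST && access(victim, F_OK) != 0) r |= 2;
    if (save(fresh, O_EXCL) == 0) r |= 4;
    if (save(fresh, O_EXCL) == EEXIST) r |= 8;
    if (dir_is_private(dir) && save(fresh, 0) == 0 && save(fresh, 0) == 0) r |= 16;
    if (chmod(dir, 0777) == 0 && !dir_is_private(dir)) r |= 32;
    unlink(link_); unlink(fresh); rmdir(dir);
    return r;
}

int main(void) { printf("result mask: %d (expect 63)\n", run_demo()); return 0; }
```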



Bug reopened, originator not changed. Request was from Martin Dickopp <martin@zero-based.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: security Request was from Martin Dickopp <martin@zero-based.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `wishlist'. Request was from Martin Dickopp <martin@zero-based.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Martin Dickopp <martin@zero-based.org> to control@bugs.debian.org. Full text and rfc822 format available.

Message sent on to Bill Allombert <ballombe@debian.org>:
Bug#298167. Full text and rfc822 format available.

Reply sent to Masayuki Hatta (mhatta) <mhatta@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Bill Allombert <ballombe@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #33 received at 298167-close@bugs.debian.org (full text, mbox):

From: Masayuki Hatta (mhatta) <mhatta@debian.org>
To: 298167-close@bugs.debian.org
Subject: Bug#298167: fixed in blender 2.37a-1
Date: Tue, 06 Sep 2005 23:02:07 -0700
Source: blender
Source-Version: 2.37a-1

We believe that the bug you reported is fixed in the latest version of
blender, which is due to be installed in the Debian FTP archive:

blender_2.37a-1.diff.gz
  to pool/main/b/blender/blender_2.37a-1.diff.gz
blender_2.37a-1.dsc
  to pool/main/b/blender/blender_2.37a-1.dsc
blender_2.37a-1_i386.deb
  to pool/main/b/blender/blender_2.37a-1_i386.deb
blender_2.37a.orig.tar.gz
  to pool/main/b/blender/blender_2.37a.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 298167@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Masayuki Hatta (mhatta) <mhatta@debian.org> (supplier of updated blender package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  6 Sep 2005 17:52:51 +0900
Source: blender
Binary: blender
Architecture: source i386
Version: 2.37a-1
Distribution: unstable
Urgency: low
Maintainer: Masayuki Hatta (mhatta) <mhatta@debian.org>
Changed-By: Masayuki Hatta (mhatta) <mhatta@debian.org>
Description: 
 blender    - Very fast and versatile 3D modeller/renderer
Closes: 285577 298167 304567 313676 316524 319307
Changes: 
 blender (2.37a-1) unstable; urgency=low
 .
   * Works had been done at Codefest Asia 2005 in Colombo, Sri Lanka.
   * New upstream release - closes: #316524
   * Bumped Standards-Version 3.6.2.1 (no physical changes).
   * Now the package include blenderplayer - closes: #304567
   * Now it should be built on amd64 with gcc-4.0 - closes: #285577, #319307
   * Now quit.blend is created in the user's homedir - closes: #298167
   * Fixed de.po - closes: #313676
Files: 
 1cad4af1a7c382dac16d089a30bceea7 740 graphics optional blender_2.37a-1.dsc
 2af6afdb01c1d297c43602982d9a919c 7885589 graphics optional blender_2.37a.orig.tar.gz
 ae9f4939702135e2b738e26b88886736 3388 graphics optional blender_2.37a-1.diff.gz
 4a1b7a229e084686024e76545a00c91d 4239716 graphics optional blender_2.37a-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDHnxNy2+jQOcHWlQRAuMAAJ924sjh9SrQWhSMCvblyAHVdp3EtwCgoBHF
uk8ORn3vzHQbBGTJ97mI7WM=
=DBe9
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 07:58:58 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 09:49:26 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.