Debian Bug report logs - #584621
blender: possible symlink attack


Package: blender; Maintainer for blender is Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>; Source for blender is src:blender.

Reported by: Paul Wise <pabs@debian.org>

Date: Sat, 5 Jun 2010 06:30:02 UTC

Severity: normal

Tags: security

Found in versions blender/2.50~alpha~0~svn24834-2, blender/2.63a-1

Forwarded to https://projects.blender.org/tracker/index.php?func=detail&aid=22509&group_id=9&atid=498





Report forwarded to debian-bugs-dist@lists.debian.org, Cyril Brulebois <kibi@debian.org>:
Bug#584621; Package blender. (Sat, 05 Jun 2010 06:30:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Wise <pabs@debian.org>:
New Bug report received and forwarded. Copy sent to Cyril Brulebois <kibi@debian.org>. (Sat, 05 Jun 2010 06:30:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: blender: possible symlink attack
Date: Sat, 05 Jun 2010 14:27:01 +0800
[Message part 1 (text/plain, inline)]
Package: blender
Version: 2.50~alpha~0~svn24834-2
Severity: normal
Tags: security
Forwarded: https://projects.blender.org/tracker/index.php?func=detail&aid=22509&group_id=9&atid=498

Blender is subject to a symlink attack when the user closes the app
without saving their changes. The consequences are that an
attacker-determined file owned by the victim is overwritten with a .blend
file, destroying whatever data was in the file in the process.

Version 2.49.2~dfsg-2 isn't vulnerable to this attack since it uses
~/.blender/quit.blend instead of /tmp/quit.blend. I would suggest this
behaviour be restored before Blender 2.50 is released.

pabs@chianamo:~$ sudo ln -s /home/pabs/foo /tmp/quit.blend
[sudo] password for pabs: 
pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo
ls: cannot access /home/pabs/foo: No such file or directory
lrwxrwxrwx 1 root root 14 Jun  5 13:51 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo:  ERROR: cannot open `/home/pabs/foo' (No such file or directory)
pabs@chianamo:~$ blender 
Ob 'Camera' - Successfully removed 0 keyframes 
*bpy stats* - tot exec: 5728,  tot run: 0.4375sec,  average run: 0.000076sec,  tot usage 1.4299%
Saved session recovery to /tmp/quit.blend

Blender quit
pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo
-rw-r----- 1 pabs pabs 78K Jun  5 13:53 /home/pabs/foo
lrwxrwxrwx 1 root root  14 Jun  5 13:51 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo:  Blender3D, saved as 64-bits little endian with version 2.50.0007
pabs@chianamo:~$ echo foo > /home/pabs/foo
pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo
-rw-r----- 1 pabs pabs  4 Jun  5 14:00 /home/pabs/foo
lrwxrwxrwx 1 root root 14 Jun  5 13:51 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo:  ASCII text
pabs@chianamo:~$ blender 
*bpy stats* - tot exec: 648,  tot run: 0.0677sec,  average run: 0.000104sec,  tot usage 0.4556%
Saved session recovery to /tmp/quit.blend

Blender quit
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo:  Blender3D, saved as 64-bits little endian with version 2.50.0007

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]
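The write that the report describes, done the vulnerable way and a hardened way, as an added example that is not Blender's or Debian's code. It reproduces the scenario above in a private mkdtemp directory instead of /tmp and the victim's home; the names write_recovery_unsafe, write_recovery_safe, run_demo and the file names "victim" and "quit.blend" are my own and say nothing about Blender's internals.

```c
/* Added example (not Blender's code): the session-recovery write done two
 * ways, and a demo that plants a symlink first, as in the bug report. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: a plain fopen(..., "wb") on a predictable path in a
 * world-writable directory. If path was pre-created as a symlink, the kernel
 * follows it and the target is truncated and overwritten with the payload. */
int write_recovery_unsafe(const char *path, const char *data, size_t len)
{
    FILE *f = fopen(path, "wb");
    if (!f)
        return -1;
    size_t n = fwrite(data, 1, len, f);
    if (fclose(f) != 0)
        return -1;
    return n == len ? 0 : -1;
}

/* Hardened pattern: O_NOFOLLOW makes open() fail with ELOOP instead of
 * following a symlink at the final component; the file is created 0600; and
 * before truncating anything we fstat() the descriptor we actually got and
 * insist on a regular file, owned by us, with a single link, so a hard link
 * planted by another user (possible where fs.protected_hardlinks is off) is
 * refused too. Truncation happens only after those checks pass. */
int write_recovery_safe(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1; /* errno == ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    while (len > 0) {
        ssize_t w = write(fd, data, len);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        data += w;
        len -= (size_t)w;
    }
    return close(fd);
}

/* Read a small file into buf; returns bytes read or -1. */
static ssize_t slurp(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, cap);
    close(fd);
    return n;
}

/* Reproduce the report in a private directory: "victim" stands in for
 * /home/pabs/foo and "quit.blend" for /tmp/quit.blend. Returns 0 when the
 * unsafe writer clobbers the victim file, the safe writer refuses the
 * symlink with ELOOP and leaves it intact, and the safe writer still works
 * on an ordinary path; otherwise the number of the step that failed. */
int run_demo(void)
{
    char dir[] = "/tmp/blendsym.XXXXXX";
    char victim[256], link_[256], plain[256], buf[64];
    int rc = 1;
    if (!mkdtemp(dir))
        return rc;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_, sizeof link_, "%s/quit.blend", dir);
    snprintf(plain, sizeof plain, "%s/plain.blend", dir);

    /* Victim's own data ("foo"), then the attacker's pre-planted symlink. */
    if (write_recovery_safe(victim, "foo\n", 4) != 0 || symlink(victim, link_) != 0)
        goto out;
    /* 1. Unsafe writer follows the link: victim file now holds the payload. */
    rc = 2;
    if (write_recovery_unsafe(link_, "BLENDER", 7) != 0 ||
        slurp(victim, buf, sizeof buf) != 7 || memcmp(buf, "BLENDER", 7) != 0)
        goto out;
    /* 2. Restore "foo"; the safe writer must fail with ELOOP and not touch it. */
    rc = 3;
    if (write_recovery_safe(victim, "foo\n", 4) != 0)
        goto out;
    if (write_recovery_safe(link_, "BLENDER", 7) != -1 || errno != ELOOP ||
        slurp(victim, buf, sizeof buf) != 4 || memcmp(buf, "foo\n", 4) != 0)
        goto out;
    /* 3. The safe writer still works on a plain, non-symlink path. */
    rc = 4;
    if (write_recovery_safe(plain, "BLENDER", 7) != 0 ||
        slurp(plain, buf, sizeof buf) != 7 || memcmp(buf, "BLENDER", 7) != 0)
        goto out;
    rc = 0;
out:
    unlink(plain);
    unlink(link_);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    if (rc == 0)
        printf("unsafe writer clobbered the victim; safe writer refused with ELOOP\n");
    else
        printf("demo failed at step %d\n", rc);
    return rc;
}
```

O_NOFOLLOW plus the post-open fstat() checks are defence in depth, not a substitute for the fix the report asks for: a recovery file that lives in a directory only the user can write to, such as ~/.blender, cannot be pre-planted by another user at all. Note also that the Linux fs.protected_symlinks sysctl (kernel 3.6 and later) refuses to follow a symlink in a sticky world-writable directory when the link's owner differs from both the follower and the directory owner; that stops a link planted by an ordinary user in /tmp, but not the root-owned link used in the reproduction above, where the link's owner matches /tmp's owner.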

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#584621; Package blender. (Sat, 05 Jun 2010 09:45:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Cyril Brulebois <kibi@debian.org>:
Extra info received and forwarded to list. (Sat, 05 Jun 2010 09:45:06 GMT) Full text and rfc822 format available.

Message #10 received at 584621@bugs.debian.org (full text, mbox):

From: Cyril Brulebois <kibi@debian.org>
To: Paul Wise <pabs@debian.org>, 584621@bugs.debian.org
Subject: Re: Bug#584621: blender: possible symlink attack
Date: Sat, 5 Jun 2010 11:43:52 +0200
[Message part 1 (text/plain, inline)]
Hi Paul.

Paul Wise <pabs@debian.org> (05/06/2010):
> Package: blender
> Version: 2.50~alpha~0~svn24834-2
> Severity: normal
> Tags: security
> Forwarded: https://projects.blender.org/tracker/index.php?func=detail&aid=22509&group_id=9&atid=498

Requires authentication. Yay for closed projects.

> Blender is subject to a symlink attack when the user closes the app
> without saving their changes. The consequences are that an
> attacker-determined file owned by the victim is overwritten with a .blend
> file, destroying whatever data was in the file in the process.
> 
> Version 2.49.2~dfsg-2 isn't vulnerable to this attack since it uses
> ~/.blender/quit.blend instead of /tmp/quit.blend. I would suggest
> this behaviour be restored before Blender 2.50 is released.

Known, see NEWS file:
  http://git.debian.org/?p=collab-maint/blender.git;a=blob;f=debian/NEWS;hb=experimental

Mraw,
KiBi.
[signature.asc (application/pgp-signature, inline)]

Reply sent to "Matteo F. Vescovi" <mfv.debian@gmail.com>:
You have taken responsibility. (Thu, 05 Jan 2012 11:51:03 GMT) Full text and rfc822 format available.

Notification sent to Paul Wise <pabs@debian.org>:
Bug acknowledged by developer. (Thu, 05 Jan 2012 11:51:12 GMT) Full text and rfc822 format available.

Message #15 received at 584621-done@bugs.debian.org (full text, mbox):

From: "Matteo F. Vescovi" <mfv.debian@gmail.com>
To: 584621-done@bugs.debian.org
Subject: Re: blender: possible symlink attack
Date: Thu, 05 Jan 2012 12:48:51 +0100
Package: blender
Version: 2.61-1

Closing.
Feel free to re-open the report if the issue persists.

Thanks for your time and efforts.

-- 
Matteo F. Vescovi
Debian Sponsored Maintainer
e-mail: mfv.debian@gmail.com
GnuPG KeyID: 1E9C4467




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 08 Feb 2012 07:36:02 GMT) Full text and rfc822 format available.

Bug unarchived. Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Wed, 05 Sep 2012 13:54:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#584621; Package blender. (Wed, 05 Sep 2012 14:27:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 05 Sep 2012 14:27:09 GMT) Full text and rfc822 format available.

Message #24 received at 584621@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: "Matteo F. Vescovi" <mfv.debian@gmail.com>
Cc: 584621@bugs.debian.org, Debian Security <security@debian.org>
Subject: Re: blender: possible symlink attack
Date: Wed, 05 Sep 2012 22:23:58 +0800
[Message part 1 (text/plain, inline)]
Control: reopen -1
Control: found -1 2.63a-1

On Thu, 2012-01-05 at 12:48 +0100, Matteo F. Vescovi wrote:

> Version: 2.61-1
> 
> Closing.
> Feel free to re-open the report if the issue persists.
> 
> Thanks for your time and efforts.

Sorry I didn't notice this bug closing, but did you check that this
problem was fixed? It certainly is not fixed on wheezy (see below).

This bug has occurred and been fixed before (#298167), and it is a bit
disappointing that it was fixed in 2.37a-1 and then again by a different
maintainer, and the maintainer after that didn't preserve those fixes.
Security team, can we get a CVE assigned for this? Perhaps that would
get people to fix it for good. The consequences are arbitrary file
creation or overwrite on a multi-user system:

pabs@chianamo ~ $ dpkg -l blender 
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                          Version             Architecture        Description
+++-=============================-===================-===================-===============================================================
ii  blender                       2.63a-1             amd64               Very fast and versatile 3D modeller/renderer
pabs@chianamo ~ $ sudo ln -s /home/pabs/foo /tmp/quit.blend
pabs@chianamo ~ $ ls -l /tmp/quit.blend /home/pabs/foo
ls: cannot access /home/pabs/foo: No such file or directory
lrwxrwxrwx 1 root root 14 Sep  5 22:01 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo ~ $ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: broken symbolic link to `/home/pabs/foo'
/home/pabs/foo:  ERROR: cannot open `/home/pabs/foo' (No such file or directory)
pabs@chianamo ~ $ blender 

Blender quit
pabs@chianamo ~ $ blender 
Saved session recovery to /tmp/quit.blend

Blender quit
pabs@chianamo ~ $ ls -l /tmp/quit.blend /home/pabs/foo
-rw-r----- 1 pabs pabs 170K Sep  5 22:02 /home/pabs/foo
lrwxrwxrwx 1 root root   14 Sep  5 22:01 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo ~ $ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo:  Blender3D, saved as 64-bits little endian with version 2.63
pabs@chianamo ~ $ echo foo > /home/pabs/foo
pabs@chianamo ~ $ ls -l /tmp/quit.blend /home/pabs/foo
-rw-r----- 1 pabs pabs  4 Sep  5 22:03 /home/pabs/foo
lrwxrwxrwx 1 root root 14 Sep  5 22:01 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo ~ $ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo:  ASCII text
pabs@chianamo ~ $ blender 
Saved session recovery to /tmp/quit.blend

Blender quit
pabs@chianamo ~ $ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo:  Blender3D, saved as 64-bits little endian with version 2.63

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]

Bug reopened Request was from Paul Wise <pabs@debian.org> to 584621-submit@bugs.debian.org. (Wed, 05 Sep 2012 14:27:09 GMT) Full text and rfc822 format available.

No longer marked as fixed in versions blender/2.61-1. Request was from Paul Wise <pabs@debian.org> to 584621-submit@bugs.debian.org. (Wed, 05 Sep 2012 14:27:09 GMT) Full text and rfc822 format available.

Marked as found in versions blender/2.63a-1. Request was from Paul Wise <pabs@debian.org> to 584621-submit@bugs.debian.org. (Wed, 05 Sep 2012 14:27:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#584621; Package blender. (Thu, 06 Sep 2012 10:27:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kevin Roy <kiniou@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 06 Sep 2012 10:27:06 GMT) Full text and rfc822 format available.

Message #35 received at 584621@bugs.debian.org (full text, mbox):

From: Kevin Roy <kiniou@gmail.com>
To: Paul Wise <pabs@debian.org>, 584621@bugs.debian.org
Cc: "Matteo F. Vescovi" <mfv.debian@gmail.com>, Debian Security <security@debian.org>
Subject: Re: Bug#584621: blender: possible symlink attack
Date: Thu, 6 Sep 2012 12:24:13 +0200
Hi Paul,

On 5 September 2012 16:23, Paul Wise <pabs@debian.org> wrote:
> Sorry I didn't notice this bug closing, but did you check that this
> problem was fixed? It certainly is not fixed on wheezy (see below).

At the time of triaging this bug, I did a test and the bug did appear to me.
But now I realize that it isn't fixed, as I didn't understand the
process to reproduce it (i.e. I didn't create the symbolic link
*before* running blender).

> This bug has occurred and been fixed before (#298167), and it is a bit
> disappointing that it was fixed in 2.37a-1 and then again by a different
> maintainer, and the maintainer after that didn't preserve those fixes.

As far as I remember it has been dropped in 2.50-alpha because the
Debian patch was a bit hacky:
 - the blender executable was wrapped by a script that checked for the
existence of the ~/.blender directory and created it otherwise.
 - there was also a Debian patch that made blender save quit.blend
in the ~/.blender directory.
I've spent some time trying to produce a decent patch without result,
and as I didn't manage to reproduce the bug, I didn't try further (my
bad :-( ).

> Security team, can we get a CVE assigned for this? Perhaps that would
> get people to fix it for good. The consequences are arbitrary file
> creation or overwrite on a multi-user system:
>
> pabs@chianamo ~ $ dpkg -l blender
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name                          Version             Architecture        Description
> +++-=============================-===================-===================-===============================================================
> ii  blender                       2.63a-1             amd64               Very fast and versatile 3D modeller/renderer
> pabs@chianamo ~ $ sudo ln -s /home/pabs/foo /tmp/quit.blend
> pabs@chianamo ~ $ ls -l /tmp/quit.blend /home/pabs/foo
> ls: cannot access /home/pabs/foo: No such file or directory
> lrwxrwxrwx 1 root root 14 Sep  5 22:01 /tmp/quit.blend -> /home/pabs/foo
> pabs@chianamo ~ $ file /tmp/quit.blend /home/pabs/foo
> /tmp/quit.blend: broken symbolic link to `/home/pabs/foo'
> /home/pabs/foo:  ERROR: cannot open `/home/pabs/foo' (No such file or directory)
> pabs@chianamo ~ $ blender
>
> Blender quit
> pabs@chianamo ~ $ blender
> Saved session recovery to /tmp/quit.blend
>
> Blender quit
> pabs@chianamo ~ $ ls -l /tmp/quit.blend /home/pabs/foo
> -rw-r----- 1 pabs pabs 170K Sep  5 22:02 /home/pabs/foo
> lrwxrwxrwx 1 root root   14 Sep  5 22:01 /tmp/quit.blend -> /home/pabs/foo
> pabs@chianamo ~ $ file /tmp/quit.blend /home/pabs/foo
> /tmp/quit.blend: symbolic link to `/home/pabs/foo'
> /home/pabs/foo:  Blender3D, saved as 64-bits little endian with version 2.63
> pabs@chianamo ~ $ echo foo > /home/pabs/foo
> pabs@chianamo ~ $ ls -l /tmp/quit.blend /home/pabs/foo
> -rw-r----- 1 pabs pabs  4 Sep  5 22:03 /home/pabs/foo
> lrwxrwxrwx 1 root root 14 Sep  5 22:01 /tmp/quit.blend -> /home/pabs/foo
> pabs@chianamo ~ $ file /tmp/quit.blend /home/pabs/foo
> /tmp/quit.blend: symbolic link to `/home/pabs/foo'
> /home/pabs/foo:  ASCII text
> pabs@chianamo ~ $ blender
> Saved session recovery to /tmp/quit.blend
>
> Blender quit
> pabs@chianamo ~ $ file /tmp/quit.blend /home/pabs/foo
> /tmp/quit.blend: symbolic link to `/home/pabs/foo'
> /home/pabs/foo:  Blender3D, saved as 64-bits little endian with version 2.63
>

--
Kevin Roy
blog.knokorpo.fr





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 17:07:44 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.