Comment 0 for bug 6671

Bill Allombert (ballombe) wrote: blender: insecure writing to /tmp/quit.blender

Package: blender
Version: 2.35-1.1
Severity: serious
Tags: security

Hello Masayuki,

It seems there is a trivially exploitable symlink attack in blender:

To reproduce:
1) ln -s $HOME/foo /tmp/quit.blend
2) run blender
3) Create some objects
4) quit blender
5) blender output:
Saved session recovery to /tmp/quit.blend

Blender quit
6) Now $HOME/foo has been written to.

Looking at the code:
./source/blender/blenkernel/intern/blender.c line 666 (no joke):

        /* no undo state to save */
        if(undobase.first==undobase.last) return;

        BLI_make_file_string("/", str, U.tempdir, "quit.blend");

        file = open(str,O_BINARY+O_WRONLY+O_CREAT+O_TRUNC, 0666);
        if(file == -1) {
                printf("Unable to save %s\n", str);
                return;
        }

blender needs to also set O_EXCL when opening the file to prevent
the symlink attack. However, it seems a better fix would be to save this file
in $HOME/.blender: if several users run blender on the same machine,
only the first one will benefit from /tmp/quit.blend.

Cheers,
--
Bill. <email address hidden>

Imagine a large red swirl here.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=fr_FR, LC_CTYPE=fr_FR (charmap=ISO-8859-1)

Versions of packages blender depends on:
ii gettext 0.14.1-10 GNU Internationalization utilities
ii gettext-base 0.14.1-10 GNU Internationalization utilities
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libfreetype6 2.1.7-2.3 FreeType 2 font engine, shared lib
ii libgcc1 1:3.4.3-9 GCC support library
ii libjpeg62 6b-10 The Independent JPEG Group's JPEG
ii libopenal0 0.2004090900-1.1 OpenAL is a portable library for 3
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libsdl1.2debi 1.2.7+1.2.8cvs20041007-4.1 Simple DirectMedia Layer
ii libstdc++5 1:3.3.5-8 The GNU Standard C++ Library v3
ii libx11-6 4.3.0.dfsg.1-12.0.1 X Window System protocol client li
ii python2.3 2.3.5-1 An interactive high-level object-o
ii xlibmesa-gl [ 4.3.0.dfsg.1-12.0.1 Mesa 3D graphics library [XFree86]
ii xlibmesa-glu 4.3.0.dfsg.1-12.0.1 Mesa OpenGL utility library [XFree
ii xlibs 4.3.0.dfsg.1-12 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4 compression library - runtime

-- no debconf information
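The scenario from the report, reproduced in code as an added example (this is not Blender code and not part of the original report): the open() call quoted from blender.c is placed beside an O_EXCL variant, and both are run against a planted symlink named quit.blend in a private scratch directory that stands in for /tmp. The victim file stands in for $HOME/foo. For simplicity the attacker step (planting the link) and the victim step (Blender writing its recovery file) are performed by the same user, which is enough to show the kernel following the link; in the real attack the link is planted by another user of a shared machine.

```c
/* Added example, not Blender code: the quoted open() beside an O_EXCL
 * variant, exercised against a symlink planted in a scratch directory. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_BINARY
#define O_BINARY 0          /* Blender's O_BINARY is a no-op on POSIX */
#endif

/* The call as quoted from blender.c: O_CREAT|O_TRUNC without O_EXCL
 * follows a symlink and truncates whatever it points at. Returns the
 * fd, or -1 on failure. */
int open_like_blender(const char *path)
{
    return open(path, O_BINARY | O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened variant: with O_CREAT|O_EXCL, POSIX requires open() to fail
 * with EEXIST when anything, a symlink included, already sits at `path`,
 * so a planted link is never followed. Mode 0600 also keeps the
 * recovery file private. *err receives errno (0 on success). */
int open_excl(const char *path, int *err)
{
    int fd = open(path, O_BINARY | O_WRONLY | O_CREAT | O_EXCL, 0600);
    *err = (fd == -1) ? errno : 0;
    return fd;
}

/* Size of a file in bytes, or -1 if it cannot be stat()ed. */
static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1L;
}

/* Builds the report's scenario in a fresh mkdtemp() directory:
 * `victim` stands for $HOME/foo and `quit.blend` is a symlink to it.
 * Returns 1 if the Blender-style open wrote through the link (the bug),
 * 0 if it did not, -1 on setup failure. Stores the errno produced by the
 * O_EXCL open in *excl_err. Everything created is removed afterwards. */
int run_symlink_demo(int *excl_err)
{
    char dir[] = "/tmp/quitdemo.XXXXXX";   /* constructed scratch location */
    char victim[64], trap[64];
    FILE *f;
    int fd, result = -1;

    *excl_err = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(trap, sizeof trap, "%s/quit.blend", dir);

    /* Pre-existing user data that the attack destroys (constructed). */
    f = fopen(victim, "w");
    if (f == NULL) goto cleanup;
    fputs("precious user data\n", f);
    fclose(f);

    /* Step 1 of the report: ln -s $HOME/foo /tmp/quit.blend */
    if (symlink(victim, trap) != 0) goto cleanup;

    /* Steps 2-6: Blender's open() succeeds and truncates the victim. */
    fd = open_like_blender(trap);
    if (fd != -1) close(fd);
    result = (fd != -1 && file_size(victim) == 0) ? 1 : 0;

    /* The hardened open() refuses: the path already exists. */
    fd = open_excl(trap, excl_err);
    if (fd != -1) close(fd);

cleanup:
    unlink(trap);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int err = 0;
    int hit = run_symlink_demo(&err);
    printf("Blender-style open wrote through the symlink: %s\n",
           hit == 1 ? "yes" : "no");
    printf("O_EXCL open failed with: %s\n",
           err ? strerror(err) : "(did not fail)");
    return (hit == 1 && err == EEXIST) ? 0 : 1;
}
```

Compile with `cc -o quitdemo quitdemo.c` and run it. The O_EXCL refusal is only half of a fix: the program then still has to decide what to do when quit.blend already exists (pick another name, or write under a directory only this user can reach, which is the report's second suggestion), and on a sticky-bit /tmp it cannot simply unlink a link owned by another user.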