Package: blender
Version: 2.35-1.1
Severity: serious
Tags: security
Hello Masayuki,
It seems there is a trivially exploitable symlink attack in blender:
To reproduce:
1) ln -s $HOME/foo /tmp/quit.blend
2) run blender
3) Create some objects
4) quit blender
5) blender output:
Saved session recovery to /tmp/quit.blend
Blender quit
6) Now $HOME/foo has been written to.
Looking at the code: ./source/blender/blenkernel/intern/blender.c line 666 (no joke):

    /* no undo state to save */
    if(undobase.first==undobase.last) return;

    file = open(str, O_BINARY+O_WRONLY+O_CREAT+O_TRUNC, 0666);
    if(file == -1) {
        printf("Unable to save %s\n", str);
        return;
    }
blender needs to also set O_EXCL when opening the file to prevent
the symlink attack. However it seems a better fix to save this file
in $HOME/.blender: if several users run blender on the same machine,
only the first one will benefit from the /tmp/quit.blend.
Cheers,
--
Bill. <email address hidden>
Imagine a large red swirl here.
-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=fr_FR, LC_CTYPE=fr_FR (charmap=ISO-8859-1)
Versions of packages blender depends on:
ii  gettext        0.14.1-10                    GNU Internationalization utilities
ii  gettext-base   0.14.1-10                    GNU Internationalization utilities
ii  libc6          2.3.2.ds1-20                 GNU C Library: Shared libraries an
ii  libfreetype6   2.1.7-2.3                    FreeType 2 font engine, shared lib
ii  libgcc1        1:3.4.3-9                    GCC support library
ii  libjpeg62      6b-10                        The Independent JPEG Group's JPEG
ii  libopenal0     0.2004090900-1.1             OpenAL is a portable library for 3
ii  libpng12-0     1.2.8rel-1                   PNG library - runtime
ii  libsdl1.2debi  1.2.7+1.2.8cvs20041007-4.1   Simple DirectMedia Layer
ii  libstdc++5     1:3.3.5-8                    The GNU Standard C++ Library v3
ii  libx11-6       4.3.0.dfsg.1-12.0.1          X Window System protocol client li
ii  python2.3      2.3.5-1                      An interactive high-level object-o
ii  xlibmesa-gl [  4.3.0.dfsg.1-12.0.1          Mesa 3D graphics library [XFree86]
ii  xlibmesa-glu   4.3.0.dfsg.1-12.0.1          Mesa OpenGL utility library [XFree
ii  xlibs          4.3.0.dfsg.1-12              X Keyboard Extension (XKB) configu
ii  zlib1g         1:1.2.2-4                    compression library - runtime
-- no debconf information
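The attack and both fixes proposed in the report, as an added worked example. This is not Blender's code and not part of the bug report: it stages the reporter's steps 1 to 6 inside a scratch directory created with mkdtemp() (constructed input, so nothing touches the real /tmp or $HOME), runs the exact open() flags from blender.c against the planted symlink, then runs the O_CREAT|O_EXCL variant against the same path, and finally saves into a freshly created 0700 directory standing in for $HOME/.blender. O_BINARY is assumed to be 0 on POSIX; the helper names (open_vulnerable, open_hardened, ensure_private_dir, demo) are this example's own.

```c
/* Added example (not Blender's code): the symlink attack from the report,
 * the O_EXCL fix, and the per-user directory fix, staged in a scratch
 * directory so nothing touches the real /tmp or $HOME. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_BINARY
#define O_BINARY 0   /* Windows-only flag used by Blender; assumed 0 on POSIX */
#endif

/* The open() pattern from blender.c: without O_EXCL, open() follows a
 * planted symlink and truncates whatever it points at. */
int open_vulnerable(const char *path)
{
    return open(path, O_BINARY | O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* O_CREAT|O_EXCL: open() fails with EEXIST if anything already exists at
 * path, a symlink included, whatever the link points at.  Mode 0600 so the
 * session file is not world-readable either. */
int open_hardened(const char *path)
{
    return open(path, O_BINARY | O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* The report's other fix, a per-user directory such as $HOME/.blender.
 * Returns 0 only if path is now a real directory (not a symlink), owned by
 * the caller and not group/world accessible, so no other user can plant
 * a link inside it. */
int ensure_private_dir(const char *path)
{
    struct stat st;
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != getuid() || (st.st_mode & 0077) != 0)
        return -1;
    return 0;
}

static off_t file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? st.st_size : -1;
}

/* Stages the attack in a scratch directory (constructed input): victim holds
 * data and quit.blend -> victim, as in step 1 of the report.  Returns 1 when
 * the vulnerable open truncates victim through the link, the hardened open
 * refuses the same path with EEXIST, and a save into a fresh private
 * directory succeeds; 0 otherwise. */
int demo(void)
{
    char t1[] = "/tmp/symlink-demo-XXXXXX", t2[] = "./symlink-demo-XXXXXX";
    char victim[512], linkpath[512], priv[512], saved[512];
    const char *data = "precious data\n";
    int fd, truncated = 0, refused = 0, private_ok = 0;

    char *dir = mkdtemp(t1);
    if (!dir) dir = mkdtemp(t2);
    if (!dir) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(linkpath, sizeof linkpath, "%s/quit.blend", dir);
    snprintf(priv, sizeof priv, "%s/.blender", dir);
    snprintf(saved, sizeof saved, "%s/quit.blend", priv);

    /* The user's file the attacker wants clobbered ($HOME/foo in the report). */
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) goto out;
    if (write(fd, data, strlen(data)) != (ssize_t)strlen(data)) { close(fd); goto out; }
    close(fd);

    /* ln -s $HOME/foo /tmp/quit.blend */
    if (symlink(victim, linkpath) != 0) goto out;

    /* Vulnerable: the link is followed and victim is truncated to 0 bytes. */
    fd = open_vulnerable(linkpath);
    truncated = (fd >= 0 && file_size(victim) == 0);
    if (fd >= 0) close(fd);

    /* Hardened: the same path is refused because something already exists. */
    errno = 0;
    fd = open_hardened(linkpath);
    refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);

    /* Per-user directory: an O_EXCL create inside it succeeds on a clean run. */
    if (ensure_private_dir(priv) == 0) {
        fd = open_hardened(saved);
        private_ok = (fd >= 0);
        if (fd >= 0) close(fd);
    }

out:
    unlink(saved); rmdir(priv); unlink(linkpath); unlink(victim); rmdir(dir);
    return truncated && refused && private_ok;
}

int main(void)
{
    int ok = demo();
    printf("vulnerable open followed the link, O_EXCL refused it, "
           "private-dir save succeeded: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Two caveats worth keeping in mind when applying the O_EXCL fix on its own: a quit.blend left over from a previous session now makes the save fail, and unlinking it first just reopens the race in a world-writable /tmp, so the robust choice is either an unpredictable fresh name (mkstemp) or the per-user directory the report suggests, checked as ensure_private_dir() does before trusting it. O_EXCL's guarantee also depends on the filesystem honouring it atomically; the open(2) man page notes that older NFS implementations did not.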