Bug#584621: blender: possible symlink attack

Paul Wise Fri, 04 Jun 2010 23:30:23 -0700

Package: blender
Version: 2.50~alpha~0~svn24834-2
Severity: normal
Tags: security
Forwarded: 
https://projects.blender.org/tracker/index.php?func=detail&aid=22509&group_id=9&atid=498


Blender is subject to symlink attack when the user closes the app
without saving their changes. The consequences are that an attacker
determined file owned by the victim is overwritten with a .blend file,
destroying whatever data was in the file in the process.

Version 2.49.2~dfsg-2 isn't vulnerable to this attack since it uses
~/.blender/quit.blend instead of /tmp/quit.blend. I would suggest this
behaviour be restored before Blender 2.50 is released.

p...@chianamo:~$ sudo ln -s /home/pabs/foo /tmp/quit.blend
[sudo] password for pabs: 
p...@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo
ls: cannot access /home/pabs/foo: No such file or directory
lrwxrwxrwx 1 root root 14 Jun  5 13:51 /tmp/quit.blend -> /home/pabs/foo
p...@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/fooo: ERROR: cannot open `/home/pabs/foo' (No such file or directory)
p...@chianamo:~$ blender 
Ob 'Camera' - Successfully removed 0 keyframes 
*bpy stats* - tot exec: 5728,  tot run: 0.4375sec,  average run: 0.000076sec,  
tot usage 1.4299%
Saved session recovery to /tmp/quit.blend

Blender quit
p...@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo
-rw-r----- 1 pabs pabs 78K Jun  5 13:53 /home/pabs/foo
lrwxrwxrwx 1 root root  14 Jun  5 13:51 /tmp/quit.blend -> /home/pabs/foo
p...@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo:  Blender3D, saved as 64-bits little endian with version 
2.50.0007
p...@chianamo:~$ echo foo > /home/pabs/foo
p...@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo
-rw-r----- 1 pabs pabs  4 Jun  5 14:00 /home/pabs/foo
lrwxrwxrwx 1 root root 14 Jun  5 13:51 /tmp/quit.blend -> /home/pabs/foo
p...@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo:  ASCII text
p...@chianamo:~$ blender 
*bpy stats* - tot exec: 648,  tot run: 0.0677sec,  average run: 0.000104sec,  
tot usage 0.4556%
Saved session recovery to /tmp/quit.blend

Blender quit
p...@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo:  Blender3D, saved as 64-bits little endian with version 
2.50.0007

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

signature.asc
Description: This is a digitally signed message part

Bug#584621: blender: possible symlink attack

Reply via email to