Hi Paul.

Paul Wise <p...@debian.org> (05/06/2010):
> Package: blender
> Version: 2.50~alpha~0~svn24834-2
> Severity: normal
> Tags: security
> Forwarded:
> https://projects.blender.org/tracker/index.php?func=detail&aid=22509&group_id=9&atid=498

Requires authentication. Yay for closed projects.

> Blender is subject to symlink attack when the user closes the app
> without saving their changes. The consequences are that an attacker
> determined file owned by the victim is overwritten with a .blend
> file, destroying whatever data was in the file in the process.
>
> Version 2.49.2~dfsg-2 isn't vulnerable to this attack since it uses
> ~/.blender/quit.blend instead of /tmp/quit.blend. I would suggest
> this behaviour be restored before Blender 2.50 is released.

Known, see NEWS file:
  http://git.debian.org/?p=collab-maint/blender.git;a=blob;f=debian/NEWS;hb=experimental

Mraw,
KiBi.
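The overwrite described in the quoted report, next to a write that refuses to follow a symlink, as an added example that is not part of this thread or of Blender's code. The function names, the payload string and the sandbox directory (created with mkdtemp and standing in for a shared /tmp) are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static const char PAYLOAD[] = "BLENDER-recovery-data"; /* stand-in for .blend data */

/* Vulnerable pattern: fopen() follows a symlink planted at a predictable path. */
int save_naive(const char *path) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fputs(PAYLOAD, f);
    return fclose(f);
}

/* Hardened: O_NOFOLLOW makes open() fail (ELOOP on Linux) if path is a symlink. */
int save_hardened(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, PAYLOAD, sizeof PAYLOAD - 1);
    return (close(fd) == 0 && n == (ssize_t)(sizeof PAYLOAD - 1)) ? 0 : -1;
}

static long size_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario. Result bits: 1 = hardened save refused the symlink,
 * 2 = victim file untouched afterwards, 4 = naive save overwrote the victim. */
int run_demo(void) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", victim[64], link[64];
    int r = 0; FILE *f;
    if (!mkdtemp(dir)) return -1;          /* private 0700 directory */
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/quit.blend", dir);
    if (!(f = fopen(victim, "wb"))) return -1;
    fputs("important", f); fclose(f);      /* 9 bytes of victim data */
    if (symlink(victim, link) != 0) return -1;
    if (save_hardened(link) == -1 && errno == ELOOP) r |= 1;
    if (size_of(victim) == 9) r |= 2;
    if (save_naive(link) == 0 && size_of(victim) != 9) r |= 4;
    unlink(link); unlink(victim); rmdir(dir);
    return r;
}

int main(void) { printf("result bits: %d\n", run_demo()); return 0; }
```

O_NOFOLLOW only guards the final path component; keeping the file in a directory only the user can write to, as the ~/.blender/quit.blend location named in the report does, removes the shared-directory race altogether.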