Package: blender
Version: 2.35-1.1
Severity: serious
Tags: security

Hello Masayuki,

It seems there is a trivially exploitable symlink attack in blender.

To reproduce:

1) ln -s $HOME/foo /tmp/quit.blend
2) run blender
3) Create some objects
4) quit blender
5) blender output:
   Saved session recovery to /tmp/quit.blend
   Blender quit
6) Now $HOME/foo has been written to.

Looking at the code, ./source/blender/blenkernel/intern/blender.c line 666 (no joke):

    /* no undo state to save */
    if(undobase.first==undobase.last) return;

    BLI_make_file_string("/", str, U.tempdir, "quit.blend");
    file = open(str,O_BINARY+O_WRONLY+O_CREAT+O_TRUNC, 0666);
    if(file == -1) {
        printf("Unable to save %s\n", str);
        return;
    }

blender needs to also set O_EXCL when opening the file to prevent the symlink attack. However, it seems a better fix to save this file in $HOME/.blender: if several users run blender on the same machine, only the first one will benefit from the /tmp/quit.blend.

Cheers,
--
Bill. <[EMAIL PROTECTED]>
Imagine a large red swirl here.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=fr_FR, LC_CTYPE=fr_FR (charmap=ISO-8859-1)

Versions of packages blender depends on:
ii  gettext         0.14.1-10                   GNU Internationalization utilities
ii  gettext-base    0.14.1-10                   GNU Internationalization utilities
ii  libc6           2.3.2.ds1-20                GNU C Library: Shared libraries an
ii  libfreetype6    2.1.7-2.3                   FreeType 2 font engine, shared lib
ii  libgcc1         1:3.4.3-9                   GCC support library
ii  libjpeg62       6b-10                       The Independent JPEG Group's JPEG
ii  libopenal0      0.2004090900-1.1            OpenAL is a portable library for 3
ii  libpng12-0      1.2.8rel-1                  PNG library - runtime
ii  libsdl1.2debi   1.2.7+1.2.8cvs20041007-4.1  Simple DirectMedia Layer
ii  libstdc++5      1:3.3.5-8                   The GNU Standard C++ Library v3
ii  libx11-6        4.3.0.dfsg.1-12.0.1         X Window System protocol client li
ii  python2.3       2.3.5-1                     An interactive high-level object-o
ii  xlibmesa-gl [   4.3.0.dfsg.1-12.0.1         Mesa 3D graphics library [XFree86]
ii  xlibmesa-glu    4.3.0.dfsg.1-12.0.1         Mesa OpenGL utility library [XFree
ii  xlibs           4.3.0.dfsg.1-12             X Keyboard Extension (XKB) configu
ii  zlib1g          1:1.2.2-4                   compression library - runtime

-- no debconf information
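Added example, not part of the report and not Blender's own code: a hardened version of the open() call quoted above, using O_EXCL as the report suggests plus O_NOFOLLOW as a second check (assumed to be available on the target platform), together with a hypothetical helper that builds the per-user $HOME/.blender path the report prefers over a shared temp directory. The self-test re-enacts step 1 of the report in a scratch directory: it plants a symlink named quit.blend pointing at a file that must not be touched, then confirms the hardened open refuses the symlink, leaves the target alone, and still creates a fresh file at a clean path.

```c
#define _GNU_SOURCE            /* mkdtemp() and O_NOFOLLOW under strict -std flags */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hardened replacement for the report's open() call.  O_EXCL makes open()
 * fail with EEXIST when the path already exists; on Linux that check applies
 * to the path entry itself, so a pre-planted symlink is refused even if it
 * dangles.  O_NOFOLLOW (assumption: supported by the target OS) refuses
 * symlinks outright, and mode 0600 keeps the session data private. */
static int open_recovery_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Builds "<home>/.blender/quit.blend", the per-user location the report
 * suggests instead of a world-shared temp dir.  Hypothetical helper, not
 * Blender's BLI_make_file_string.  Returns 0 on success, -1 if out is too small. */
static int make_user_recovery_path(const char *home, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/.blender/quit.blend", home);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Re-enacts the report's scenario in a scratch directory.  Returns 0 when all
 * checks pass; a negative value identifies the check that failed. */
static int demo_symlink_defence(void)
{
    char dir[] = "/tmp/quitblend-demo-XXXXXX";   /* constructed scratch dir */
    char victim[128], planted[128], clean[128];
    int rc = 0, fd;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/quit.blend", dir);
    snprintf(clean, sizeof clean, "%s/quit-clean.blend", dir);

    /* Step 1 of the report: a symlink is waiting at the save path. */
    if (symlink(victim, planted) != 0) { rc = -2; goto cleanup; }

    /* Check 1: the hardened open refuses it (EEXIST from O_EXCL, or ELOOP
     * from O_NOFOLLOW, depending on which check the kernel hits first). */
    fd = open_recovery_file(planted);
    if (fd != -1) { close(fd); rc = -3; goto cleanup; }
    if (errno != EEXIST && errno != ELOOP) { rc = -4; goto cleanup; }

    /* Check 2: nothing was created at the symlink's target. */
    if (access(victim, F_OK) == 0) { rc = -5; goto cleanup; }

    /* Check 3: a path with no pre-existing entry is still usable. */
    fd = open_recovery_file(clean);
    if (fd == -1) { rc = -6; goto cleanup; }
    if (write(fd, "BLEND", 5) != 5) rc = -7;
    close(fd);

cleanup:
    unlink(clean);
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void)
{
    char path[256];
    const char *home = getenv("HOME") ? getenv("HOME") : "/nonexistent-home";
    int rc = demo_symlink_defence();

    printf("symlink defence check: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    if (make_user_recovery_path(home, path, sizeof path) == 0)
        printf("per-user recovery path would be: %s\n", path);
    return rc == 0 ? 0 : 1;
}
```

O_EXCL is the fix the report asks for; O_NOFOLLOW only adds defence in depth. One consequence of O_EXCL to plan for: a quit.blend left behind by an earlier session now blocks the save, so the program has to unlink or rename the old file before opening, and moving the file under the user's own home directory also removes the sharing problem the report describes between users of one machine.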