Your message dated Thu, 10 Mar 2005 12:47:18 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#298167: fixed in blender 2.36-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 5 Mar 2005 10:11:25 +0000
Date: Sat, 5 Mar 2005 11:11:13 +0100
From: Bill Allombert <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: blender: insecure writing to /tmp/quit.blender

Package: blender
Version: 2.35-1.1
Severity: serious
Tags: security

Hello Masayuki,

It seems there is a trivially exploitable symlink attack in blender:

To reproduce:
1) ln -s $HOME/foo /tmp/quit.blend
2) run blender
3) Create some objects
4) quit blender
5) blender output:
   Saved session recovery to /tmp/quit.blend

   Blender quit
6) Now $HOME/foo has been written to.

Looking at the code:
./source/blender/blenkernel/intern/blender.c line 666 (no joke):

    /* no undo state to save */
    if(undobase.first==undobase.last) return;

    BLI_make_file_string("/", str, U.tempdir, "quit.blend");

    file = open(str,O_BINARY+O_WRONLY+O_CREAT+O_TRUNC, 0666);
    if(file == -1) {
        printf("Unable to save %s\n", str);
        return;
    }

blender needs to also set O_EXCL when opening the file to prevent the
symlink attack.

However it seems a better fix to save this file in $HOME/.blender:
if several users run blender on the same machine, only the first one
will benefit of the /tmp/quit.blend.

Cheers,
--
Bill. <[EMAIL PROTECTED]>

Imagine a large red swirl here.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=fr_FR, LC_CTYPE=fr_FR (charmap=ISO-8859-1)

Versions of packages blender depends on:
ii  gettext        0.14.1-10                   GNU Internationalization utilities
ii  gettext-base   0.14.1-10                   GNU Internationalization utilities
ii  libc6          2.3.2.ds1-20                GNU C Library: Shared libraries an
ii  libfreetype6   2.1.7-2.3                   FreeType 2 font engine, shared lib
ii  libgcc1        1:3.4.3-9                   GCC support library
ii  libjpeg62      6b-10                       The Independent JPEG Group's JPEG
ii  libopenal0     0.2004090900-1.1            OpenAL is a portable library for 3
ii  libpng12-0     1.2.8rel-1                  PNG library - runtime
ii  libsdl1.2debi  1.2.7+1.2.8cvs20041007-4.1  Simple DirectMedia Layer
ii  libstdc++5     1:3.3.5-8                   The GNU Standard C++ Library v3
ii  libx11-6       4.3.0.dfsg.1-12.0.1         X Window System protocol client li
ii  python2.3      2.3.5-1                     An interactive high-level object-o
ii  xlibmesa-gl [  4.3.0.dfsg.1-12.0.1         Mesa 3D graphics library [XFree86]
ii  xlibmesa-glu   4.3.0.dfsg.1-12.0.1         Mesa OpenGL utility library [XFree
ii  xlibs          4.3.0.dfsg.1-12             X Keyboard Extension (XKB) configu
ii  zlib1g         1:1.2.2-4                   compression library - runtime

-- no debconf information

---------------------------------------
Received: (at 298167-close) by bugs.debian.org; 10 Mar 2005 17:53:09 +0000
From: Masayuki Hatta (mhatta) <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#298167: fixed in blender 2.36-1
Date: Thu, 10 Mar 2005 12:47:18 -0500

Source: blender
Source-Version: 2.36-1

We believe that the bug you reported is fixed in the latest version of
blender, which is due to be installed in the Debian FTP archive:

blender_2.36-1.diff.gz
  to pool/main/b/blender/blender_2.36-1.diff.gz
blender_2.36-1.dsc
  to pool/main/b/blender/blender_2.36-1.dsc
blender_2.36-1_i386.deb
  to pool/main/b/blender/blender_2.36-1_i386.deb
blender_2.36.orig.tar.gz
  to pool/main/b/blender/blender_2.36.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Masayuki Hatta (mhatta) <[EMAIL PROTECTED]> (supplier of updated blender package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 11 Mar 2005 00:55:14 +0900
Source: blender
Binary: blender
Architecture: source i386
Version: 2.36-1
Distribution: unstable
Urgency: high
Maintainer: Masayuki Hatta (mhatta) <[EMAIL PROTECTED]>
Changed-By: Masayuki Hatta (mhatta) <[EMAIL PROTECTED]>
Description:
 blender - Very fast and versatile 3D modeller/renderer
Closes: 285578 288882 288883 298167
Changes:
 blender (2.36-1) unstable; urgency=high
 .
   * The "Back From The Gig" release.
   * Urgency is set to high, since this release fixes a security issue.
     Woody doesn't have free Blender.
   * [02_fix_insecure_writing_to_quit_blend] added a dpatch to prevent a
     symlink attack - closes: #298167
   * New upstream release - closes: #288883
   * Acknowledged NMU, sorry for delay and thanks guys - closes: #288882
   * Now fully updates the plugins every time blender is launched - closes: #285578
Files:
 5c78abcbfe5277a84d951a345ca7c4ac 736 graphics optional blender_2.36-1.dsc
 8e2237c86b12e6061935632495aec875 6912828 graphics optional blender_2.36.orig.tar.gz
 5cb1bb355513b45b618f169544cc4029 12285 graphics optional blender_2.36-1.diff.gz
 95e3594d330cf86e15b873b02573e159 3932958 graphics optional blender_2.36-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCMIHBy2+jQOcHWlQRAg5KAKC/1/r5BnO6+d1aQPBZuF6AWZoXFACgoIDW
7zWzUMl5YFTOdWMR3OcatFM=
=kfjy
-----END PGP SIGNATURE-----
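
The open() flags quoted in the report, set beside a variant that adds O_EXCL as the report suggests. This is an added example, not Blender's code and not the Debian dpatch; the names open_reported, open_exclusive and target_size_after, the scratch directory, and the unlink-before-create step are assumptions of the sketch, and the non-POSIX O_BINARY flag is left out.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags as in the report: follows a planted symlink and truncates its target. */
static int open_reported(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* O_EXCL: open() fails (EEXIST) if anything, even a symlink, is at the path.
 * Assumption of this sketch: drop a stale entry first; unlink() follows no link. */
static int open_exclusive(const char *path) {
    if (unlink(path) == -1 && errno != ENOENT)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario: quit.blend is a symlink to a 6-byte file "foo" in a
 * scratch directory. Opens quit.blend with `opener`, returns foo's new size. */
static long target_size_after(int (*opener)(const char *)) {
    char dir[] = "/tmp/symdemo.XXXXXX", foo[64], quit[64];
    struct stat st;
    long size = -1;
    int fd;
    if (!mkdtemp(dir))
        return -1;
    snprintf(foo, sizeof foo, "%s/foo", dir);
    snprintf(quit, sizeof quit, "%s/quit.blend", dir);
    fd = open(foo, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd != -1 && write(fd, "secret", 6) == 6 && !close(fd) && !symlink(foo, quit)) {
        if ((fd = opener(quit)) != -1)
            close(fd);
        if (stat(foo, &st) == 0)
            size = (long)st.st_size;
    }
    unlink(quit);
    unlink(foo);
    rmdir(dir);
    return size;
}

int main(void) {
    printf("reported flags: foo is %ld bytes; with O_EXCL: foo is %ld bytes\n",
           target_size_after(open_reported), target_size_after(open_exclusive));
    return 0;
}
```

In a sticky directory such as /tmp, unlink() on an entry owned by another user fails, so open_exclusive returns -1 there instead of writing through the link.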