ubuntustudio-bugs team mailing list archive

[Bug 6671] Re: insecure file access (breezy, dapper, edgy, gutsy, hardy, intrepid)

 

Launchpad has imported 17 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=444535.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2008-04-28T22:16:05+00:00 Lubomir wrote:

Common Vulnerabilities and Exposures assigned an identifier
CVE-2008-1103 to the following vulnerability:

Multiple unspecified vulnerabilities in Blender have unknown impact and
attack vectors, related to "temporary file issues."

References:

http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00011.html
http://www.securityfocus.com/bid/28936

Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/15

------------------------------------------------------------------------
On 2008-05-07T09:46:22+00:00 Tomas wrote:

Noted in SuSE advisory:

  Since we do not think that Blender is not used in security critical settings
  with network input data we fixed this problem only for future products.

The temporary file issue is not currently fixed in SuSE packages.


Further details regarding this are covered in Ubuntu and Debian bug reports:

https://bugs.launchpad.net/ubuntu/+source/blender/+bug/6671
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=298167

Problematic files in /tmp are:
- /tmp/quit.blend
- /tmp/0001.jpg, /tmp/0002.jpg, ...


First issue seems to have been fixed in the past in Debian packages, first using
O_EXCL in open(), later replaced with move of temporary directory to user's
$HOME.  Debian patches attached in following comments.


Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/24

------------------------------------------------------------------------
On 2008-05-07T09:48:48+00:00 Tomas wrote:

Created attachment 304747
First Debian patch

Occurred in:

http://packages.debian.org/changelogs/pool/main/b/blender/blender_2.45-5/changelog#versionversion2.36-1

Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/25

------------------------------------------------------------------------
On 2008-05-07T09:50:30+00:00 Tomas wrote:

Created attachment 304748
Second Debian patch

Moves quit.blend to $HOME, first occurred in:

http://packages.debian.org/changelogs/pool/main/b/blender/blender_2.45-5/changelog#versionversion2.37a-1

Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/26

------------------------------------------------------------------------
On 2008-05-07T16:14:36+00:00 Jochen wrote:

I have checked in blender-2.45rc3 on rawhide. On this version I could apply the
first patch, but the second one failed. Perhaps someone could have a look at it,
because I have no idea how I should modify this patch for the next blender
release.

Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/27

------------------------------------------------------------------------
On 2008-05-07T16:33:59+00:00 Tomas wrote:

Jochen, I believe either one of the Debian patches should be sufficient to
address quit.blend issue.  Does it also address the other issue with 000X.jpg?

Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/28

------------------------------------------------------------------------
On 2008-05-07T16:37:05+00:00 Jochen wrote:

Maybe. Unfortunately, I'm unsure and have contacted upstream.

I think I should build a package for rawhide with the first Debian patch and
wait for the response from upstream.

Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/29

------------------------------------------------------------------------
On 2008-05-07T17:51:56+00:00 Tomas wrote:

Second issue -- /tmp/000X.jpg -- still affects new blender-2.45-14 packages,
confirmed with blender-2.45-14.fc8.

Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/30

------------------------------------------------------------------------
On 2008-06-09T15:47:28+00:00 Tomas wrote:

Secunia assigned CVE id CVE-2008-1103 to the Multiple Temporary File Security
Issues and the description is now available here:

  http://secunia.com/advisories/29842/

  [ ... ]

  The security issues are caused due to Blender handling temporary files in
  an insecure manner (e.g. creating "/tmp/quit.blend" when quitting Blender,
  using easy to guess file names and insecure file permissions to store
  temporary render frames, and insecure file permission when auto saving
  files). This can be exploited to e.g. conduct symlink attacks and overwrite
  arbitrary files with the permissions of the user running Blender or
  disclose potentially sensitive information.

Besides the two issues already described in comment #1, there is a third
issue covered by this CVE id:

- insecure file permission for auto saved files


Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/31

------------------------------------------------------------------------
On 2009-01-15T15:54:56+00:00 Stefan wrote:

There is still an issue with regard to the /tmp/000x.jpg files being
created, which could cause symlink attacks. Is anyone addressing this, or
does anyone know if it has been addressed?

Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/35

------------------------------------------------------------------------
On 2009-01-15T19:09:54+00:00 Jochen wrote:

I'm to get a anser of the bf-commiter mailing list.

Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/37

------------------------------------------------------------------------
On 2009-01-15T19:11:30+00:00 Jochen wrote:

Sorry, I would write: 'I'm trying to get an answer on the bf-commiter
mailing list'

Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/38

------------------------------------------------------------------------
On 2009-01-15T19:17:53+00:00 Jochen wrote:

I have got the following answer:

"People can change the temp path in user settings if they disagree with
the default value."

But I think this is not the expected solution, so I have poked again on
bf-commiters.

Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/39

------------------------------------------------------------------------
On 2009-01-15T19:26:56+00:00 Stefan wrote:

Thanks for chasing this Jochen. I agree with you, I don't think it is
great default behaviour and default should be somewhere more sane.

I also opened a bug on the blender bug tracker
http://projects.blender.org/tracker/index.php?func=detail&aid=18174&group_id=9&atid=125

Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/40

------------------------------------------------------------------------
On 2009-10-23T19:05:03+00:00 Red wrote:

Reporter changed to security-response-team@xxxxxxxxxx by request of Jay
Turner.

Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/44

------------------------------------------------------------------------
On 2010-06-05T18:24:57+00:00 Jan wrote:

Stefan, Jochen,

(In reply to comment #16)
> Thanks for chasing this Jochen. I agree with you, I don't think it is great
> default behaviour and default should be somewhere more sane.
> 
> I also opened a bug on the blender bug tracker
> http://projects.blender.org/tracker/index.php?func=detail&aid=18174&group_id=9&atid=125    

Was this second issue solved yet? (I don't seem to be able to access the
above ticket, as I'm getting "Invalid Artifact ID").

Thanks, Jan.

Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/45

------------------------------------------------------------------------
On 2010-06-07T11:48:03+00:00 Stefan wrote:

Hi,

I'm not sure if this issue was ever solved. Don't remember getting an
update, and I am getting the same error as you.  I guess it doesn't help
either that search is disabled...

Stefan

Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/46


** Changed in: blender (Fedora)
       Status: Fix Committed => Invalid

** Changed in: blender (Fedora)
   Importance: Unknown => Low


Title:
  insecure file access (breezy, dapper, edgy, gutsy, hardy, intrepid)

Status in Blender:
  Incomplete
Status in blender package in Ubuntu:
  Fix Released
Status in blender package in Debian:
  Fix Released
Status in blender package in Fedora:
  Invalid

Bug description:
  Reproduced in versions:
      2.37a-1ubuntu1.1 (breezy?)
      2.41-1ubuntu4 (dapper)
      2.42a-linux-glibc232-py24-i386-static (blender.org binary)
      2.42a-1ubuntu1.1 (edgy)
      2.44-2ubuntu2 (gutsy)
      2.45-4ubuntu1 (hardy)
      2.46+dfsg-4 (intrepid)

  
  Blender writes to files in /tmp/ in an insecure fashion. For example, launching blender and then selecting "Render > Render Animation", writes to the file /tmp/0001.jpg.

  This can be exploited by a malicious user to overwrite arbitrary files
  of another user using blender:

  mallory@myhost$ ln -s /home/bob/thesis.tex /tmp/0001.jpg
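
The following is an added example, not part of the original report and not Blender's or Debian's code: it reproduces the predictable-name write described above inside a private scratch directory and compares it with the O_EXCL style of open() that the thread mentions as the first Debian fix. The function names, the scratch directory and the file contents are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the report: predictable name, existing symlink is followed. */
static int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* O_CREAT|O_EXCL fails with EEXIST if anything, even a symlink, already
 * exists at the path; mode 0600 keeps the new file private to the user. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Returns 1 if the victim file was overwritten through the planted
 * symlink, 0 if it survived intact, -1 on setup failure. */
int victim_clobbered(int hardened) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";   /* constructed sandbox */
    char victim[64], frame[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/thesis.tex", dir);
    snprintf(frame, sizeof frame, "%s/0001.jpg", dir);

    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important data\n", f);               /* 15 bytes */
    fclose(f);
    if (symlink(victim, frame) != 0) return -1; /* pre-planted link */

    int fd = hardened ? open_exclusive(frame) : open_predictable(frame);
    if (fd >= 0) {
        if (write(fd, "JPEG", 4) < 0) perror("write");
        close(fd);
    }
    int rc = stat(victim, &st) == 0 ? (st.st_size != 15) : -1;
    unlink(frame); unlink(victim); rmdir(dir);
    return rc;
}

int main(void) {
    printf("predictable open: clobbered=%d\n", victim_clobbered(0));
    printf("O_CREAT|O_EXCL:   clobbered=%d\n", victim_clobbered(1));
    return 0;
}
```

With the exclusive open, the write is refused rather than redirected, so the caller has to handle the failure by choosing another name or aborting. mkstemp() in a per-user directory avoids the predictable name altogether.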
