Your message dated Tue, 06 Sep 2005 23:02:07 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#298167: fixed in blender 2.37a-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Date: Sat, 5 Mar 2005 11:11:13 +0100
From: Bill Allombert <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: blender: insecure writing to /tmp/quit.blender
Package: blender
Version: 2.35-1.1
Severity: serious
Tags: security

Hello Masayuki,

It seems there is a trivially exploitable symlink attack in blender:

To reproduce:
1) ln -s $HOME/foo /tmp/quit.blend
2) run blender
3) Create some objects
4) quit blender
5) blender output:
   Saved session recovery to /tmp/quit.blend
   Blender quit
6) Now $HOME/foo has been written to.

Looking at the code:
./source/blender/blenkernel/intern/blender.c line 666 (no joke):

    /* no undo state to save */
    if(undobase.first==undobase.last) return;

    BLI_make_file_string("/", str, U.tempdir, "quit.blend");

    file = open(str,O_BINARY+O_WRONLY+O_CREAT+O_TRUNC, 0666);
    if(file == -1) {
        printf("Unable to save %s\n", str);
        return;
    }

blender needs to also set O_EXCL when opening the file to prevent
the symlink attack. However it seems a better fix to save this file
in $HOME/.blender: if several users run blender on the same machine,
only the first one will benefit from the /tmp/quit.blend.

Cheers,
--
Bill. <[EMAIL PROTECTED]>
Imagine a large red swirl here.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=fr_FR, LC_CTYPE=fr_FR (charmap=ISO-8859-1)
Versions of packages blender depends on:
ii gettext 0.14.1-10 GNU Internationalization utilities
ii gettext-base 0.14.1-10 GNU Internationalization utilities
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libfreetype6 2.1.7-2.3 FreeType 2 font engine, shared lib
ii libgcc1 1:3.4.3-9 GCC support library
ii libjpeg62 6b-10 The Independent JPEG Group's JPEG
ii libopenal0 0.2004090900-1.1 OpenAL is a portable library for 3
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libsdl1.2debi 1.2.7+1.2.8cvs20041007-4.1 Simple DirectMedia Layer
ii libstdc++5 1:3.3.5-8 The GNU Standard C++ Library v3
ii libx11-6 4.3.0.dfsg.1-12.0.1 X Window System protocol client li
ii python2.3 2.3.5-1 An interactive high-level object-o
ii xlibmesa-gl [ 4.3.0.dfsg.1-12.0.1 Mesa 3D graphics library [XFree86]
ii xlibmesa-glu 4.3.0.dfsg.1-12.0.1 Mesa OpenGL utility library [XFree
ii xlibs 4.3.0.dfsg.1-12 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4 compression library - runtime
-- no debconf information
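
The difference between the open() flags quoted in the report and the O_EXCL variant it asks for, as an added example that is not part of the original report or of Blender's source. The names open_unsafe, open_excl and run_case and the sandbox paths are hypothetical, and O_BINARY is left out because it is not a POSIX flag.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags from the report (O_BINARY dropped: not POSIX). Follows a planted symlink. */
static int open_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* With O_CREAT|O_EXCL, open() fails with EEXIST if the name exists, even as a symlink. */
static int open_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed sandbox: <dir>/foo holds 8 bytes, <dir>/quit.blend is a symlink to it.
   Returns foo's size after the open attempt (-2 on setup failure); *err gets errno. */
long run_case(int use_excl, int *err) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    char victim[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return -2;
    snprintf(victim, sizeof victim, "%s/foo", dir);
    snprintf(lnk, sizeof lnk, "%s/quit.blend", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("precious", f) < 0 || fclose(f) != 0) return -2;
    if (symlink(victim, lnk) != 0) return -2;
    int fd = use_excl ? open_excl(lnk) : open_unsafe(lnk);
    *err = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -2;
    unlink(lnk);
    unlink(victim);
    rmdir(dir);
    return size;
}

int main(void) {
    int err;
    long size = run_case(0, &err);
    printf("O_CREAT|O_TRUNC: foo is now %ld bytes\n", size);
    size = run_case(1, &err);
    printf("O_CREAT|O_EXCL:  foo is still %ld bytes (%s)\n", size, strerror(err));
    return 0;
}
```

With O_EXCL the pre-existing link turns the save into a failed open rather than a write through the link; the caller still has to handle that failure, for example by choosing a per-user location.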
---------------------------------------
From: Masayuki Hatta (mhatta) <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#298167: fixed in blender 2.37a-1
Date: Tue, 06 Sep 2005 23:02:07 -0700
Source: blender
Source-Version: 2.37a-1
We believe that the bug you reported is fixed in the latest version of
blender, which is due to be installed in the Debian FTP archive:

blender_2.37a-1.diff.gz
  to pool/main/b/blender/blender_2.37a-1.diff.gz
blender_2.37a-1.dsc
  to pool/main/b/blender/blender_2.37a-1.dsc
blender_2.37a-1_i386.deb
  to pool/main/b/blender/blender_2.37a-1_i386.deb
blender_2.37a.orig.tar.gz
  to pool/main/b/blender/blender_2.37a.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Masayuki Hatta (mhatta) <[EMAIL PROTECTED]> (supplier of updated blender
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 6 Sep 2005 17:52:51 +0900
Source: blender
Binary: blender
Architecture: source i386
Version: 2.37a-1
Distribution: unstable
Urgency: low
Maintainer: Masayuki Hatta (mhatta) <[EMAIL PROTECTED]>
Changed-By: Masayuki Hatta (mhatta) <[EMAIL PROTECTED]>
Description:
blender - Very fast and versatile 3D modeller/renderer
Closes: 285577 298167 304567 313676 316524 319307
Changes:
blender (2.37a-1) unstable; urgency=low
.
* Works had been done at Codefest Asia 2005 in Colombo, Sri Lanka.
* New upstream release - closes: #316524
* Bumped Standards-Version 3.6.2.1 (no physical changes).
* Now the package include blenderplayer - closes: #304567
* Now it should be built on amd64 with gcc-4.0 - closes: #285577, #319307
* Now quit.blend is created in the user's homedir - closes: #298167
* Fixed de.po - closes: #313676
Files:
1cad4af1a7c382dac16d089a30bceea7 740 graphics optional blender_2.37a-1.dsc
2af6afdb01c1d297c43602982d9a919c 7885589 graphics optional blender_2.37a.orig.tar.gz
ae9f4939702135e2b738e26b88886736 3388 graphics optional blender_2.37a-1.diff.gz
4a1b7a229e084686024e76545a00c91d 4239716 graphics optional blender_2.37a-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDHnxNy2+jQOcHWlQRAuMAAJ924sjh9SrQWhSMCvblyAHVdp3EtwCgoBHF
uk8ORn3vzHQbBGTJ97mI7WM=
=DBe9
-----END PGP SIGNATURE-----