Your message dated Tue, 5 Aug 2014 16:02:29 +0200
with message-id <20140805140229.ga5...@nx6125.studiovescovi.eu>
and subject line Re: blender: possible symlink attack
has caused the Debian Bug report #584621,
regarding blender: possible symlink attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
584621: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584621
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: blender
Version: 2.50~alpha~0~svn24834-2
Severity: normal
Tags: security
Forwarded: https://projects.blender.org/tracker/index.php?func=detail&aid=22509&group_id=9&atid=498

Blender is subject to symlink attack when the user closes the app
without saving their changes. The consequences are that an
attacker-determined file owned by the victim is overwritten with a
.blend file, destroying whatever data was in the file in the process.

Version 2.49.2~dfsg-2 isn't vulnerable to this attack since it uses
~/.blender/quit.blend instead of /tmp/quit.blend. I would suggest this
behaviour be restored before Blender 2.50 is released.

pabs@chianamo:~$ sudo ln -s /home/pabs/foo /tmp/quit.blend
[sudo] password for pabs:
pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo
ls: cannot access /home/pabs/foo: No such file or directory
lrwxrwxrwx 1 root root 14 Jun 5 13:51 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/fooo: ERROR: cannot open `/home/pabs/foo' (No such file or directory)
pabs@chianamo:~$ blender
Ob 'Camera' - Successfully removed 0 keyframes
*bpy stats* - tot exec: 5728, tot run: 0.4375sec, average run: 0.000076sec, tot usage 1.4299%
Saved session recovery to /tmp/quit.blend
Blender quit
pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo
-rw-r----- 1 pabs pabs 78K Jun 5 13:53 /home/pabs/foo
lrwxrwxrwx 1 root root 14 Jun 5 13:51 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo: Blender3D, saved as 64-bits little endian with version 2.50.0007
pabs@chianamo:~$ echo foo > /home/pabs/foo
pabs@chianamo:~$ ls -l /tmp/quit.blend /home/pabs/foo
-rw-r----- 1 pabs pabs 4 Jun 5 14:00 /home/pabs/foo
lrwxrwxrwx 1 root root 14 Jun 5 13:51 /tmp/quit.blend -> /home/pabs/foo
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo: ASCII text
pabs@chianamo:~$ blender
*bpy stats* - tot exec: 648, tot run: 0.0677sec, average run: 0.000104sec, tot usage 0.4556%
Saved session recovery to /tmp/quit.blend
Blender quit
pabs@chianamo:~$ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo: Blender3D, saved as 64-bits little endian with version 2.50.0007

--
bye,
pabs

http://wiki.debian.org/PaulWise
--- End Message ---
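The overwrite shown in the report above, reproduced inside a private scratch directory next to one hardened way of saving a recovery file. This is an added example, not Blender's code and not the upstream fix; the function names, the scratch directory name and the file contents are constructed.

```c
/* Added example, not Blender's code; names and paths are constructed. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Behaviour in the report: open() follows a symlink planted at `path`. */
int save_unsafe(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    return (close(fd) == 0 && n == (ssize_t)strlen(data)) ? 0 : -1;
}

/* Hardened: mkstemp() creates a new 0600 file with O_EXCL beside `path`;
 * rename() then replaces a symlink at `path` itself, never its target. */
int save_safe(const char *path, const char *data) {
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    if (close(fd) != 0 || n != (ssize_t)strlen(data) || rename(tmp, path) != 0) {
        unlink(tmp); return -1;
    }
    return 0;
}

/* Constructed scenario in a private mkdtemp() directory: quit.blend is a symlink
 * to a "victim" file. Returns 1 if the victim survived, 0 if overwritten, -1 on error. */
int victim_survives(int (*save)(const char *, const char *)) {
    char dir[] = "/tmp/symlink-demo.XXXXXX", victim[64], target[64], buf[16];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(target, sizeof target, "%s/quit.blend", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("foo\n", f) < 0 || fclose(f) != 0) return -1;
    if (symlink(victim, target) != 0) return -1;
    save(target, "constructed recovery data");
    if (!(f = fopen(victim, "r"))) return -1;
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f);
    unlink(target); unlink(victim); rmdir(dir);
    return strcmp(buf, "foo\n") == 0;
}

int main(void) {
    printf("unsafe=%d safe=%d\n", victim_survives(save_unsafe), victim_survives(save_safe));
}
```

In a sticky directory such as /tmp, rename() over an entry owned by another user fails, so save_safe reports an error there instead of touching the link target. Saving under a per-user directory, as 2.49.2 did with ~/.blender/quit.blend, avoids the shared namespace altogether.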
--- Begin Message ---
Package: blender
Version: 2.71+dfsg0-1
Followup-For: Bug #584621

Today I've contacted upstream developers (via IRC channel on Freenode)
and asked about this long-lasting security bug.

They pointed me to:

https://developer.blender.org/rB367722470aa2eada43614cd558f468b4beea851d

where it's clear that the issue has been fixed with that commit.

So, I'm (finally) closing this bug report.

Cheers.

--
Matteo F. Vescovi | Debian Maintainer
GnuPG KeyID: 4096R/0x8062398983B2CF7A
--- End Message ---