Hi Paul, On 5 September 2012 16:23, Paul Wise <p...@debian.org> wrote: > Sorry I didn't notice this bug closing, but did you check that this > problem was fixed? It certainly is not fixed on wheezy (see below).
At the time of triaging this bug, I did a test and the bug did appear to me. But now I realize that it isn't fixed as I didn't understood the process to reproduce it (ie. I didn't create the symbolic link *before* running blender) > This bug has occurred and been fixed before (#298167) and it is a bit > disappointing that it was fixed in 2.37a-1 and then again by a different > maintainer and the maintainer after that didn't preserve those fixes. As far as i remember it as been dropped on 2.50-alpha because the debian patch was a bit hacky : - the blender executable was wrapped by a script that checked ~/.blender directory existence and created this directory otherwise. - there was also a debian patch that made blender save the quit.blend in the ~/.blender directory. I've spent some time and try to produce a decent patch without result and as i didn't manage to reproduce the bug, i didn't try further (my bad :-( ). > Security team, can we get a CVE assigned for this? Perhaps that would > get people to fix it for good. The consequences are arbitrary file > creation or overwrite on a multi-user system: > > pabs@chianamo ~ $ dpkg -l blender > Desired=Unknown/Install/Remove/Purge/Hold > | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend > |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) > ||/ Name Version Architecture > Description > +++-=============================-===================-===================-=============================================================== > ii blender 2.63a-1 amd64 > Very fast and versatile 3D modeller/renderer > pabs@chianamo ~ $ sudo ln -s /home/pabs/foo /tmp/quit.blend > pabs@chianamo ~ $ ls -l /tmp/quit.blend /home/pabs/foo > ls: cannot access /home/pabs/foo: No such file or directory > lrwxrwxrwx 1 root root 14 Sep 5 22:01 /tmp/quit.blend -> /home/pabs/foo > pabs@chianamo ~ $ file /tmp/quit.blend /home/pabs/foo > /tmp/quit.blend: broken symbolic link to `/home/pabs/foo' > /home/pabs/foo: ERROR: cannot open `/home/pabs/foo' (No such file or > directory) > pabs@chianamo ~ $ blender > > Blender quit > pabs@chianamo ~ $ blender > Saved session recovery to /tmp/quit.blend > > Blender quit > pabs@chianamo ~ $ ls -l /tmp/quit.blend /home/pabs/foo > -rw-r----- 1 pabs pabs 170K Sep 5 22:02 /home/pabs/foo > lrwxrwxrwx 1 root root 14 Sep 5 22:01 /tmp/quit.blend -> /home/pabs/foo > pabs@chianamo ~ $ file /tmp/quit.blend /home/pabs/foo > /tmp/quit.blend: symbolic link to `/home/pabs/foo' > /home/pabs/foo: Blender3D, saved as 64-bits little endian with version 2.63 > pabs@chianamo ~ $ echo foo > /home/pabs/foo > pabs@chianamo ~ $ ls -l /tmp/quit.blend /home/pabs/foo > -rw-r----- 1 pabs pabs 4 Sep 5 22:03 /home/pabs/foo > lrwxrwxrwx 1 root root 14 Sep 5 22:01 /tmp/quit.blend -> /home/pabs/foo > pabs@chianamo ~ $ file /tmp/quit.blend /home/pabs/foo > /tmp/quit.blend: symbolic link to `/home/pabs/foo' > /home/pabs/foo: ASCII text > pabs@chianamo ~ $ blender > Saved session recovery to /tmp/quit.blend > > Blender quit > pabs@chianamo ~ $ file /tmp/quit.blend /home/pabs/foo > /tmp/quit.blend: symbolic link to `/home/pabs/foo' > /home/pabs/foo: Blender3D, saved as 64-bits little endian with version 2.63 > -- Kevin Roy blog.knokorpo.fr _______________________________________________ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
