Launchpad has imported 17 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=444535.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking. ------------------------------------------------------------------------ On 2008-04-28T22:16:05+00:00 Lubomir wrote: Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1103 to the following vulnerability: Multiple unspecified vulnerabilities in Blender have unknown impact and attack vectors, related to "temporary file issues." References: http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00011.html http://www.securityfocus.com/bid/28936 Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/15 ------------------------------------------------------------------------ On 2008-05-07T09:46:22+00:00 Tomas wrote: Noted in SuSE advisory: Since we do not think that Blender is not used in security critical settings with network input data we fixed this problem only for future products. The temporary file issue is not currently fixed in SuSE packages. Further details regarding this are covered in Ubuntu and Debian bug reports: https://bugs.launchpad.net/ubuntu/+source/blender/+bug/6671 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=298167 Problematic files in /tmp are: - /tmp/quit.blend - /tmp/0001.jpg, /tmp/0002.jpg, ... First issue seems to have been fixed in the past in Debian packages, first using O_EXCL in open(), later replaced with move of temporary directory to user's $HOME. Debian patches attached in following comments. Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/24 ------------------------------------------------------------------------ On 2008-05-07T09:48:48+00:00 Tomas wrote: Created attachment 304747 First Debian patch Occurred in: http://packages.debian.org/changelogs/pool/main/b/blender/blender_2.45-5/changelog#versionversion2.36-1 Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/25 ------------------------------------------------------------------------ On 2008-05-07T09:50:30+00:00 Tomas wrote: Created attachment 304748 Second Debian patch Moves quit.blend to $HOME, first occurred in: http://packages.debian.org/changelogs/pool/main/b/blender/blender_2.45-5/changelog#versionversion2.37a-1 Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/26 ------------------------------------------------------------------------ On 2008-05-07T16:14:36+00:00 Jochen wrote: I have checkin blender-2.45rc3 on rawhide. On this version I could apply the first patch, but the second one failed. Perhaps anyone may have a look on it, bacause I have no idea how I should modified this patch for the next blender release. Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/27 ------------------------------------------------------------------------ On 2008-05-07T16:33:59+00:00 Tomas wrote: Jochen, I believe either one of the Debian patches should be sufficient to address quit.blend issue. Does it also address the other issue with 000X.jpg? Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/28 ------------------------------------------------------------------------ On 2008-05-07T16:37:05+00:00 Jochen wrote: Maybe, Unfortunately, I'm unsure and have contact the updatream. I think, I should build a package for rawhinde with the first debian patch and wait on the response of the upstream. Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/29 ------------------------------------------------------------------------ On 2008-05-07T17:51:56+00:00 Tomas wrote: Second issue -- /tmp/000X.jpg -- still affects new blender-2.45-14 packages, confirmed with blender-2.45-14.fc8. Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/30 ------------------------------------------------------------------------ On 2008-06-09T15:47:28+00:00 Tomas wrote: Secunia assigned CVE id CVE-2008-1103 to the Multiple Temporary File Security Issues and the description is now available here: http://secunia.com/advisories/29842/ [ ... ] The security issues are caused due to Blender handling temporary files in an insecure manner (e.g. creating "/tmp/quit.blend" when quitting Blender, using easy to guess file names and insecure file permissions to store temporary render frames, and insecure file permission when auto saving files). This can be exploited to e.g. conduct symlink attacks and overwrite arbitrary files with the permissions of the user running Blender or disclose potentially sensitive information. Besides the two issue already described in the comment #1, there is the third issue covered by this CVE id: - insecure file permission for auto saved files Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/31 ------------------------------------------------------------------------ On 2009-01-15T15:54:56+00:00 Stefan wrote: There is still an issue with regards to the /tmp/000x.jpg files being created which could cause symlinks attacks. Is anyone addressing this or know if it has been addressed? Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/35 ------------------------------------------------------------------------ On 2009-01-15T19:09:54+00:00 Jochen wrote: I'm to get a anser of the bf-commiter mailing list. Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/37 ------------------------------------------------------------------------ On 2009-01-15T19:11:30+00:00 Jochen wrote: Sorry, I would write: 'I'm trying to get an answer on the bf-commiter mailing list' Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/38 ------------------------------------------------------------------------ On 2009-01-15T19:17:53+00:00 Jochen wrote: I have got the following anser: "People can change the temp path in user settings if they disagree with the default value." But I think this is not the expected solution, so I have poke again on bf-commiters. Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/39 ------------------------------------------------------------------------ On 2009-01-15T19:26:56+00:00 Stefan wrote: Thanks for chasing this Jochen. I agree with you, I don't think it is great default behaviour and default should be somewhere more sane. I also opened a bug on the blender bug tracker http://projects.blender.org/tracker/index.php?func=detail&aid=18174&group_id=9&atid=125 Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/40 ------------------------------------------------------------------------ On 2009-10-23T19:05:03+00:00 Red wrote: Reporter changed to security-response-t...@redhat.com by request of Jay Turner. Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/44 ------------------------------------------------------------------------ On 2010-06-05T18:24:57+00:00 Jan wrote: Stefan, Jochen, (In reply to comment #16) > Thanks for chasing this Jochen. I agree with you, I don't think it is great > default behaviour and default should be somewhere more sane. > > I also opened a bug on the blender bug tracker > http://projects.blender.org/tracker/index.php?func=detail&aid=18174&group_id=9&atid=125 > Was this second issue solved yet? (I doesn't seem to be able to access above ticket, as getting "Invalid Artifact ID"). Thanks, Jan. Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/45 ------------------------------------------------------------------------ On 2010-06-07T11:48:03+00:00 Stefan wrote: Hi, Im not sure if this issue was ever solved. Don't remember getting an update, and I am getting the same error as you. I guess it doesn't help either that search is disabled... Stefan Reply at: https://bugs.launchpad.net/blender/+bug/6671/comments/46 ** Changed in: blender (Fedora) Status: Fix Committed => Invalid ** Changed in: blender (Fedora) Importance: Unknown => Low -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/6671 Title: insecure file access (breezy, dapper, edgy, gutsy, hardy, intrepid) To manage notifications about this bug go to: https://bugs.launchpad.net/blender/+bug/6671/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs