Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2010-5105 blender: Insecure temporary file use by creating file string in undo save quit Blender kernel routine|
|Product:||[Other] Security Response||Reporter:||Jan Lieskovsky <jlieskov>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:|
|Version:||unspecified||CC:||hobbes1069, jochen, jrusnack, kwizart, luigiwalser, mmcallis, promac|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2014-04-28 15:30:34 EDT||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||855093|
Description Jan Lieskovsky 2012-09-06 12:29:43 EDT
An insecure temporary file use flaw was found in the way 'undo save quit' routine of Blender kernel of Blender, a 3D modeling, animation, rendering and post-production software solution, performed management of 'quit.blend' temporary file, used for session recovery purposes. A local attacker could use this flaw to conduct symbolic link attacks, leading to ability to overwrite arbitrary system file, accessible with the privileges of the user running the blender executable. Upstream ticket:  https://projects.blender.org/tracker/index.php?func=detail&aid=22509&group_id=9&atid=498 References:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584621 This seems to be re-occurrence of the CVE-2008-1103 flaw:  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1103  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1103  https://bugs.launchpad.net/ubuntu/+source/blender/+bug/6671  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=298167 Fedora / Fedora EPEL specific notes: ------------------------------------ blender-2.49b-8.el6 has (at source/blender/blenkernel/intern/blender.c): BLI_make_file_string("/", str, BLI_gethome(), ".blender/quit.blend"); [but this is only due / thanks to blender-2.49b-cve.patch.], while blender-2.59-5.fc16 and later has (source/blender/blenkernel/intern/blender.c): BLI_make_file_string("/", str, btempdir, "quit.blend"); again.
Comment 1 Jan Lieskovsky 2012-09-06 12:36:33 EDT
This issue affects the versions of the blender package, as shipped with Fedora release of 16 and 17. Please schedule an update. -- This issue did NOT affect the versions of the blender package, as shipped with Fedora EPEL 5 and Fedora EPEL 6 (as they still contain the blender-2.49b-cve.patch patch).
Comment 2 Jan Lieskovsky 2012-09-06 12:37:25 EDT
Created blender tracking bugs for this issue Affects: fedora-all [bug 855093]
Comment 3 Jan Lieskovsky 2012-09-06 12:45:14 EDT
Comment 4 Vincent Danen 2012-09-07 09:06:46 EDT
This was assigned CVE-2012-4410: http://www.openwall.com/lists/oss-security/2012/09/06/5
Comment 5 Fedora Update System 2012-09-17 13:27:49 EDT
blender-2.63a-4.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2012-09-17 13:34:48 EDT
blender-2.59-7.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2012-09-17 18:33:00 EDT
blender-2.63a-8.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-09-17 19:01:39 EDT
blender-2.63a-9.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 David Walser 2012-11-02 11:32:34 EDT
The patch does not fix it in 2.63a-4.fc17. $ ln -s ~/foo.txt /tmp/quit.blend $ echo foo > ~/foo.txt $ file ~/foo.txt foo.txt: ASCII text $ blender connect failed: No such file or directory ndof: spacenavd not found Saved session recovery to /tmp/quit.blend Blender quit $ file ~/foo.txt foo.txt: Blender3D, saved as 32-bits little endian with version 2.63 Looking at the patch, it looks like open() will fail the first time because of the O_EXCL and the file exists, but then it gets rid of O_CREAT from the flags and tries again, and open() succeeds and it overwrites the file. Running through gdb it looks like this is what happens. If I rm ~/foo.txt and do it again, it won't create a new one, so I guess that's the only thing it's currently protecting against. I guess O_EXCL makes it fail the first time because of the symlink, and then it fails the next time because it doesn't exist and O_CREAT is gone.
Comment 10 Murray McAllister 2014-04-28 04:32:06 EDT
CVE ID changed from CVE-2012-4410 to CVE-2010-5105: http://www.openwall.com/lists/oss-security/2012/09/07/13
Comment 11 Jochen Schmitt 2014-04-28 15:30:34 EDT
I have done a test with blender-2.69 and it's look like that the issue doesn't exists since this release. So I want to close this bug.
Comment 12 David Walser 2014-04-28 16:06:44 EDT
Did you look at the code to see if something had been done to fix it? Last I checked (2.68 IIRC), nothing had. Is it possible you just have /proc/sys/fs/protected_symlinks  enabled in your kernel, which should mitigate this and basically just hide the problem?  - https://lists.debian.org/debian-devel-announce/2014/03/msg00004.html  - https://lwn.net/Articles/503660/