Bug 855092 (CVE-2010-5105)

Summary: CVE-2010-5105 blender: Insecure temporary file use by creating file string in undo save quit Blender kernel routine
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: hobbes1069, jochen, jrusnack, kwizart, luigiwalser, mmcallis, promac
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-04-28 19:30:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 855093    
Bug Blocks:    

Description Jan Lieskovsky 2012-09-06 16:29:43 UTC 
An insecure temporary file use flaw was found in the way 'undo save quit' routine of Blender kernel of Blender, a 3D modeling, animation, rendering and post-production software solution, performed management of 'quit.blend' temporary file, used for session recovery purposes. A local attacker could use this flaw to conduct symbolic link attacks, leading to ability to overwrite arbitrary system file, accessible with the privileges of the user running the blender executable.

Upstream ticket:
[1] https://projects.blender.org/tracker/index.php?func=detail&aid=22509&group_id=9&atid=498

References:
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584621

This seems to be re-occurrence of the CVE-2008-1103 flaw:
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1103
[4] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1103
[5] https://bugs.launchpad.net/ubuntu/+source/blender/+bug/6671
[6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=298167

Fedora / Fedora EPEL specific notes:
------------------------------------
blender-2.49b-8.el6 has (at source/blender/blenkernel/intern/blender.c):
  BLI_make_file_string("/", str, BLI_gethome(), ".blender/quit.blend");

[but this is only due / thanks to blender-2.49b-cve.patch.],

while blender-2.59-5.fc16 and later has (source/blender/blenkernel/intern/blender.c):
  BLI_make_file_string("/", str, btempdir, "quit.blend");

again.
Comment 1 Jan Lieskovsky 2012-09-06 16:36:33 UTC 
This issue affects the versions of the blender package, as shipped with Fedora release of 16 and 17. Please schedule an update.

--

This issue did NOT affect the versions of the blender package, as shipped with Fedora EPEL 5 and Fedora EPEL 6 (as they still contain the blender-2.49b-cve.patch patch).
Comment 2 Jan Lieskovsky 2012-09-06 16:37:25 UTC 
Created blender tracking bugs for this issue

Affects: fedora-all [bug 855093]
Comment 3 Jan Lieskovsky 2012-09-06 16:45:14 UTC 
CVE Request:
http://www.openwall.com/lists/oss-security/2012/09/06/3
Comment 4 Vincent Danen 2012-09-07 13:06:46 UTC 
This was assigned CVE-2012-4410:

http://www.openwall.com/lists/oss-security/2012/09/06/5
Comment 5 Fedora Update System 2012-09-17 17:27:49 UTC 
blender-2.63a-4.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2012-09-17 17:34:48 UTC 
blender-2.59-7.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2012-09-17 22:33:00 UTC 
blender-2.63a-8.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-09-17 23:01:39 UTC 
blender-2.63a-9.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 David Walser 2012-11-02 15:32:34 UTC 
The patch does not fix it in 2.63a-4.fc17.

$ ln -s ~/foo.txt /tmp/quit.blend
$ echo foo > ~/foo.txt
$ file ~/foo.txt
foo.txt: ASCII text
$ blender
connect failed: No such file or directory
ndof: spacenavd not found
Saved session recovery to /tmp/quit.blend

Blender quit
$ file ~/foo.txt
foo.txt: Blender3D, saved as 32-bits little endian with version 2.63


Looking at the patch, it looks like open() will fail the first time because of the O_EXCL and the file exists, but then it gets rid of O_CREAT from the flags and tries again, and open() succeeds and it overwrites the file.  Running through gdb it looks like this is what happens.

If I rm ~/foo.txt and do it again, it won't create a new one, so I guess that's the only thing it's currently protecting against.  I guess O_EXCL makes it fail the first time because of the symlink, and then it fails the next time because it doesn't exist and O_CREAT is gone.
Comment 10 Murray McAllister 2014-04-28 08:32:06 UTC 
CVE ID changed from CVE-2012-4410 to CVE-2010-5105:

http://www.openwall.com/lists/oss-security/2012/09/07/13
Comment 11 Jochen Schmitt 2014-04-28 19:30:34 UTC 
I have done a test with blender-2.69 and it's look like that the issue doesn't
exists since this release. So I want to close this bug.
Comment 12 David Walser 2014-04-28 20:06:44 UTC 
Did you look at the code to see if something had been done to fix it?  Last I checked (2.68 IIRC), nothing had.  Is it possible you just have /proc/sys/fs/protected_symlinks [1][2] enabled in your kernel, which should mitigate this and basically just hide the problem?

[1] - https://lists.debian.org/debian-devel-announce/2014/03/msg00004.html
[2] - https://lwn.net/Articles/503660/