An insecure temporary file use flaw was found in the way 'undo save quit' routine of Blender kernel of Blender, a 3D modeling, animation, rendering and post-production software solution, performed management of 'quit.blend' temporary file, used for session recovery purposes. A local attacker could use this flaw to conduct symbolic link attacks, leading to ability to overwrite arbitrary system file, accessible with the privileges of the user running the blender executable. Upstream ticket: [1] https://projects.blender.org/tracker/index.php?func=detail&aid=22509&group_id=9&atid=498 References: [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584621 This seems to be re-occurrence of the CVE-2008-1103 flaw: [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1103 [4] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1103 [5] https://bugs.launchpad.net/ubuntu/+source/blender/+bug/6671 [6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=298167 Fedora / Fedora EPEL specific notes: ------------------------------------ blender-2.49b-8.el6 has (at source/blender/blenkernel/intern/blender.c): BLI_make_file_string("/", str, BLI_gethome(), ".blender/quit.blend"); [but this is only due / thanks to blender-2.49b-cve.patch.], while blender-2.59-5.fc16 and later has (source/blender/blenkernel/intern/blender.c): BLI_make_file_string("/", str, btempdir, "quit.blend"); again.
This issue affects the versions of the blender package, as shipped with Fedora release of 16 and 17. Please schedule an update. -- This issue did NOT affect the versions of the blender package, as shipped with Fedora EPEL 5 and Fedora EPEL 6 (as they still contain the blender-2.49b-cve.patch patch).
Created blender tracking bugs for this issue Affects: fedora-all [bug 855093]
CVE Request: http://www.openwall.com/lists/oss-security/2012/09/06/3
This was assigned CVE-2012-4410: http://www.openwall.com/lists/oss-security/2012/09/06/5
blender-2.63a-4.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
blender-2.59-7.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
blender-2.63a-8.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
blender-2.63a-9.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
The patch does not fix it in 2.63a-4.fc17. $ ln -s ~/foo.txt /tmp/quit.blend $ echo foo > ~/foo.txt $ file ~/foo.txt foo.txt: ASCII text $ blender connect failed: No such file or directory ndof: spacenavd not found Saved session recovery to /tmp/quit.blend Blender quit $ file ~/foo.txt foo.txt: Blender3D, saved as 32-bits little endian with version 2.63 Looking at the patch, it looks like open() will fail the first time because of the O_EXCL and the file exists, but then it gets rid of O_CREAT from the flags and tries again, and open() succeeds and it overwrites the file. Running through gdb it looks like this is what happens. If I rm ~/foo.txt and do it again, it won't create a new one, so I guess that's the only thing it's currently protecting against. I guess O_EXCL makes it fail the first time because of the symlink, and then it fails the next time because it doesn't exist and O_CREAT is gone.
CVE ID changed from CVE-2012-4410 to CVE-2010-5105: http://www.openwall.com/lists/oss-security/2012/09/07/13
I have done a test with blender-2.69 and it's look like that the issue doesn't exists since this release. So I want to close this bug.
Did you look at the code to see if something had been done to fix it? Last I checked (2.68 IIRC), nothing had. Is it possible you just have /proc/sys/fs/protected_symlinks [1][2] enabled in your kernel, which should mitigate this and basically just hide the problem? [1] - https://lists.debian.org/debian-devel-announce/2014/03/msg00004.html [2] - https://lwn.net/Articles/503660/