Red Hat Bugzilla – Bug 855092
CVE-2010-5105 blender: Insecure temporary file use by creating file string in undo save quit Blender kernel routine
Last modified: 2014-11-20 15:13:06 EST
An insecure temporary file use flaw was found in the way 'undo save quit' routine of Blender kernel of Blender, a 3D modeling, animation, rendering and post-production software solution, performed management of 'quit.blend' temporary file, used for session recovery purposes. A local attacker could use this flaw to conduct symbolic link attacks, leading to ability to overwrite arbitrary system file, accessible with the privileges of the user running the blender executable.
This seems to be re-occurrence of the CVE-2008-1103 flaw:
Fedora / Fedora EPEL specific notes:
blender-2.49b-8.el6 has (at source/blender/blenkernel/intern/blender.c):
BLI_make_file_string("/", str, BLI_gethome(), ".blender/quit.blend");
[but this is only due / thanks to blender-2.49b-cve.patch.],
while blender-2.59-5.fc16 and later has (source/blender/blenkernel/intern/blender.c):
BLI_make_file_string("/", str, btempdir, "quit.blend");
This issue affects the versions of the blender package, as shipped with Fedora release of 16 and 17. Please schedule an update.
This issue did NOT affect the versions of the blender package, as shipped with Fedora EPEL 5 and Fedora EPEL 6 (as they still contain the blender-2.49b-cve.patch patch).
Created blender tracking bugs for this issue
Affects: fedora-all [bug 855093]
This was assigned CVE-2012-4410:
blender-2.63a-4.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
blender-2.59-7.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
blender-2.63a-8.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
blender-2.63a-9.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
The patch does not fix it in 2.63a-4.fc17.
$ ln -s ~/foo.txt /tmp/quit.blend
$ echo foo > ~/foo.txt
$ file ~/foo.txt
foo.txt: ASCII text
connect failed: No such file or directory
ndof: spacenavd not found
Saved session recovery to /tmp/quit.blend
$ file ~/foo.txt
foo.txt: Blender3D, saved as 32-bits little endian with version 2.63
Looking at the patch, it looks like open() will fail the first time because of the O_EXCL and the file exists, but then it gets rid of O_CREAT from the flags and tries again, and open() succeeds and it overwrites the file. Running through gdb it looks like this is what happens.
If I rm ~/foo.txt and do it again, it won't create a new one, so I guess that's the only thing it's currently protecting against. I guess O_EXCL makes it fail the first time because of the symlink, and then it fails the next time because it doesn't exist and O_CREAT is gone.
CVE ID changed from CVE-2012-4410 to CVE-2010-5105:
I have done a test with blender-2.69 and it's look like that the issue doesn't
exists since this release. So I want to close this bug.
Did you look at the code to see if something had been done to fix it? Last I checked (2.68 IIRC), nothing had. Is it possible you just have /proc/sys/fs/protected_symlinks  enabled in your kernel, which should mitigate this and basically just hide the problem?
 - https://lists.debian.org/debian-devel-announce/2014/03/msg00004.html
 - https://lwn.net/Articles/503660/