Bug 855092 - CVE-2010-5105 blender: Insecure temporary file use by creating file string in undo save quit Blender kernel routine
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20100605,reported=2...
Keywords: Security
Depends On: 855093
Reported: 2012-09-06 12:29 EDT by Jan Lieskovsky
Modified: 2014-11-20 15:13 EST
Doc Type: Bug Fix
Last Closed: 2014-04-28 15:30:34 EDT

Description Jan Lieskovsky 2012-09-06 12:29:43 EDT
An insecure temporary file use flaw was found in the way the 'undo save quit' routine of the Blender kernel of Blender, a 3D modeling, animation, rendering and post-production software solution, performed management of the 'quit.blend' temporary file, used for session recovery purposes. A local attacker could use this flaw to conduct symbolic link attacks, leading to the ability to overwrite an arbitrary system file accessible with the privileges of the user running the blender executable.

Upstream ticket:
[1] https://projects.blender.org/tracker/index.php?func=detail&aid=22509&group_id=9&atid=498

References:
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584621

This seems to be a re-occurrence of the CVE-2008-1103 flaw:
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1103
[4] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-1103
[5] https://bugs.launchpad.net/ubuntu/+source/blender/+bug/6671
[6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=298167

Fedora / Fedora EPEL specific notes:
------------------------------------
blender-2.49b-8.el6 has (at source/blender/blenkernel/intern/blender.c):
  BLI_make_file_string("/", str, BLI_gethome(), ".blender/quit.blend");

[but this is only due / thanks to blender-2.49b-cve.patch.],

while blender-2.59-5.fc16 and later has (source/blender/blenkernel/intern/blender.c):
  BLI_make_file_string("/", str, btempdir, "quit.blend");

again.
Comment 1 Jan Lieskovsky 2012-09-06 12:36:33 EDT
This issue affects the versions of the blender package, as shipped with Fedora releases 16 and 17. Please schedule an update.

--

This issue did NOT affect the versions of the blender package, as shipped with Fedora EPEL 5 and Fedora EPEL 6 (as they still contain the blender-2.49b-cve.patch patch).
Comment 2 Jan Lieskovsky 2012-09-06 12:37:25 EDT
Created blender tracking bugs for this issue

Affects: fedora-all [bug 855093]
Comment 3 Jan Lieskovsky 2012-09-06 12:45:14 EDT
CVE Request:
http://www.openwall.com/lists/oss-security/2012/09/06/3
Comment 4 Vincent Danen 2012-09-07 09:06:46 EDT
This was assigned CVE-2012-4410:

http://www.openwall.com/lists/oss-security/2012/09/06/5
Comment 5 Fedora Update System 2012-09-17 13:27:49 EDT
blender-2.63a-4.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2012-09-17 13:34:48 EDT
blender-2.59-7.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2012-09-17 18:33:00 EDT
blender-2.63a-8.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-09-17 19:01:39 EDT
blender-2.63a-9.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 David Walser 2012-11-02 11:32:34 EDT
The patch does not fix it in 2.63a-4.fc17.

$ ln -s ~/foo.txt /tmp/quit.blend
$ echo foo > ~/foo.txt
$ file ~/foo.txt
foo.txt: ASCII text
$ blender
connect failed: No such file or directory
ndof: spacenavd not found
Saved session recovery to /tmp/quit.blend

Blender quit
$ file ~/foo.txt
foo.txt: Blender3D, saved as 32-bits little endian with version 2.63


Looking at the patch, it looks like open() will fail the first time because of the O_EXCL and the file exists, but then it gets rid of O_CREAT from the flags and tries again, and open() succeeds and it overwrites the file.  Running through gdb it looks like this is what happens.

If I rm ~/foo.txt and do it again, it won't create a new one, so I guess that's the only thing it's currently protecting against.  I guess O_EXCL makes it fail the first time because of the symlink, and then it fails the next time because it doesn't exist and O_CREAT is gone.
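The open() retry that David Walser describes in Comment 9, rebuilt as an added example that is not Blender's code: the retry variant next to a hardened one that uses O_NOFOLLOW plus an fstat() check, and a constructed scenario (a quit.blend symlink to a victim file in a private temp directory; the function names are mine) that exercises both.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Retry pattern from Comment 9: O_CREAT|O_EXCL fails on the planted symlink,
 * so O_CREAT is dropped and open() retried, which now follows the link. */
static int open_quit_file_retry(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 && errno == EEXIST)
        fd = open(path, O_WRONLY | O_TRUNC);          /* follows symlinks */
    return fd;
}
/* Hardened: O_NOFOLLOW makes a symlink in the last component fail (ELOOP);
 * fstat() proves we hold our own unshared regular file before truncating. */
static int open_quit_file_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != getuid() || ftruncate(fd, 0) != 0) { close(fd); return -1; }
    return fd;
}
/* Constructed scenario from Comment 9 in a private temp dir: quit.blend is a
 * symlink to victim.txt. Returns 0 if the retry open truncated the victim while
 * the hardened open failed with ELOOP and left it intact, -1 otherwise. */
static int demo_symlink_attack(void)
{
    char dir[] = "/tmp/quitblend-demo.XXXXXX", victim[300], link[300];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/quit.blend", dir);
    FILE *f = fopen(victim, "w");           /* plant 4 bytes of content */
    int ok = f && fputs("foo\n", f) >= 0 && fclose(f) == 0 && symlink(victim, link) == 0;
    close(open_quit_file_retry(link));      /* "succeeds" through the link */
    ok = ok && stat(victim, &st) == 0 && st.st_size == 0;     /* truncated */
    f = fopen(victim, "w");                 /* replant before the safe open */
    ok = ok && f && fputs("foo\n", f) >= 0 && fclose(f) == 0;
    int fd = open_quit_file_safe(link);
    ok = ok && fd < 0 && errno == ELOOP; if (fd >= 0) close(fd);
    ok = ok && stat(victim, &st) == 0 && st.st_size == 4;     /* intact */
    unlink(link); unlink(victim); rmdir(dir);
    return ok ? 0 : -1;
}
```

The demo deliberately runs in a private directory rather than a sticky, world-writable /tmp, so the fs.protected_symlinks setting mentioned in Comment 12 does not mask the result.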
Comment 10 Murray McAllister 2014-04-28 04:32:06 EDT
CVE ID changed from CVE-2012-4410 to CVE-2010-5105:

http://www.openwall.com/lists/oss-security/2012/09/07/13
Comment 11 Jochen Schmitt 2014-04-28 15:30:34 EDT
I have done a test with blender-2.69 and it looks like the issue doesn't exist since this release. So I want to close this bug.
Comment 12 David Walser 2014-04-28 16:06:44 EDT
Did you look at the code to see if something had been done to fix it?  Last I checked (2.68 IIRC), nothing had.  Is it possible you just have /proc/sys/fs/protected_symlinks [1][2] enabled in your kernel, which should mitigate this and basically just hide the problem?

[1] - https://lists.debian.org/debian-devel-announce/2014/03/msg00004.html
[2] - https://lwn.net/Articles/503660/