Bug 444535 (CVE-2008-1103) - CVE-2008-1103 Blender insecure temporary file usage
Summary: CVE-2008-1103 Blender insecure temporary file usage
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2008-1103
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:
Blocks:
Reported: 2008-04-28 22:16 UTC by Red Hat Product Security
Modified: 2016-06-10 20:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-10 20:31:31 UTC
Embargoed:


Attachments:
First Debian patch (605 bytes, patch), 2008-05-07 09:48 UTC, Tomas Hoger
Second Debian patch (575 bytes, patch), 2008-05-07 09:50 UTC, Tomas Hoger

Description Lubomir Kundrak 2008-04-28 22:16:05 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1103 to the following vulnerability:

Multiple unspecified vulnerabilities in Blender have unknown impact and attack vectors, related to "temporary file issues."

References:

http://lists.opensuse.org/opensuse-security-announce/2008-04/msg00011.html
http://www.securityfocus.com/bid/28936

Comment 1 Tomas Hoger 2008-05-07 09:46:22 UTC
Noted in SuSE advisory:

  Since we do not think that Blender is not used in security critical settings
  with network input data we fixed this problem only for future products.

The temporary file issue is not currently fixed in SuSE packages.


Further details regarding this are covered in Ubuntu and Debian bug reports:

https://bugs.launchpad.net/ubuntu/+source/blender/+bug/6671
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=298167

Problematic files in /tmp are:
- /tmp/quit.blend
- /tmp/0001.jpg, /tmp/0002.jpg, ...


First issue seems to have been fixed in the past in Debian packages, first using
O_EXCL in open(), later replaced with move of temporary directory to user's
$HOME.  Debian patches attached in following comments.


Comment 3 Tomas Hoger 2008-05-07 09:50:30 UTC
Created attachment 304748
Second Debian patch

Moves quit.blend to $HOME, first occurred in:

http://packages.debian.org/changelogs/pool/main/b/blender/blender_2.45-5/changelog#versionversion2.37a-1

Comment 4 Jochen Schmitt 2008-05-07 16:14:36 UTC
I have checked in blender-2.45rc3 on rawhide. On this version I could apply the
first patch, but the second one failed. Perhaps someone could have a look at it,
because I have no idea how I should modify this patch for the next blender
release.

Comment 5 Tomas Hoger 2008-05-07 16:33:59 UTC
Jochen, I believe either one of the Debian patches should be sufficient to
address quit.blend issue.  Does it also address the other issue with 000X.jpg?

Comment 6 Jochen Schmitt 2008-05-07 16:37:05 UTC
Maybe. Unfortunately, I'm unsure and have contacted upstream.

I think I should build a package for rawhide with the first Debian patch and
wait for the response from upstream.

Comment 8 Tomas Hoger 2008-05-07 17:51:56 UTC
Second issue -- /tmp/000X.jpg -- still affects new blender-2.45-14 packages,
confirmed with blender-2.45-14.fc8.

Comment 11 Tomas Hoger 2008-06-09 15:47:28 UTC
Secunia assigned CVE id CVE-2008-1103 to the Multiple Temporary File Security
Issues and the description is now available here:

  http://secunia.com/advisories/29842/

  [ ... ]

  The security issues are caused due to Blender handling temporary files in
  an insecure manner (e.g. creating "/tmp/quit.blend" when quitting Blender,
  using easy to guess file names and insecure file permissions to store
  temporary render frames, and insecure file permission when auto saving
  files). This can be exploited to e.g. conduct symlink attacks and overwrite
  arbitrary files with the permissions of the user running Blender or
  disclose potentially sensitive information.

Besides the two issues already described in comment #1, there is a third
issue covered by this CVE id:

- insecure file permission for auto saved files
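
Added example, not part of the bug thread and not Blender's or Debian's code: the two mitigations mentioned in the comments above (exclusive creation with O_EXCL in open(), and an owner-only directory instead of predictable names directly in /tmp), written in C. The function names and the /tmp/scratch-demo-XXXXXX template are assumptions made for this illustration, and the pre-planted symlink scenario is constructed.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` only if no file or symlink of that name exists (O_EXCL),
 * with owner-only permissions. Returns an fd, or -1 on error. */
int create_private_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Owner-only directory with an unpredictable name; tmpl ends in XXXXXX. */
int make_private_dir(char *tmpl)
{
    return mkdtemp(tmpl) ? 0 : -1;
}

/* Constructed scenario: a symlink named quit.blend is already present and
 * points at another file. Returns 1 if every check holds, else 0. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/scratch-demo-XXXXXX";     /* hypothetical name */
    char victim[64], lnk[64], frame[64];
    struct stat st;
    int fd, ok;
    if (make_private_dir(dir) != 0) return 0;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/quit.blend", dir);
    snprintf(frame, sizeof frame, "%s/0001.jpg", dir);
    fd = create_private_file(victim);
    if (fd < 0 || write(fd, "keep", 4) != 4) return 0;
    close(fd);
    if (symlink(victim, lnk) != 0) return 0;

    ok = create_private_file(lnk) == -1;          /* refused, not followed */
    ok = ok && stat(victim, &st) == 0 && st.st_size == 4;   /* untouched */
    fd = create_private_file(frame);              /* fresh name succeeds */
    ok = ok && fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0077) == 0;
    if (fd >= 0) close(fd);
    ok = ok && stat(dir, &st) == 0 && (st.st_mode & 0077) == 0;
    unlink(frame); unlink(lnk); unlink(victim); rmdir(dir);
    return ok;
}

int main(void) { return symlink_is_refused() ? 0 : 1; }
```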


Comment 12 Stefan Lesicnik 2009-01-15 15:54:56 UTC
There is still an issue with regards to the /tmp/000x.jpg files being created which could cause symlink attacks. Is anyone addressing this, or does anyone know if it has been addressed?

Comment 13 Jochen Schmitt 2009-01-15 19:09:54 UTC
I'm to get a anser of the bf-commiter mailing list.

Comment 14 Jochen Schmitt 2009-01-15 19:11:30 UTC
Sorry, I meant to write: 'I'm trying to get an answer on the bf-committers mailing list'

Comment 15 Jochen Schmitt 2009-01-15 19:17:53 UTC
I have got the following answer:

"People can change the temp path in user settings if they disagree with the default value."

But I think this is not the expected solution, so I have poked again on bf-committers.

Comment 16 Stefan Lesicnik 2009-01-15 19:26:56 UTC
Thanks for chasing this Jochen. I agree with you, I don't think it is great default behaviour and default should be somewhere more sane.

I also opened a bug on the blender bug tracker http://projects.blender.org/tracker/index.php?func=detail&aid=18174&group_id=9&atid=125

Comment 17 Red Hat Bugzilla 2009-10-23 19:05:03 UTC
Reporter changed to security-response-team by request of Jay Turner.

Comment 18 Jan Lieskovsky 2010-06-05 18:24:57 UTC
Stefan, Jochen,

(In reply to comment #16)
> Thanks for chasing this Jochen. I agree with you, I don't think it is great
> default behaviour and default should be somewhere more sane.
> 
> I also opened a bug on the blender bug tracker
> http://projects.blender.org/tracker/index.php?func=detail&aid=18174&group_id=9&atid=125    

Was this second issue solved yet? (I don't seem to be able to access the
above ticket, as I am getting "Invalid Artifact ID").

Thanks, Jan.

Comment 19 Stefan Lesicnik 2010-06-07 11:48:03 UTC
Hi,

I'm not sure if this issue was ever solved. Don't remember getting an update, and I am getting the same error as you.  I guess it doesn't help either that search is disabled...

Stefan

