[Bf-committers] Patches for CVE-2008-1103

Cyril Brulebois kibi at debian.org
Wed May 7 18:54:30 CEST 2008


On 07/05/2008, Jochen Schmitt wrote:
> Hello,

Hi,

> I have found the following patch for CVE-2008-1103 from the debian
> project:

For some context, I was particularly thinking of this patch in
<20080504233226.GK20328 at evy.ikibiki.org>[1].

 1. http://lists.blender.org/pipermail/bf-committers/2008-May/020977.html

This patch has been floating around for a while. Relevant text of the
Debian changelog[2], and related bugreport[3]:
| blender  (2.36-1) unstable; urgency=high
| * [02_fix_insecure_writing_to_quit_blend] added a dpatch to prevent a symlink attack - closes: #298167
| -- Masayuki Hatta (mhatta) <mhatta at debian.org>  Fri, 11 Mar 2005 00:55:14 +0900

 2. http://packages.debian.org/changelogs/pool/main/b/blender/blender_2.45-5/changelog
 3. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=298167

> Unfortunately, I have no idea how I have to modify the second patch
> for applying on blender-2.45rc3.

I guess you mean 2.46rc3.

> I may be happy for any assistance.

Since the problem has been brought up publicly (I didn't know about the
CVE ID until you linked to it), I'll expose my thoughts: I was thinking
of playing around with TMP or TMPDIR so as to ensure that it points to a
subdirectory of the user's $HOME, so that files are kept away from other
users. I was a bit surprised by the mechanism supposed to record the
temporary directory once and for all, that's why I wanted to discuss it with
the developers before taking any action. Moving the temporary directory
to the user's $HOME would in particular make sure that no symlink attack
can happen, especially when mk*temp functions aren't used to create
temporary files (see the original bug report).

It looks like some scripts also hardcode /tmp as temporary directory,
and don't use the secure functions for handling temporary files either.

My asking about the appropriate place to discuss possible security
issues was in particular targeted at raising this particular point.

Mraw,
KiBi.
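
The approach discussed in the message above (a private directory under $HOME plus mk*temp-style creation), shown as an added C example that is not part of the original post or of Blender's code. The function names, the `.app-tmp` directory and the `quit.blend` / `quit-XXXXXX` file names are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Private scratch dir under base (e.g. $HOME); ".app-tmp" is a hypothetical
 * name. Succeeds only for a real directory we own with mode 0700. */
int private_tmpdir(const char *base, char *out, size_t len)
{
    struct stat st;
    if (snprintf(out, len, "%s/.app-tmp", base) >= (int)len) return -1;
    if (mkdir(out, 0700) != 0 && errno != EEXIST) return -1;
    if (lstat(out, &st) != 0 || !S_ISDIR(st.st_mode)) return -1; /* symlink or file: refuse */
    if (st.st_uid != geteuid() || (st.st_mode & 077) != 0) return -1;
    return 0;
}

/* Fixed name: with O_EXCL, open() fails (EEXIST) if a file or symlink is already there. */
int create_fixed(const char *dir, const char *name)
{
    char path[4096];
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Unique name: mkstemp() replaces XXXXXX and creates the file exclusively. */
int create_unique(const char *dir, char *path, size_t len)
{
    if (snprintf(path, len, "%s/quit-XXXXXX", dir) >= (int)len) return -1;
    return mkstemp(path);
}

/* Constructed scenario: a dangling symlink already sits at the fixed name; the scratch
 * dir stands in for $HOME too. Returns 0 if that create is refused and mkstemp works. */
int symlink_demo(void)
{
    char shared[] = "/tmp/demo-XXXXXX", lnk[64], priv[64], tmp[96];
    if (!mkdtemp(shared)) return -1;
    snprintf(lnk, sizeof lnk, "%s/quit.blend", shared);
    if (symlink("/nonexistent-target", lnk) != 0) return -1;
    int refused = create_fixed(shared, "quit.blend") == -1 && errno == EEXIST;
    int fd = private_tmpdir(shared, priv, sizeof priv) == 0 ? create_unique(priv, tmp, sizeof tmp) : -1;
    if (fd >= 0) { close(fd); unlink(tmp); }
    return (refused && fd >= 0) ? 0 : 1;
}

int main(void) { return symlink_demo(); }
```

Without `O_EXCL`, the same `open()` with `O_CREAT` would follow the dangling link and create the file at the link's target, which is the behaviour the Debian patch was written to prevent.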