[Bf-committers] Patches for CVE-2008-1103

Jochen Schmitt Jochen at herr-schmitt.de
Wed May 7 21:09:13 CEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 07 May 2008 18:54:30 +0200, you wrote:

>Since the problem has been brought up publicly (I didn't know about the
>CVE ID until you linked to it), I'll expose my thoughts: I was thinking

The link is:

http://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2008-1103&vector=(AV:L/AC:L/Au:N/C:P/I:P/A:P)

>of playing around with TMP or TMPDIR so as to ensure that it points to a
>subdirectory of user's $HOME, so that files are kept away from other
>users. I was a bit surprised by the mechanism supposed to record the
>temporary directory once for all, that's why I wanted to discuss it with
>the developers before taking any action. Moving the temporary directory
>to the user's $HOME would make in particular sure that no symlink attack
>can happen, especially when mk*temp functions aren't used to create
>temporary files (see the original bug report).
>
>It looks like some scripts also hardcode /tmp as temporary directory,
>and don't use the secure functions for handling temporary files either.
>
>My asking about the appropriate place where to discuss possible security
>issues was in particular targeted as raising this particular point.

I am interested in patches to solve this issue in 2.45 and
2.45rc3 or final, because I'm the maintainer of the blender
package in the Fedora project.

I have created a partially patched version of the packages for the
Fedora project.

Best Regards:

Jochen Schmitt

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)
Charset: us-ascii

wj8DBQFIIf5+T2AHK6txfgwRAtjMAKDpEU/CrEqCUWK3uCiwgVW/gG61+gCgxiVy
BktG02n2gSnrrEDhhKwpAq4=
=LPGs
-----END PGP SIGNATURE-----
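
The mitigation discussed in the quoted text (a temporary directory under the user's $HOME, combined with the mk*temp functions) can be sketched as follows. This is an added example, not code from this thread or from Blender; the function names `ensure_private_dir` and `private_tempfile` and the directory name `.example-tmp` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Make sure `dir` is a real directory, owned by us, with no group/other
 * access. Returns 0 if so, -1 if it is a symlink, foreign-owned or too open. */
int ensure_private_dir(const char *dir)
{
    struct stat st;
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    if (lstat(dir, &st) != 0)               /* lstat: never follow a symlink */
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid())
        return -1;
    if (st.st_mode & (S_IRWXG | S_IRWXO))   /* other users could plant files */
        return -1;
    return 0;
}

/* Create a uniquely named file inside `dir`. mkstemp() opens it with
 * O_CREAT|O_EXCL and mode 0600, so an existing file or symlink with the
 * chosen name is never opened or followed.
 * Returns an open fd with the path stored in `out`, or -1 on failure. */
int private_tempfile(const char *dir, char *out, size_t outlen)
{
    if (ensure_private_dir(dir) != 0)
        return -1;
    if ((size_t)snprintf(out, outlen, "%s/tmp.XXXXXX", dir) >= outlen)
        return -1;
    return mkstemp(out);
}

int main(void)
{
    char dir[PATH_MAX], path[PATH_MAX];
    const char *home = getenv("HOME");
    int fd;
    /* Hypothetical directory name, chosen for this example only. */
    if (!home || (size_t)snprintf(dir, sizeof dir, "%s/.example-tmp", home) >= sizeof dir)
        return 1;
    if ((fd = private_tempfile(dir, path, sizeof path)) < 0)
        return 1;
    printf("created %s\n", path);
    close(fd);
    unlink(path);
    return 0;
}
```

The ownership and mode check matters because a directory under $HOME is only safe from other users if nobody else can write into it; a pre-existing directory with looser permissions is rejected rather than silently used.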

