[Bf-committers] Patches for CVE-2008-1103
Jochen at herr-schmitt.de
Wed May 7 21:09:13 CEST 2008
On Wed, 07 May 2008 18:54:30 +0200, you wrote:
>Since the problem has been brought up publicly (I didn't know about the
>CVE ID until you linked to it), I'll expose my thoughts: I was thinking
The link is:
>of playing around with TMP or TMPDIR so as to ensure that it points to a
>subdirectory of user's $HOME, so that files are kept away from other
>users. I was a bit surprised by the mechanism supposed to record the
>temporary directory once for all, that's why I wanted to discuss it with
>the developers before taking any action. Moving the temporary directory
>to the user's $HOME would make in particular sure that no symlink attack
>can happen, especially when mk*temp functions aren't used to create
>temporary files (see the original bug report).
>It looks like some scripts also hardcode /tmp as temporary directory,
>and don't use the secure functions for handling temporary files either.
>My asking about the appropriate place where to discuss possible security
>issues was in particular targeted at raising this particular point.
I'm interested in patches to solve this issue in 2.45 and
2.45rc3 or final because I'm the maintainer of the blender
package in the Fedora project.
I have created a partially patched version of the packages for the
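An added example (not from this thread and not Blender's own code) showing the two mitigations the quoted message names: a private temporary directory under $HOME instead of shared /tmp, and mk*temp-style creation with O_CREAT|O_EXCL, checked against a constructed symlink-in-the-way scenario. The directory name `.blender-tmp`, the fixed file name and the sandbox layout are assumptions.

```python
import os
import stat
import tempfile

def private_tmpdir(home=None, name=".blender-tmp"):
    """Per-user temp dir under $HOME, as proposed in the thread: created 0700,
    rejected if it is a symlink, owned by someone else, or group/world accessible."""
    path = os.path.join(home or os.path.expanduser("~"), name)
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat: never follow a planted symlink
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} is not a directory")
    if st.st_uid != os.getuid() or st.st_mode & 0o077:
        raise RuntimeError(f"{path} has an unsafe owner or mode")
    return path

def secure_tempfile(directory, prefix="blender_", suffix=".tmp"):
    """mkstemp: unpredictable name, O_CREAT|O_EXCL, mode 0600. Returns (fd, path)."""
    return tempfile.mkstemp(prefix=prefix, suffix=suffix, dir=directory)

def safe_create(path):
    """For a fixed file name: create without following a symlink or truncating
    an existing file; raises FileExistsError if anything already sits there."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)

def demo():
    """Constructed scenario in a throwaway directory: a symlink already occupies
    the fixed (assumed) name a script would write to, the hardcoded-/tmp pattern."""
    sandbox = tempfile.mkdtemp()
    victim = os.path.join(sandbox, "victim.txt")
    with open(victim, "w") as f:
        f.write("original")
    planted = os.path.join(sandbox, "script-output.tmp")
    os.symlink(victim, planted)
    with open(planted, "w") as f:  # naive open(): follows the link
        f.write("clobbered")
    with open(victim) as f:
        naive_followed = f.read() == "clobbered"
    try:
        os.close(safe_create(planted))
        refused = False
    except FileExistsError:  # O_EXCL fails on the symlink itself
        refused = True
    fd, p = secure_tempfile(private_tmpdir(home=sandbox))
    os.close(fd)
    return naive_followed, refused, stat.S_IMODE(os.lstat(p).st_mode)
```

`demo()` returns whether the naive open followed the symlink, whether the O_EXCL open refused it, and the mode of the mkstemp file.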