[Bf-committers] [PATCH] Re-occurance of CVE-2008-1103 on blender-2.63a

Campbell Barton ideasman42 at gmail.com
Sun Sep 9 01:35:38 CEST 2012 

Hi Jochen,
applied r50481 with some minor changes.

Though there are other areas where this still needs changing in
blender if we are serious about not writing into symlinks.

These functions can save to the temp dir and don't check for symlinks.
render_result_exr_file_begin()
ptcache_file_open()
BLO_write_file() --- which is used to save temp files too (called from
wm_autosave_timer)

On Sat, Sep 8, 2012 at 11:30 PM, Jochen Schmitt <Jochen at herr-schmitt.de> wrote:
> Hallo,
>
> unfortunately, I have got an complaint about the re-occurance of the
> security flaw CVE-2008-1103 on blender-2.63a. Please refer to
> BZ #855092 on https://bugzilla.redhat.com for further informationen.
>
> Therefor I have created the following patch attached on the end of this
> mail to fix the reported issue.
>
> It may be nice, if can anyone can take a review of the patch and integrate
> the patch in the next upcomming release of blender.
>
> Best Regards:
>
> Jochen Schmitt
>
> diff -up blender-2.63a/source/blender/blenkernel/intern/blender.c.cve blender-2.63a/source/blender/blenkernel/intern/blender.c
> --- blender-2.63a/source/blender/blenkernel/intern/blender.c.cve        2012-05-10 16:50:20.000000000 +0200
> +++ blender-2.63a/source/blender/blenkernel/intern/blender.c    2012-09-07 10:10:05.518999947 +0200
> @@ -40,6 +40,7 @@
>  #  define write _write
>  #endif
>
> +#include <errno.h>
>  #include <stdlib.h>
>  #include <stdio.h>
>  #include <stddef.h>
> @@ -706,7 +707,8 @@ void BKE_undo_save_quit(void)
>  {
>         UndoElem *uel;
>         MemFileChunk *chunk;
> -       int file;
> +       int file = -1;
> +       int flags = O_BINARY+O_WRONLY+O_CREAT+O_TRUNC+O_EXCL;
>         char str[FILE_MAX];
>
>         if ( (U.uiflag & USER_GLOBALUNDO)==0) return;
> @@ -722,10 +724,16 @@ void BKE_undo_save_quit(void)
>
>         BLI_make_file_string("/", str, BLI_temporary_dir(), "quit.blend");
>
> -       file = BLI_open(str,O_BINARY+O_WRONLY+O_CREAT+O_TRUNC, 0666);
> -       if (file == -1) {
> -               //XXX error("Unable to save %s, check you have permissions", str);
> -               return;
> +       while (file == -1) {
> +         file = BLI_open(str,flags, 0666);
> +         if (file == -1) {
> +           if (errno == EEXIST) {
> +             flags ^= O_CREAT;
> +           } else {
> +             //XXX error("Unable to save %s, check you have permissions", str);
> +             return;
> +           }
> +         }
>         }
>
>         chunk= uel->memfile.chunks.first;
> _______________________________________________
> Bf-committers mailing list
> Bf-committers at blender.org
> http://lists.blender.org/mailman/listinfo/bf-committers



-- 
- Campbell

More information about the Bf-committers mailing list