[3dprinter-general] Bug#862078: slic3r: insecure use of tmp-files as intermediate to upload to octoprint
Tobias Frost
tobi at debian.org
Mon May 8 09:21:58 UTC 2017
Package: slic3r
Version: 1.2.9+dfsg-6
Severity: important
Tags: security
Hi,
When configured with octoprint, the function "send to printer" first creates /tmp/<model-name>.gcode and then
uploads this file to octoprint, which makes the name somehow predictable, opening a race with a quite wide
window of opportunity to upload a different file to the octoprint server.
If we predict the filename and make a symlink with that name, slic3r also follows the symlink.
--
tobi
-- System Information:
Debian Release: 9.0
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages slic3r depends on:
Versions of packages slic3r recommends:
slic3r suggests no packages.
-- no debconf information
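The staging pattern described in the report, next to a hardened version, as an added example written in Python rather than Slic3r's own Perl (this is not the project's code). The function names, the `model_name` argument and the directory layout are assumptions; the point is that a fixed, predictable name under a shared /tmp plus a symlink-following open() lets a planted link redirect the write, while an unpredictable name inside a private 0700 directory, or an O_CREAT|O_EXCL create that refuses any pre-existing entry, does not.

```python
import os
import stat
import tempfile

# Added example, not Slic3r code. `tmpdir`/`model_name` are assumptions standing in
# for the /tmp/<model-name>.gcode path the bug report describes.


def stage_gcode_predictable(tmpdir, model_name, gcode):
    """Vulnerable pattern: fixed name <tmpdir>/<model_name>.gcode in a shared directory.
    open() follows a symlink planted at that name, so the bytes land wherever it points."""
    path = os.path.join(tmpdir, model_name + ".gcode")
    with open(path, "wb") as fh:
        fh.write(gcode)
    return path


def stage_gcode_private(gcode, suffix=".gcode"):
    """Hardened: random name inside a fresh mode-0700 directory owned by the caller.
    mkdtemp/mkstemp create with O_CREAT|O_EXCL, so nobody can pre-place the entry."""
    private_dir = tempfile.mkdtemp(prefix="slic3r-upload-")
    fd, path = tempfile.mkstemp(suffix=suffix, dir=private_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(gcode)
    return path


def create_exclusive(path, gcode):
    """If a fixed name is unavoidable: O_EXCL makes the create fail when *any* entry
    (a symlink included) already exists, and O_NOFOLLOW is defence in depth.
    Returns False instead of writing through a planted link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(gcode)
    return True


def is_private_regular_file(path):
    """Check the staged file without following links: regular file, mode 0600."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600
```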