Bug#584621: blender: possible symlink attack

Kevin Roy kiniou at gmail.com
Thu Sep 6 10:24:13 UTC 2012


Hi Paul,

On 5 September 2012 16:23, Paul Wise <pabs at debian.org> wrote:
> Sorry I didn't notice this bug closing, but did you check that this
> problem was fixed? It certainly is not fixed on wheezy (see below).

At the time of triaging this bug, I did a test and the bug did appear to me.
But now I realize that it isn't fixed, as I didn't understand the
process to reproduce it (i.e. I didn't create the symbolic link
*before* running blender).

> This bug has occurred and been fixed before (#298167) and it is a bit
> disappointing that it was fixed in 2.37a-1 and then again by a different
> maintainer and the maintainer after that didn't preserve those fixes.

As far as I remember, it has been dropped in 2.50-alpha because the
Debian patch was a bit hacky:
 - the blender executable was wrapped by a script that checked for the
~/.blender directory's existence and created this directory otherwise.
 - there was also a Debian patch that made blender save the quit.blend
in the ~/.blender directory.
I've spent some time trying to produce a decent patch without result,
and as I didn't manage to reproduce the bug, I didn't try further (my
bad :-( ).

> Security team, can we get a CVE assigned for this? Perhaps that would
> get people to fix it for good. The consequences are arbitrary file
> creation or overwrite on a multi-user system:
>
> pabs at chianamo ~ $ dpkg -l blender
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name                          Version             Architecture        Description
> +++-=============================-===================-===================-===============================================================
> ii  blender                       2.63a-1             amd64               Very fast and versatile 3D modeller/renderer
> pabs at chianamo ~ $ sudo ln -s /home/pabs/foo /tmp/quit.blend
> pabs at chianamo ~ $ ls -l /tmp/quit.blend /home/pabs/foo
> ls: cannot access /home/pabs/foo: No such file or directory
> lrwxrwxrwx 1 root root 14 Sep  5 22:01 /tmp/quit.blend -> /home/pabs/foo
> pabs at chianamo ~ $ file /tmp/quit.blend /home/pabs/foo
> /tmp/quit.blend: broken symbolic link to `/home/pabs/foo'
> /home/pabs/foo:  ERROR: cannot open `/home/pabs/foo' (No such file or directory)
> pabs at chianamo ~ $ blender
>
> Blender quit
> pabs at chianamo ~ $ blender
> Saved session recovery to /tmp/quit.blend
>
> Blender quit
> pabs at chianamo ~ $ ls -l /tmp/quit.blend /home/pabs/foo
> -rw-r----- 1 pabs pabs 170K Sep  5 22:02 /home/pabs/foo
> lrwxrwxrwx 1 root root   14 Sep  5 22:01 /tmp/quit.blend -> /home/pabs/foo
> pabs at chianamo ~ $ file /tmp/quit.blend /home/pabs/foo
> /tmp/quit.blend: symbolic link to `/home/pabs/foo'
> /home/pabs/foo:  Blender3D, saved as 64-bits little endian with version 2.63
> pabs at chianamo ~ $ echo foo > /home/pabs/foo
> pabs at chianamo ~ $ ls -l /tmp/quit.blend /home/pabs/foo
> -rw-r----- 1 pabs pabs  4 Sep  5 22:03 /home/pabs/foo
> lrwxrwxrwx 1 root root 14 Sep  5 22:01 /tmp/quit.blend -> /home/pabs/foo
> pabs at chianamo ~ $ file /tmp/quit.blend /home/pabs/foo
> /tmp/quit.blend: symbolic link to `/home/pabs/foo'
> /home/pabs/foo:  ASCII text
> pabs at chianamo ~ $ blender
> Saved session recovery to /tmp/quit.blend
>
> Blender quit
> pabs at chianamo ~ $ file /tmp/quit.blend /home/pabs/foo
> /tmp/quit.blend: symbolic link to `/home/pabs/foo'
> /home/pabs/foo:  Blender3D, saved as 64-bits little endian with version 2.63
>

--
Kevin Roy
blog.knokorpo.fr
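The write pattern behind the report above, as an added example that is not Blender's or Debian's code: a fixed `quit.blend` name opened with `fopen("w")` in a shared directory follows a pre-planted symlink, while an open with `O_NOFOLLOW`, mode 0600 and an `fstat` ownership check refuses it. The demo plants the link inside a private `mkdtemp` directory it creates and removes itself; the function and directory names are constructed for this example.

```c
/* Added example, not Blender's code: the write pattern behind #584621 and a
 * hardened version. All paths are constructed inside a private temp dir. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: fopen("w") on a fixed name in a shared directory follows a
 * pre-planted symlink and creates or truncates whatever it points at. */
static int save_unsafe(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}

/* Hardened: O_NOFOLLOW fails with ELOOP if the final component is a symlink,
 * mode 0600 keeps the session file private, and fstat rejects anything that
 * is not a regular file owned by the caller. The complete fix also moves the
 * file out of shared /tmp into a per-user directory such as ~/.blender. */
static int save_safe(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                      /* errno is ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd); errno = EPERM; return -1;
    }
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Reproduces the report in miniature: plant quit.blend -> victim, run both
 * writers. Bit 0: the unsafe write created the victim through the link;
 * bit 1: the safe write refused with ELOOP. Returns 3 when both happen. */
int demo(void) {
    char dir[] = "/tmp/qblendXXXXXX", link[64], victim[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(link, sizeof link, "%s/quit.blend", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, link) != 0) return -1;   /* the planted link */
    int result = 0;
    if (save_unsafe(link, "x") == 0 && access(victim, F_OK) == 0) result |= 1;
    if (save_safe(link, "x") == -1 && errno == ELOOP) result |= 2;
    unlink(victim); unlink(link); rmdir(dir);
    return result;
}
```

Calling `demo()` from a `main` prints 3 on Linux when the unsafe writer creates the victim file through the link and the hardened writer refuses it.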



More information about the pkg-multimedia-maintainers mailing list