Bug#584621: blender: possible symlink attack
Paul Wise
pabs at debian.org
Tue Aug 5 15:22:14 UTC 2014
Control: reopen -1
On Tue, 2014-08-05 at 16:02 +0200, Matteo F. Vescovi wrote:
> Today I've contacted upstream developers (via IRC channel on Freenode)
> and asked about this long-lasting security bug.
>
> They pointed me to:
>
> https://developer.blender.org/rB367722470aa2eada43614cd558f468b4beea851d
>
> where it's clear that the issue has been fixed with that commit.
>
> So, I'm (finally) closing this bug report.

I'm sorry but this does not resolve the issue, it simply turns the
results from an arbitrary file overwrite to a denial of service (prevent
other users from autosaving).

Saving in /tmp at all is completely the wrong solution. The right thing
to do is to either use a random path in $TMPDIR using mkstemp etc or to
use somewhere under $HOME, preferably following the XDG basedir spec:

http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

--
bye,
pabs
http://wiki.debian.org/PaulWise
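
The contrast drawn in the reply above, as an added C example that is not part of the original message and is not Blender's code: a fixed name in a shared directory opened with O_CREAT|O_EXCL refuses a pre-existing entry (nothing is overwritten, but autosave is blocked), while mkstemp under $TMPDIR or a per-user XDG directory avoids the predictable shared name. The function names, the file names and the choice of XDG_CACHE_HOME are assumptions made for illustration.

```c
/* Added example, not Blender code; function and file names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fixed name in a shared directory. O_CREAT|O_EXCL fails with EEXIST if the
 * name already exists, symlinks included, so nothing is overwritten; but
 * whoever creates the name first blocks everyone else's autosave. */
int open_fixed_name(const char *dir)
{
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/autosave.blend", dir);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Random name under $TMPDIR (fallback /tmp). mkstemp() replaces the XXXXXX
 * with a name that does not exist yet and creates the file with mode 0600. */
int open_random_name(char *out, size_t outlen)
{
    const char *tmp = getenv("TMPDIR");
    if (tmp == NULL || tmp[0] != '/')
        tmp = "/tmp";
    int n = snprintf(out, outlen, "%s/autosave-XXXXXX", tmp);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return mkstemp(out);
}

/* Per-user base directory per the XDG basedir spec: $XDG_CACHE_HOME if set
 * and absolute, else $HOME/.cache. Using the cache dir is an assumption. */
int user_cache_dir(char *out, size_t outlen)
{
    const char *xdg = getenv("XDG_CACHE_HOME"), *home = getenv("HOME");
    int n = -1;
    if (xdg != NULL && xdg[0] == '/')
        n = snprintf(out, outlen, "%s", xdg);
    else if (home != NULL && home[0] == '/')
        n = snprintf(out, outlen, "%s/.cache", home);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```
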