Page MenuHome

Insecure creation of files in /tmp when rendering. (Linked to CVE-2008-1102)
Closed, ArchivedPublic



There is currently an Ubuntu Bug open that describes this behaviour.

From the bug

Reproduced in versions:
2.37a-1ubuntu1.1 (breezy?)
2.41-1ubuntu4 (dapper)
2.42a-linux-glibc232-py24-i386-static ( binary)
2.42a-1ubuntu1.1 (edgy)
2.44-2ubuntu2 (gutsy)
2.45-4ubuntu1 (hardy)
2.46+dfsg-4 (intrepid)

Blender writes to files in /tmp/ in an insecure fashion. For example, launching blender and then selecting "Render > Render Animation", writes to the file /tmp/0001.jpg.

This can be exploited by a malicious user to overwrite arbitrary files of another user using blender:

mallory@myhost$ ln -s /home/bob/thesis.tex /tmp/0001.jpg


I have also reproduced this in 2.48a.

I know you can change the render location with -o, but would think it would be better for blender to write these to possibly to the home directory somewhere (.blender/render) ? or the like by default.



To Do

Event Timeline

Nobody (None) closed this task as Archived.Jan 15 2009, 5:41 PM

Hi Stefan,

Such security issues we don't tackle. A malicous user can abuse Blender in hundreds of ways. The only thing we could do is not use the /tmp/ as a default in Blender, that has been discussed and is on our todo.