Home

Insecure creation of files in /tmp when rendering. (Linked to CVE-2008-1102)
Closed, ArchivedPublic

Assigned To
None
Priority
Low
Subscribers
None
Author
stefanlsd (Stefan Lesicnik)
Projects
Type
To Do
Description
Hi,

There is currently an Ubuntu Bug open that describes this behaviour. https://bugs.edge.launchpad.net/blender/+bug/6671

From the bug

Reproduced in versions:
2.37a-1ubuntu1.1 (breezy?)
2.41-1ubuntu4 (dapper)
2.42a-linux-glibc232-py24-i386-static (blender.org binary)
2.42a-1ubuntu1.1 (edgy)
2.44-2ubuntu2 (gutsy)
2.45-4ubuntu1 (hardy)
2.46+dfsg-4 (intrepid)

Blender writes to files in /tmp/ in an insecure fashion. For example, launching blender and then selecting "Render > Render Animation", writes to the file /tmp/0001.jpg.

This can be exploited by a malicious user to overwrite arbitrary files of another user using blender:

mallory@myhost$ ln -s /home/bob/thesis.tex /tmp/0001.jpg

--

I have also reproduced this in 2.48a.

I know you can change the render location with -o, but would think it would be better for blender to write these to possibly to the home directory somewhere (.blender/render) ? or the like by default.

Thanks!
stefanlsd (Stefan Lesicnik) set Type to To Do.Via Old WorldJan 15 2009, 5:41 PM
None (Nobody) closed this task as "Archived".Via Old WorldJan 15 2009, 5:41 PM
ton (Ton Roosendaal) added a comment.Via Old WorldApr 8 2009, 8:09 PM
Hi Stefan,

Such security issues we don't tackle. A malicous user can abuse Blender in hundreds of ways. The only thing we could do is not use the /tmp/ as a default in Blender, that has been discussed and is on our todo.

Add Comment