blender: Python scripts load modules from current directory

Debian Bug report logs - #503632
blender: Python scripts load modules from current directory

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: James Vega <jamessan@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: blender: Python scripts load modules from current directory

Date: Mon, 27 Oct 2008 00:37:12 -0400

Package: blender
Version: 2.46+dfsg-4
Severity: grave
Tags: security
Justification: user security hole
Usertags: pythonpath

Blender's BPY_interface calls PySys_SetArgv such that Python prepends
sys.path with an empty string.  This allows the possibility to run
arbitrary code on the user's system if there is a python file in
Blender's working directory named the same as one that Blender's python
scripts try to import.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages blender depends on:
ii  gettext [libgettextpo0 0.17-4            GNU Internationalization utilities
pn  libalut0               <none>            (no description available)
pn  libavcodec51 | libavco <none>            (no description available)
pn  libavformat52 | libavf <none>            (no description available)
pn  libavutil49 | libavuti <none>            (no description available)
ii  libc6                  2.7-15            GNU C Library: Shared libraries
pn  libdc1394-22           <none>            (no description available)
ii  libfreetype6           2.3.7-2           FreeType 2 font engine, shared lib
pn  libftgl2               <none>            (no description available)
ii  libgcc1                1:4.3.2-1         GCC support library
ii  libgl1-mesa-glx [libgl 7.0.3-6           A free implementation of the OpenG
ii  libglu1-mesa [libglu1] 7.0.3-6           The OpenGL utility library (GLU)
pn  libgsm1                <none>            (no description available)
ii  libilmbase6            1.0.1-2+nmu2      several utility libraries from ILM
ii  libjpeg62              6b-14             The Independent JPEG Group's JPEG 
ii  libogg0                1.1.3-4           Ogg Bitstream Library
pn  libopenal1             <none>            (no description available)
ii  libopenexr6            1.6.1-3           runtime files for the OpenEXR imag
ii  libpng12-0             1.2.27-2          PNG library - runtime
ii  libraw1394-8           1.3.0-4           library for direct access to IEEE 
pn  libsdl1.2debian        <none>            (no description available)
ii  libstdc++6             4.3.2-1           The GNU Standard C++ Library v3
pn  libswscale0 | libswsca <none>            (no description available)
ii  libtheora0             1.0~beta3-1       The Theora Video Compression Codec
ii  libvorbis0a            1.2.0.dfsg-3.1    The Vorbis General Audio Compressi
ii  libvorbisenc2          1.2.0.dfsg-3.1    The Vorbis General Audio Compressi
ii  libx11-6               2:1.1.5-2         X11 client-side library
ii  libxi6                 2:1.1.3-1         X11 Input extension library
ii  python                 2.5.2-2           An interactive high-level object-o
ii  python-support         0.8.6             automated rebuilding support for P
ii  python2.5              2.5.2-11.1        An interactive high-level object-o
ii  ttf-dejavu             2.25-3            Metapackage to pull in ttf-dejavu-
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

blender recommends no packages.

Versions of packages blender suggests:
ii  libtiff4                      3.8.2-11   Tag Image File Format (TIFF) libra
pn  yafray                        <none>     (no description available)

Message #10 received at 503632@bugs.debian.org (full text, mbox, reply):

From: James Vega <jamessan@debian.org>

To: 503632@bugs.debian.org

Cc: control@bugs.debian.org

Subject: Re: Bug#503632: blender: Python scripts load modules from current directory

Date: Mon, 27 Oct 2008 00:46:54 -0400

[Message part 1 (text/plain, inline)]

tag 503632 patch
thanks

On Mon, Oct 27, 2008 at 12:37:12AM -0400, James Vega wrote:
> Blender's BPY_interface calls PySys_SetArgv such that Python prepends
> sys.path with an empty string.  This allows the possibility to run
> arbitrary code on the user's system if there is a python file in
> Blender's working directory named the same as one that Blender's python
> scripts try to import.

Attached patch sanitizes Python's path.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@debian.org>

[pythonpath.diff (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #17 received at 503632@bugs.debian.org (full text, mbox, reply):

From: Cyril Brulebois <kibi@debian.org>

To: James Vega <jamessan@debian.org>, 503632@bugs.debian.org

Subject: Re: Bug#503632: blender: Python scripts load modules from current directory

Date: Mon, 27 Oct 2008 06:12:24 +0100

[Message part 1 (text/plain, inline)]

tag 503632 pending
thanks

James Vega <jamessan@debian.org> (27/10/2008):
> tag 503632 patch
> thanks

Thanks for the bug and the patch, will take appropriate measures.

Mraw,
KiBi.

[signature.asc (application/pgp-signature, inline)]

Message #24 received at 503632-close@bugs.debian.org (full text, mbox, reply):

From: Cyril Brulebois <kibi@debian.org>

To: 503632-close@bugs.debian.org

Subject: Bug#503632: fixed in blender 2.46+dfsg-5

Date: Mon, 27 Oct 2008 06:32:05 +0000

Source: blender
Source-Version: 2.46+dfsg-5

We believe that the bug you reported is fixed in the latest version of
blender, which is due to be installed in the Debian FTP archive:

blender_2.46+dfsg-5.diff.gz
  to pool/main/b/blender/blender_2.46+dfsg-5.diff.gz
blender_2.46+dfsg-5.dsc
  to pool/main/b/blender/blender_2.46+dfsg-5.dsc
blender_2.46+dfsg-5_amd64.deb
  to pool/main/b/blender/blender_2.46+dfsg-5_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 503632@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cyril Brulebois <kibi@debian.org> (supplier of updated blender package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 27 Oct 2008 06:44:20 +0100
Source: blender
Binary: blender
Architecture: source amd64
Version: 2.46+dfsg-5
Distribution: unstable
Urgency: high
Maintainer: Cyril Brulebois <kibi@debian.org>
Changed-By: Cyril Brulebois <kibi@debian.org>
Description: 
 blender    - Very fast and versatile 3D modeller/renderer
Closes: 503632
Changes: 
 blender (2.46+dfsg-5) unstable; urgency=high
 .
   * Include patch by James Vega (thanks!) to fix security bug: Blender's
     BPY_interface was calling PySys_SetArgv so that sys.path was prepended
     with an empty string, resulting in possible arbitrary code execution,
     when the working directory contains a file named like one that
     Blender's python scripts try to import (Closes: #503632). That patch
     removes empty elements from sys.path:
      - debian/patches/01_sanitize_sys.path
   * Urgency set to “high” accordingly.
Checksums-Sha1: 
 74e9f994361ab5c73145a26fa0cf54384de71d76 1501 blender_2.46+dfsg-5.dsc
 bacba55594836883fe92f3d7a94cebe8977e495c 29665 blender_2.46+dfsg-5.diff.gz
 68e935dc9ace11fd146a8e163684b5804b0595d6 8799234 blender_2.46+dfsg-5_amd64.deb
Checksums-Sha256: 
 afe335f5837a3aa5b3289f1220f52eb9030896a5c15ffef1dc4564f5ab4c14dd 1501 blender_2.46+dfsg-5.dsc
 edb85122f70babf146ce12f46367d302a3be944646318a5a4cb0978ea8e6fef0 29665 blender_2.46+dfsg-5.diff.gz
 649f0df0faddedf8ef6d7b0b7e3fe9106d9a8278f98ce562b5fa6ca684d84006 8799234 blender_2.46+dfsg-5_amd64.deb
Files: 
 a7be7f9e1145aedd801e10e057fc26e8 1501 graphics optional blender_2.46+dfsg-5.dsc
 60e32816f4e1554fe3b21b440c563375 29665 graphics optional blender_2.46+dfsg-5.diff.gz
 8b5ef125cf2572d7feccd81e25549437 8799234 graphics optional blender_2.46+dfsg-5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkFXR0ACgkQeGfVPHR5Nd2iXQCfTZH8oyuRmtM5GEQf08Di7AI6
A1MAoLsZpKHRntLLz44aRaW4FNWJVDdV
=OrUw
-----END PGP SIGNATURE-----

Message #29 received at 503632@bugs.debian.org (full text, mbox, reply):

From: Alex Romosan <romosan@caliban.lbl.gov>

To: 503632@bugs.debian.org

Subject: Python scripts load modules from current directory

Date: Wed, 12 Nov 2008 16:09:29 -0800

as intended, i guess, this patch breaks loading modules from the
current directory but i have scripts that need to load extra modules
from the current directory. how does one do it now? i've modified my
scripts to do

import sys
sys.path.append(".")

import Module

but this seems silly. shouldn't the current directory be appended to
the end of the system path so system modules are loaded first and then
if they don't exist they are loaded from the current directory?

--alex--

-- 
| I believe the moment is at hand when, by a paranoiac and active |
|  advance of the mind, it will be possible (simultaneously with  |
|  automatism and other passive states) to systematize confusion  |
|  and thus to help to discredit completely the world of reality. |

Message #34 received at 503632@bugs.debian.org (full text, mbox, reply):

From: Cyril Brulebois <kibi@debian.org>

To: Alex Romosan <romosan@caliban.lbl.gov>, 503632@bugs.debian.org

Subject: Re: Bug#503632: Python scripts load modules from current directory

Date: Tue, 18 Nov 2008 01:45:03 +0100

[Message part 1 (text/plain, inline)]

Hi Alex.

Alex Romosan <romosan@caliban.lbl.gov> (12/11/2008):
> as intended, i guess, this patch breaks loading modules from the
> current directory but i have scripts that need to load extra modules
> from the current directory. how does one do it now? i've modified my
> scripts to do
> 
> import sys
> sys.path.append(".")
> 
> import Module

You could also set PYTHONPATH, I guess? (Though untested, I only recall
having done so when hacking some pythonish stuff, having some modules
under lib/, so that scripts under bin/ could use them.)

> but this seems silly. shouldn't the current directory be appended to
> the end of the system path so system modules are loaded first and then
> if they don't exist they are loaded from the current directory?

That might be done, but I'm not very inclined to relax that sanity check
to allow “userscripts” again; I'm sorry, I kind of prefer having people
deliberately add “.” as you mentioned to having possible security holes
(not as obvious as previously, but I guess one could craft something).

Mraw,
KiBi.

[signature.asc (application/pgp-signature, inline)]

Message #39 received at 503632@bugs.debian.org (full text, mbox, reply):

From: Alex Romosan <romosan@caliban.lbl.gov>

To: Cyril Brulebois <kibi@debian.org>

Cc: 503632@bugs.debian.org

Subject: Re: Bug#503632: Python scripts load modules from current directory

Date: Mon, 17 Nov 2008 17:02:08 -0800

Cyril Brulebois <kibi@debian.org> writes:

> Alex Romosan <romosan@caliban.lbl.gov> (12/11/2008):
>
>> but this seems silly. shouldn't the current directory be appended to
>> the end of the system path so system modules are loaded first and then
>> if they don't exist they are loaded from the current directory?
>
> That might be done, but I'm not very inclined to relax that sanity check
> to allow “userscripts” again; I'm sorry, I kind of prefer having people
> deliberately add “.” as you mentioned to having possible security holes
> (not as obvious as previously, but I guess one could craft something).

i agree that having the current directory first in the path is a
security risk but having it after the system paths wouldn't it mean
that the system modules were loaded so there would be no security
risk?

--alex--

-- 
| I believe the moment is at hand when, by a paranoiac and active |
|  advance of the mind, it will be possible (simultaneously with  |
|  automatism and other passive states) to systematize confusion  |
|  and thus to help to discredit completely the world of reality. |

Message #44 received at 503632-close@bugs.debian.org (full text, mbox, reply):

From: Cyril Brulebois <kibi@debian.org>

To: 503632-close@bugs.debian.org

Subject: Bug#503632: fixed in blender 2.42a-8

Date: Thu, 04 Dec 2008 19:53:02 +0000

Source: blender
Source-Version: 2.42a-8

We believe that the bug you reported is fixed in the latest version of
blender, which is due to be installed in the Debian FTP archive:

blender_2.42a-8.diff.gz
  to pool/main/b/blender/blender_2.42a-8.diff.gz
blender_2.42a-8.dsc
  to pool/main/b/blender/blender_2.42a-8.dsc
blender_2.42a-8_amd64.deb
  to pool/main/b/blender/blender_2.42a-8_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 503632@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cyril Brulebois <kibi@debian.org> (supplier of updated blender package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 29 Nov 2008 18:48:10 +0100
Source: blender
Binary: blender
Architecture: source amd64
Version: 2.42a-8
Distribution: stable
Urgency: low
Maintainer: Cyril Brulebois <kibi@debian.org>
Changed-By: Cyril Brulebois <kibi@debian.org>
Description: 
 blender    - Very fast and versatile 3D modeller/renderer
Closes: 503632
Changes: 
 blender (2.42a-8) stable; urgency=low
 .
   * Include patch by James Vega (thanks!) to fix security bug: Blender's
     BPY_interface was calling PySys_SetArgv so that sys.path was prepended
     with an empty string, resulting in possible arbitrary code execution,
     when the working directory contains a file named like one that
     Blender's python scripts try to import (Closes: #503632). That patch
     removes empty elements from sys.path:
      - debian/patches/01_sanitize_sys.path
     This is CVE-2008-4863.
   * Acknowledge previous NMU by the security team, thanks Devin Carraway.
   * Update Maintainer/Uploaders.
Files: 
 83034e610697736933ab5bbb1515741c 883 graphics optional blender_2.42a-8.dsc
 c1bc77923cc3c6712adb3b43a1e7d6cf 30192 graphics optional blender_2.42a-8.diff.gz
 26b71cf18193f2fb3169b4983c76064a 6373114 graphics optional blender_2.42a-8_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkxm5kACgkQeGfVPHR5Nd3L4wCg0H4sA+a3Y3jxopKPL2EnPXeU
HE4An21CubEk77w80eIUMNz+qMf8kdLt
=siur
-----END PGP SIGNATURE-----

Message #49 received at 503632@bugs.debian.org (full text, mbox, reply):

From: James Vega <jamessan@debian.org>

To: 503632@bugs.debian.org, 504251@bugs.debian.org, 504352@bugs.debian.org, 504359@bugs.debian.org, 504363@bugs.debian.org

Subject: Suggested patch isn't applicable to all OSes

Date: Thu, 4 Dec 2008 15:23:47 -0500

[Message part 1 (text/plain, inline)]

As I discovered while discussing the Python path patch with Vim's
upstream[0], the patch I suggested to fix these bugs only works if the
libc follows SUS' definition[1] of how realpath(3) works.

Specifically, it must return NULL when given an empty string for the
path.  At least FreeBSD instead returns the current working directory of
the process[2], which means that removing the empty elements from
sys.path no longer has an effect.

When sending bug reports to your respective upstream, I'd suggest either
adjusting the patch to simply remove the first element of sys.path or
give a garbage path to PySys_SetArgv and explicitly filter that out of
sys.path (as was done by Vim's upstream[3]).

[0] - http://bugs.debian.org/493937
[1] - http://www.opengroup.org/onlinepubs/009695399/functions/realpath.html
[2] - http://www.freebsd.org/cgi/query-pr.cgi?pr=128933
[3] - http://ftp.vim.org/pub/vim/patches/7.2/7.2.045
-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@debian.org>

[signature.asc (application/pgp-signature, inline)]

Message #54 received at 503632-close@bugs.debian.org (full text, mbox, reply):

From: Cyril Brulebois <kibi@debian.org>

To: 503632-close@bugs.debian.org

Subject: Bug#503632: fixed in blender 2.42a-8

Date: Wed, 17 Dec 2008 21:02:50 +0000

Source: blender
Source-Version: 2.42a-8

We believe that the bug you reported is fixed in the latest version of
blender, which is due to be installed in the Debian FTP archive:

blender_2.42a-8.diff.gz
  to pool/main/b/blender/blender_2.42a-8.diff.gz
blender_2.42a-8.dsc
  to pool/main/b/blender/blender_2.42a-8.dsc
blender_2.42a-8_amd64.deb
  to pool/main/b/blender/blender_2.42a-8_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 503632@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cyril Brulebois <kibi@debian.org> (supplier of updated blender package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 29 Nov 2008 18:48:10 +0100
Source: blender
Binary: blender
Architecture: source amd64
Version: 2.42a-8
Distribution: stable
Urgency: low
Maintainer: Cyril Brulebois <kibi@debian.org>
Changed-By: Cyril Brulebois <kibi@debian.org>
Description: 
 blender    - Very fast and versatile 3D modeller/renderer
Closes: 503632
Changes: 
 blender (2.42a-8) stable; urgency=low
 .
   * Include patch by James Vega (thanks!) to fix security bug: Blender's
     BPY_interface was calling PySys_SetArgv so that sys.path was prepended
     with an empty string, resulting in possible arbitrary code execution,
     when the working directory contains a file named like one that
     Blender's python scripts try to import (Closes: #503632). That patch
     removes empty elements from sys.path:
      - debian/patches/01_sanitize_sys.path
     This is CVE-2008-4863.
   * Acknowledge previous NMU by the security team, thanks Devin Carraway.
   * Update Maintainer/Uploaders.
Files: 
 83034e610697736933ab5bbb1515741c 883 graphics optional blender_2.42a-8.dsc
 c1bc77923cc3c6712adb3b43a1e7d6cf 30192 graphics optional blender_2.42a-8.diff.gz
 26b71cf18193f2fb3169b4983c76064a 6373114 graphics optional blender_2.42a-8_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkxm5kACgkQeGfVPHR5Nd3L4wCg0H4sA+a3Y3jxopKPL2EnPXeU
HE4An21CubEk77w80eIUMNz+qMf8kdLt
=siur
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.