Debian Bug report logs - #503632
blender: Python scripts load modules from current directory
Reported by: James Vega <jamessan@debian.org>
Date: Mon, 27 Oct 2008 04:39:02 UTC
Severity: grave
Tags: patch, security
Found in version blender/2.46+dfsg-4
Fixed in versions blender/2.46+dfsg-5, blender/2.42a-8
Done: Cyril Brulebois <kibi@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Cyril Brulebois <kibi@debian.org>: Bug#503632; Package blender. (Mon, 27 Oct 2008 04:39:04 GMT)
Acknowledgement sent to James Vega <jamessan@debian.org>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Cyril Brulebois <kibi@debian.org>. (Mon, 27 Oct 2008 04:39:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: blender
Version: 2.46+dfsg-4
Severity: grave
Tags: security
Justification: user security hole
Usertags: pythonpath
Blender's BPY_interface calls PySys_SetArgv such that Python prepends
sys.path with an empty string. This allows the possibility to run
arbitrary code on the user's system if there is a python file in
Blender's working directory named the same as one that Blender's python
scripts try to import.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages blender depends on:
ii gettext [libgettextpo0 0.17-4 GNU Internationalization utilities
pn libalut0 <none> (no description available)
pn libavcodec51 | libavco <none> (no description available)
pn libavformat52 | libavf <none> (no description available)
pn libavutil49 | libavuti <none> (no description available)
ii libc6 2.7-15 GNU C Library: Shared libraries
pn libdc1394-22 <none> (no description available)
ii libfreetype6 2.3.7-2 FreeType 2 font engine, shared lib
pn libftgl2 <none> (no description available)
ii libgcc1 1:4.3.2-1 GCC support library
ii libgl1-mesa-glx [libgl 7.0.3-6 A free implementation of the OpenG
ii libglu1-mesa [libglu1] 7.0.3-6 The OpenGL utility library (GLU)
pn libgsm1 <none> (no description available)
ii libilmbase6 1.0.1-2+nmu2 several utility libraries from ILM
ii libjpeg62 6b-14 The Independent JPEG Group's JPEG
ii libogg0 1.1.3-4 Ogg Bitstream Library
pn libopenal1 <none> (no description available)
ii libopenexr6 1.6.1-3 runtime files for the OpenEXR imag
ii libpng12-0 1.2.27-2 PNG library - runtime
ii libraw1394-8 1.3.0-4 library for direct access to IEEE
pn libsdl1.2debian <none> (no description available)
ii libstdc++6 4.3.2-1 The GNU Standard C++ Library v3
pn libswscale0 | libswsca <none> (no description available)
ii libtheora0 1.0~beta3-1 The Theora Video Compression Codec
ii libvorbis0a 1.2.0.dfsg-3.1 The Vorbis General Audio Compressi
ii libvorbisenc2 1.2.0.dfsg-3.1 The Vorbis General Audio Compressi
ii libx11-6 2:1.1.5-2 X11 client-side library
ii libxi6 2:1.1.3-1 X11 Input extension library
ii python 2.5.2-2 An interactive high-level object-o
ii python-support 0.8.6 automated rebuilding support for P
ii python2.5 2.5.2-11.1 An interactive high-level object-o
ii ttf-dejavu 2.25-3 Metapackage to pull in ttf-dejavu-
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
blender recommends no packages.
Versions of packages blender suggests:
ii libtiff4 3.8.2-11 Tag Image File Format (TIFF) libra
pn yafray <none> (no description available)
Information forwarded to debian-bugs-dist@lists.debian.org, Cyril Brulebois <kibi@debian.org>: Bug#503632; Package blender. (Mon, 27 Oct 2008 04:48:02 GMT)
Acknowledgement sent to James Vega <jamessan@debian.org>: Extra info received and forwarded to list. Copy sent to Cyril Brulebois <kibi@debian.org>. (Mon, 27 Oct 2008 04:48:02 GMT)
Message #10 received at 503632@bugs.debian.org:
tag 503632 patch
thanks
On Mon, Oct 27, 2008 at 12:37:12AM -0400, James Vega wrote:
> Blender's BPY_interface calls PySys_SetArgv such that Python prepends
> sys.path with an empty string. This allows the possibility to run
> arbitrary code on the user's system if there is a python file in
> Blender's working directory named the same as one that Blender's python
> scripts try to import.
Attached patch sanitizes Python's path.
--
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@debian.org>
[pythonpath.diff (text/x-diff, attachment)]
Tags added: patch. Request was from James Vega <jamessan@debian.org> to control@bugs.debian.org. (Mon, 27 Oct 2008 04:48:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#503632; Package blender. (Mon, 27 Oct 2008 05:15:04 GMT)
Acknowledgement sent to Cyril Brulebois <kibi@debian.org>: Extra info received and forwarded to list. (Mon, 27 Oct 2008 05:15:04 GMT)
Message #17 received at 503632@bugs.debian.org:
tag 503632 pending
thanks
James Vega <jamessan@debian.org> (27/10/2008):
> tag 503632 patch
> thanks
Thanks for the bug and the patch, will take appropriate measures.
Mraw,
KiBi.
Tags added: pending. Request was from Cyril Brulebois <kibi@debian.org> to control@bugs.debian.org. (Mon, 27 Oct 2008 05:18:03 GMT)
Reply sent to Cyril Brulebois <kibi@debian.org>: You have taken responsibility. (Mon, 27 Oct 2008 06:51:06 GMT)
Notification sent to James Vega <jamessan@debian.org>: Bug acknowledged by developer. (Mon, 27 Oct 2008 06:51:06 GMT)
Message #24 received at 503632-close@bugs.debian.org:
Source: blender
Source-Version: 2.46+dfsg-5
We believe that the bug you reported is fixed in the latest version of
blender, which is due to be installed in the Debian FTP archive:
blender_2.46+dfsg-5.diff.gz
to pool/main/b/blender/blender_2.46+dfsg-5.diff.gz
blender_2.46+dfsg-5.dsc
to pool/main/b/blender/blender_2.46+dfsg-5.dsc
blender_2.46+dfsg-5_amd64.deb
to pool/main/b/blender/blender_2.46+dfsg-5_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 503632@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Cyril Brulebois <kibi@debian.org> (supplier of updated blender package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 27 Oct 2008 06:44:20 +0100
Source: blender
Binary: blender
Architecture: source amd64
Version: 2.46+dfsg-5
Distribution: unstable
Urgency: high
Maintainer: Cyril Brulebois <kibi@debian.org>
Changed-By: Cyril Brulebois <kibi@debian.org>
Description:
blender - Very fast and versatile 3D modeller/renderer
Closes: 503632
Changes:
blender (2.46+dfsg-5) unstable; urgency=high
.
* Include patch by James Vega (thanks!) to fix security bug: Blender's
BPY_interface was calling PySys_SetArgv so that sys.path was prepended
with an empty string, resulting in possible arbitrary code execution,
when the working directory contains a file named like one that
Blender's python scripts try to import (Closes: #503632). That patch
removes empty elements from sys.path:
- debian/patches/01_sanitize_sys.path
* Urgency set to “high” accordingly.
Checksums-Sha1:
74e9f994361ab5c73145a26fa0cf54384de71d76 1501 blender_2.46+dfsg-5.dsc
bacba55594836883fe92f3d7a94cebe8977e495c 29665 blender_2.46+dfsg-5.diff.gz
68e935dc9ace11fd146a8e163684b5804b0595d6 8799234 blender_2.46+dfsg-5_amd64.deb
Checksums-Sha256:
afe335f5837a3aa5b3289f1220f52eb9030896a5c15ffef1dc4564f5ab4c14dd 1501 blender_2.46+dfsg-5.dsc
edb85122f70babf146ce12f46367d302a3be944646318a5a4cb0978ea8e6fef0 29665 blender_2.46+dfsg-5.diff.gz
649f0df0faddedf8ef6d7b0b7e3fe9106d9a8278f98ce562b5fa6ca684d84006 8799234 blender_2.46+dfsg-5_amd64.deb
Files:
a7be7f9e1145aedd801e10e057fc26e8 1501 graphics optional blender_2.46+dfsg-5.dsc
60e32816f4e1554fe3b21b440c563375 29665 graphics optional blender_2.46+dfsg-5.diff.gz
8b5ef125cf2572d7feccd81e25549437 8799234 graphics optional blender_2.46+dfsg-5_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkFXR0ACgkQeGfVPHR5Nd2iXQCfTZH8oyuRmtM5GEQf08Di7AI6
A1MAoLsZpKHRntLLz44aRaW4FNWJVDdV
=OrUw
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Cyril Brulebois <kibi@debian.org>: Bug#503632; Package blender. (Thu, 13 Nov 2008 00:12:05 GMT)
Acknowledgement sent to Alex Romosan <romosan@caliban.lbl.gov>: Extra info received and forwarded to list. Copy sent to Cyril Brulebois <kibi@debian.org>. (Thu, 13 Nov 2008 00:12:06 GMT)
Message #29 received at 503632@bugs.debian.org:
as intended, i guess, this patch breaks loading modules from the
current directory but i have scripts that need to load extra modules
from the current directory. how does one do it now? i've modified my
scripts to do
import sys
sys.path.append(".")
import Module
but this seems silly. shouldn't the current directory be appended to
the end of the system path so system modules are loaded first and then
if they don't exist they are loaded from the current directory?
--alex--
--
| I believe the moment is at hand when, by a paranoiac and active |
| advance of the mind, it will be possible (simultaneously with |
| automatism and other passive states) to systematize confusion |
| and thus to help to discredit completely the world of reality. |
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#503632; Package blender. (Tue, 18 Nov 2008 00:48:07 GMT)
Acknowledgement sent to Cyril Brulebois <kibi@debian.org>: Extra info received and forwarded to list. (Tue, 18 Nov 2008 00:48:07 GMT)
Message #34 received at 503632@bugs.debian.org:
Hi Alex.
Alex Romosan <romosan@caliban.lbl.gov> (12/11/2008):
> as intended, i guess, this patch breaks loading modules from the
> current directory but i have scripts that need to load extra modules
> from the current directory. how does one do it now? i've modified my
> scripts to do
>
> import sys
> sys.path.append(".")
>
> import Module
You could also set PYTHONPATH, I guess? (Though untested, I only recall
having done so when hacking some pythonish stuff, having some modules
under lib/, so that scripts under bin/ could use them.)
> but this seems silly. shouldn't the current directory be appended to
> the end of the system path so system modules are loaded first and then
> if they don't exist they are loaded from the current directory?
That might be done, but I'm not very inclined to relax that sanity check
to allow “userscripts” again; I'm sorry, I kind of prefer having people
deliberately add “.” as you mentioned to having possible security holes
(not as obvious as previously, but I guess one could craft something).
Mraw,
KiBi.
Information forwarded to debian-bugs-dist@lists.debian.org, Cyril Brulebois <kibi@debian.org>: Bug#503632; Package blender. (Tue, 18 Nov 2008 01:03:05 GMT)
Acknowledgement sent to Alex Romosan <romosan@caliban.lbl.gov>: Extra info received and forwarded to list. Copy sent to Cyril Brulebois <kibi@debian.org>. (Tue, 18 Nov 2008 01:03:06 GMT)
Message #39 received at 503632@bugs.debian.org:
Cyril Brulebois <kibi@debian.org> writes:
> Alex Romosan <romosan@caliban.lbl.gov> (12/11/2008):
>
>> but this seems silly. shouldn't the current directory be appended to
>> the end of the system path so system modules are loaded first and then
>> if they don't exist they are loaded from the current directory?
>
> That might be done, but I'm not very inclined to relax that sanity check
> to allow “userscripts” again; I'm sorry, I kind of prefer having people
> deliberately add “.” as you mentioned to having possible security holes
> (not as obvious as previously, but I guess one could craft something).
i agree that having the current directory first in the path is a
security risk but having it after the system paths wouldn't it mean
that the system modules were loaded so there would be no security
risk?
--alex--
--
| I believe the moment is at hand when, by a paranoiac and active |
| advance of the mind, it will be possible (simultaneously with |
| automatism and other passive states) to systematize confusion |
| and thus to help to discredit completely the world of reality. |
Reply sent to Cyril Brulebois <kibi@debian.org>: You have taken responsibility. (Thu, 04 Dec 2008 20:03:09 GMT)
Notification sent to James Vega <jamessan@debian.org>: Bug acknowledged by developer. (Thu, 04 Dec 2008 20:03:09 GMT)
Message #44 received at 503632-close@bugs.debian.org:
Source: blender
Source-Version: 2.42a-8
We believe that the bug you reported is fixed in the latest version of
blender, which is due to be installed in the Debian FTP archive:
blender_2.42a-8.diff.gz
to pool/main/b/blender/blender_2.42a-8.diff.gz
blender_2.42a-8.dsc
to pool/main/b/blender/blender_2.42a-8.dsc
blender_2.42a-8_amd64.deb
to pool/main/b/blender/blender_2.42a-8_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 503632@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Cyril Brulebois <kibi@debian.org> (supplier of updated blender package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 29 Nov 2008 18:48:10 +0100
Source: blender
Binary: blender
Architecture: source amd64
Version: 2.42a-8
Distribution: stable
Urgency: low
Maintainer: Cyril Brulebois <kibi@debian.org>
Changed-By: Cyril Brulebois <kibi@debian.org>
Description:
blender - Very fast and versatile 3D modeller/renderer
Closes: 503632
Changes:
blender (2.42a-8) stable; urgency=low
.
* Include patch by James Vega (thanks!) to fix security bug: Blender's
BPY_interface was calling PySys_SetArgv so that sys.path was prepended
with an empty string, resulting in possible arbitrary code execution,
when the working directory contains a file named like one that
Blender's python scripts try to import (Closes: #503632). That patch
removes empty elements from sys.path:
- debian/patches/01_sanitize_sys.path
This is CVE-2008-4863.
* Acknowledge previous NMU by the security team, thanks Devin Carraway.
* Update Maintainer/Uploaders.
Files:
83034e610697736933ab5bbb1515741c 883 graphics optional blender_2.42a-8.dsc
c1bc77923cc3c6712adb3b43a1e7d6cf 30192 graphics optional blender_2.42a-8.diff.gz
26b71cf18193f2fb3169b4983c76064a 6373114 graphics optional blender_2.42a-8_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkxm5kACgkQeGfVPHR5Nd3L4wCg0H4sA+a3Y3jxopKPL2EnPXeU
HE4An21CubEk77w80eIUMNz+qMf8kdLt
=siur
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Cyril Brulebois <kibi@debian.org>: Bug#503632; Package blender. (Thu, 04 Dec 2008 20:27:02 GMT)
Acknowledgement sent to James Vega <jamessan@debian.org>: Extra info received and forwarded to list. Copy sent to Cyril Brulebois <kibi@debian.org>. (Thu, 04 Dec 2008 20:27:02 GMT)
Message #49 received at 503632@bugs.debian.org:
As I discovered while discussing the Python path patch with Vim's
upstream[0], the patch I suggested to fix these bugs only works if the
libc follows SUS' definition[1] of how realpath(3) works.
Specifically, it must return NULL when given an empty string for the
path. At least FreeBSD instead returns the current working directory of
the process[2], which means that removing the empty elements from
sys.path no longer has an effect.
When sending bug reports to your respective upstream, I'd suggest either
adjusting the patch to simply remove the first element of sys.path or
give a garbage path to PySys_SetArgv and explicitly filter that out of
sys.path (as was done by Vim's upstream[3]).
[0] - http://bugs.debian.org/493937
[1] - http://www.opengroup.org/onlinepubs/009695399/functions/realpath.html
[2] - http://www.freebsd.org/cgi/query-pr.cgi?pr=128933
[3] - http://ftp.vim.org/pub/vim/patches/7.2/7.2.045
--
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@debian.org>
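The following is an added example, not code from Blender, from the Debian patch, or from any participant in this log. It reproduces the import shadowing the report describes by asking Python's import machinery to resolve a hypothetical module name ("blender_helper", made up here) against constructed search-path shapes: the '' entry that results when realpath("") fails, the working-directory entry a libc whose realpath("") returns the cwd would leave (the FreeBSD case James describes), and the cwd-last order Alex asked about. The system directory is a constructed stand-in and need not exist; the scratch directory and its module file are created by the example itself. It runs under Python 3 rather than the Python 2.5 of the report; the search-path semantics shown are the same.

```python
# Added example (not Blender's code and not the Debian patch): how an
# argv-derived entry at the front of sys.path lets a file in the working
# directory shadow a module, and why "strip empty entries" is only a fix on
# libcs whose realpath("") fails. Module name and paths are made up.
import importlib.machinery
import os
import tempfile
from contextlib import contextmanager

HIJACK_MODULE = "blender_helper"   # hypothetical name a Blender script imports
SYSTEM_DIR = "/usr/lib/python2.5"  # constructed stand-in for the real site dir


@contextmanager
def working_dir_with_module(name):
    """Create a scratch directory containing <name>.py and chdir into it.

    This is the attacker's precondition from the report: Blender is started
    with a working directory the attacker can write to.
    """
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, name + ".py"), "w") as fh:
            fh.write("PAYLOAD = 'module loaded from the working directory'\n")
        os.chdir(tmp)
        try:
            yield tmp
        finally:
            os.chdir(old_cwd)


def resolves_from_cwd(name, search_path):
    """True if `name` would be imported from the current working directory.

    PathFinder is queried with our own path list, so sys.path and
    sys.modules are never touched. An '' entry is resolved to os.getcwd()
    by the import machinery, exactly as it is for a '' in sys.path.
    """
    spec = importlib.machinery.PathFinder.find_spec(name, list(search_path))
    if spec is None or spec.origin is None:
        return False
    found_in = os.path.dirname(os.path.realpath(spec.origin))
    return found_in == os.path.realpath(os.getcwd())


def remove_empty_entries(entries):
    """The fix as described in the changelog: drop '' entries.

    Sufficient when realpath("") fails, because PySys_SetArgv then inserts
    ''. Not sufficient when the libc resolves "" to the working directory,
    because the inserted entry is then a real absolute path.
    """
    return [e for e in entries if e != ""]


def drop_argv0_entry(entries):
    """James Vega's follow-up suggestion: remove the element PySys_SetArgv
    inserted, which is always position 0, whatever string it holds."""
    return list(entries[1:])


def demo(name=HIJACK_MODULE):
    """Run the scenarios; each value is True if the module comes from the cwd."""
    with working_dir_with_module(name):
        cwd = os.getcwd()
        glibc_shape = ["", SYSTEM_DIR]        # realpath("") failed, '' inserted
        freebsd_shape = [cwd, SYSTEM_DIR]     # realpath("") returned the cwd
        cwd_last = [SYSTEM_DIR, cwd]          # Alex's proposal: cwd after system dirs
        return {
            "empty_entry_hijacks": resolves_from_cwd(name, glibc_shape),
            "cwd_entry_hijacks": resolves_from_cwd(name, freebsd_shape),
            "strip_empty_on_glibc": resolves_from_cwd(name, remove_empty_entries(glibc_shape)),
            "strip_empty_on_freebsd": resolves_from_cwd(name, remove_empty_entries(freebsd_shape)),
            "drop_first_on_glibc": resolves_from_cwd(name, drop_argv0_entry(glibc_shape)),
            "drop_first_on_freebsd": resolves_from_cwd(name, drop_argv0_entry(freebsd_shape)),
            # With the cwd last, an installed module wins, but any name the
            # scripts import that is *not* installed is still taken from the cwd.
            "cwd_last_supplies_missing_module": resolves_from_cwd(name, cwd_last),
        }


if __name__ == "__main__":
    for scenario, hijacked in demo().items():
        print(f"{scenario:34s} loads from cwd: {hijacked}")
```

Running the file prints one line per scenario. The two results worth noting are `strip_empty_on_freebsd`, which stays True because the offending entry is a real path rather than '', and `cwd_last_supplies_missing_module`, which stays True: moving the working directory to the end only protects names that are actually installed, so an optional or misspelled import in a script is still satisfied from the attacker's directory.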
Reply sent to Cyril Brulebois <kibi@debian.org>: You have taken responsibility. (Wed, 17 Dec 2008 21:19:58 GMT)
Notification sent to James Vega <jamessan@debian.org>: Bug acknowledged by developer. (Wed, 17 Dec 2008 21:20:22 GMT)
Message #54 received at 503632-close@bugs.debian.org:
Source: blender
Source-Version: 2.42a-8
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 15 Jan 2009 07:27:50 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:42:21 2019.