Security
Blender security vs. usability
A bug in the Blender 3D graphics rendering program, which was recently fixed in Gentoo and Fedora, may not really be a bug at all, depending on who you listen to. Even though it has been assigned CVE-2009-3850, there is a vocal segment—perhaps an overwhelming majority—of longtime Blender users who don't want to see problems like this fixed because it can seriously affect their workflow. It is an example of the classic tradeoff between usability and security, and it would seem that usability is winning out—at least for mainline Blender development.
The problem stems from Blender's use of Python as its scripting language. A malicious script has access to all of the power of Python running as the user, so it could completely compromise the user's account. It is essentially the same problem that various macro languages in office suites have had, but those languages are generally less powerful than Python—or are at least meant to be. An attacker could put up an enticing .blend file, which promised to provide some interesting 3D representation or effect, that instead (or in addition) installed a virus, botnet client, or spam-ware. Other nasty effects are possible too, of course.
For office suite macros and other similar application scripting languages, there is often a dialog before running the code contained in a file, so that users can decide whether or not to run it. Or users can disable scripting entirely via the application preferences. For Blender, though, the default is that code inside .blend files is run, without prompting, making it easy to craft attacks if users can be enticed to open the file. That feature can be turned off in the preferences, but that doesn't affect Blender when it is running in background mode.
Background mode is a GUI-less version of Blender that is meant to be run on "render farms" (multiple machines that render different parts of the scene or animation). As might be guessed, scripts are used to control what gets rendered by Blender running in background mode, so disabling scripts by default in background mode would be fairly pointless for hardcore Blender users. But, for Blender neophytes—who are typically running in GUI mode—grabbing a file from the internet to try out the program is probably not something they expect can lead to system compromise.
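A defensive pre-open check that a render-farm operator or cautious user could run over downloaded files, added here as an example and not part of the article or of Blender itself: it walks the .blend file-block structure (the layout assumed is the documented one for the format) and reports whether the file carries Text datablocks, which is where embedded scripts are stored. It is a coarse indicator only: a text block need not be a script, and whether Blender executes it depends on the registration and preference settings the scan does not examine.

```python
import gzip
import struct

# Layout assumed here (the documented .blend structure, not taken from the article):
#   header: b"BLENDER", pointer size ('_' = 4, '-' = 8), endianness ('v' = little,
#           'V' = big) and a 3-char version, 12 bytes in total
#   blocks: [4-byte code][int32 size][old pointer][int32 SDNA index][int32 count]
#           then `size` bytes of data; the final block carries the code "ENDB".
# Text datablocks, the containers Blender scripts are stored in, use code "TX".

def _decompress(data: bytes) -> bytes:
    # Blender may gzip the whole file; the header then starts with 1f 8b.
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    if data[:7] != b"BLENDER":
        raise ValueError("not a .blend file")
    return data

def scan_blocks(data: bytes) -> dict:
    """Return a count per block code; raise on truncated or overrunning blocks."""
    data = _decompress(data)
    psize = 8 if data[7:8] == b"-" else 4
    endian = "<" if data[8:9] == b"v" else ">"
    hdr = struct.Struct(f"{endian}4si{psize}sii")
    counts: dict = {}
    off = 12  # first block follows the fixed-size header
    while True:
        if off + hdr.size > len(data):
            raise ValueError(f"truncated block header at offset {off}")
        raw_code, size, _old_ptr, _sdna, _count = hdr.unpack_from(data, off)
        code = raw_code.rstrip(b"\0").decode("ascii", "replace")
        counts[code] = counts.get(code, 0) + 1
        if code == "ENDB":
            return counts
        if size < 0 or off + hdr.size + size > len(data):
            raise ValueError(f"block {code!r} overruns the file")
        off += hdr.size + size

def has_text_blocks(data: bytes) -> bool:
    """True if any TX datablock is present: a coarse 'may carry scripts' flag."""
    return scan_blocks(data).get("TX", 0) > 0

def make_sample(with_text: bool) -> bytes:
    """Constructed minimal 64-bit little-endian .blend used for offline testing."""
    def block(code: bytes, payload: bytes) -> bytes:
        return struct.pack("<4si8sii", code, len(payload), b"\0" * 8, 0, 1) + payload
    body = block(b"GLOB", b"\0" * 16)
    if with_text:
        body += block(b"TX\0\0", b"\0" * 8)  # stand-in for a real Text struct
    return b"BLENDER-v249" + body + block(b"ENDB", b"")
```

Run `has_text_blocks(open(path, "rb").read())` on a file before opening it in GUI mode; a `True` result is a reason to review the file with scripting disabled first.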
The problem was discovered by CoreLabs Research in October 2009 and communicated to the Blender team, but there has been no real fix made in the mainline since then. It was reported in the bugzillas for both Red Hat and Gentoo in November 2009, but very little action was taken by either distribution until Sebastian Pipping started looking into it in April of this year. It would seem that both distributions were assuming that a fix would be coming from upstream, but none materialized.
As Pipping points out in his analysis in the Gentoo bug report, upstream is indifferent, at best, to changing the default. A long thread in the blender-committers mailing list from April 2010 makes it clear that many of the users and developers of Blender find that security fixes are just getting in their way. Part of the problem is that the "trusted source" fix made for Blender 2.50 was not fully baked and caused problems for many—including many hours of wasted rendering time.
But distributions sometimes have different priorities than application projects, and protecting the uninitiated from non-obvious ways to compromise their system is generally high on any distribution's list. So, Pipping created a patch for Gentoo and alerted Fedora about it, which resulted in the Fedora fixes released on July 13. So far, Gentoo has not put out an advisory, though the fix is in its repositories.
The fix itself is fairly straightforward, though there are a few wrinkles. Part of the problem is that Blender uses different mechanisms to control scripting depending on whether you are in GUI or background mode. So enabling scripting in GUI mode does not affect what happens with background mode and vice versa, which is one of the problems that Blender users were complaining about when 2.50 was released. In addition, the flags used for controlling scripting (-y and -Y) have changed senses between 2.49 and 2.50. So, Pipping chose -666 as the flag to disable scripting in GUI mode. Security-conscious users (or distributions) can put that flag in the .desktop file to disable scripting in GUI mode, but leave background mode (where running code from untrusted sources is unlikely) alone. Users who wish to run scripts in GUI mode can still enable that through the interface.
One does wonder why Blender doesn't just make the defaults different for the two different modes. If GUI mode defaulted to "scripting off", the problem would largely go away, without adversely affecting the power-users who are largely rendering in background mode. The minor inconvenience of turning on the feature, once, in their GUI session would seem like a reasonable tradeoff.
In the end, it is a fairly minor problem, overall, and it's hard to imagine that there are legions of attackers out there crafting malicious Blender scripts—the payoff is just too small. Targeted attacks might be more plausible, but finding targets with Blender installed and no understanding of the potential danger of scripts in .blend files might be something of a stretch. But users do not expect that opening a spreadsheet will compromise their system, and they should expect no less of opening a file in another kind of application. Since it seems that Blender isn't interested in fixing the problem, distributions are obviously right to step in and do so.
Brief items
Security quotes of the week
17:05:49 <dvlasenk> I tried to understand what Trusted Boot *is*, and failed.
17:06:11 <ajax> dvlasenk: it's a complicated way of making your machine less likely to work.
Many Android Apps Are Leaking Private Information, Researcher Says (Dark Reading)
Dark Reading previews a talk that will be given at the upcoming Black Hat Conference about Android application security issues. The talk is based on a study that looked at Android applications to determine the kinds of security problems that they had. "In the study, Dasient analyzed the live behavior of Android apps to determine their security posture. Of the 10,000 applications evaluated, more than 800 were found to be leaking personal data to an unauthorized server, [Neil] Daswani says. [...] In addition, the researchers found that 11 of the applications were sending potentially unwanted SMS messages out to other smartphones -- the mobile version of spam, Daswani says."
New vulnerabilities
drupal7: restriction bypass
| Package(s): | drupal7 | CVE #(s): | CVE-2011-2687 |
| Created: | July 18, 2011 | Updated: | July 20, 2011 |
| Description: | From the Drupal advisory: Listings showing nodes but not JOINing the node table show all nodes regardless of restrictions imposed by the node_access system. In core, this affects the taxonomy and the forum subsystem. |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2011-2479 |
| Created: | July 14, 2011 | Updated: | July 20, 2011 |
| Description: | From the Scientific Linux advisory: It was found that an mmap() call with the MAP_PRIVATE flag on "/dev/zero" would create transparent hugepages and trigger a certain robustness check. A local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-2479, Moderate) |
| Alerts: | |
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2011-2534 CVE-2011-1747 |
| Created: | July 14, 2011 | Updated: | August 9, 2011 |
| Description: | From the Ubuntu advisory: Vasiliy Kulikov discovered that the netfilter code did not check certain strings copied from userspace. A local attacker with netfilter access could exploit this to read kernel memory or crash the system, leading to a denial of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534) Vasiliy Kulikov discovered that the AGP driver did not check the size of certain memory allocations. A local attacker with access to the video subsystem could exploit this to run the system out of memory, leading to a denial of service. (CVE-2011-1746, CVE-2011-1747) |
| Alerts: | |
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2010-4256 CVE-2011-1076 |
| Created: | July 14, 2011 | Updated: | July 20, 2011 |
| Description: | From the Ubuntu advisory: It was discovered that named pipes did not correctly handle certain fcntl calls. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4256) It was discovered that the key-based DNS resolver did not correctly handle certain error states. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1076) |
| Alerts: | |
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2011-1576 CVE-2011-1936 CVE-2011-2213 CVE-2011-2492 |
| Created: | July 15, 2011 | Updated: | September 14, 2011 |
| Description: | From the Red Hat advisory: A flaw allowed napi_reuse_skb() to be called on VLAN (virtual LAN) packets. An attacker on the local network could trigger this flaw by sending specially-crafted packets to a target system, possibly causing a denial of service. (CVE-2011-1576) A flaw in the way the Xen hypervisor implementation handled CPUID instruction emulation during virtual machine exits could allow an unprivileged guest user to crash a guest. This only affects systems that have an Intel x86 processor with the Intel VT-x extension enabled. (CVE-2011-1936) A flaw in inet_diag_bc_audit() could allow a local, unprivileged user to cause a denial of service (infinite loop). (CVE-2011-2213) Structure padding in two structures in the Bluetooth implementation was not initialized properly before being copied to user-space, possibly allowing local, unprivileged users to leak kernel stack memory to user-space. (CVE-2011-2492) |
| Alerts: | |
libapache2-mod-authnz-external: SQL injection
| Package(s): | libapache2-mod-authnz-external | CVE #(s): | CVE-2011-2688 |
| Created: | July 19, 2011 | Updated: | August 21, 2012 |
| Description: | From the Debian advisory: It was discovered that libapache2-mod-authnz-external, an Apache authentication module, is prone to an SQL injection via the $user parameter. |
| Alerts: | |
libpng: multiple vulnerabilities
| Package(s): | libpng | CVE #(s): | CVE-2011-2690 CVE-2011-2691 CVE-2011-2692 |
| Created: | July 19, 2011 | Updated: | October 17, 2011 |
| Description: | From the CVE entries: Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image. (CVE-2011-2690) The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image. (CVE-2011-2691) The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory. (CVE-2011-2692) |
| Alerts: | |
likewise-open: SQL injection
| Package(s): | likewise-open | CVE #(s): | CVE-2011-2467 |
| Created: | July 20, 2011 | Updated: | July 20, 2011 |
| Description: | Likewise-open (an Active Directory authentication service) suffers from a local SQL injection vulnerability. |
| Alerts: | |
mariadb: missing innodb support
| Package(s): | mariadb | CVE #(s): | |
| Created: | July 19, 2011 | Updated: | July 20, 2011 |
| Description: | From the openSUSE advisory: The last security version upgrade of MariaDB (a MySQL fork) removed InnoDB support, breaking old databases. |
| Alerts: | |
nfs-utils: user-controlled /etc/mtab corruption
| Package(s): | nfs-utils | CVE #(s): | CVE-2011-1749 |
| Created: | July 14, 2011 | Updated: | March 22, 2012 |
| Description: | From the Pardus advisory: It was found that mount.nfs suffers from the same flaw as other mount helpers (see CVE-2011-1089). Instead of using addmntent(), nfs-utils implements its own similar function (nfs_addmntent()) which also fails to anticipate whether resource limits would interfere with correctly writing to /etc/mtab. A local user could use this to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value. |
| Alerts: | |
opera: multiple vulnerabilities
| Package(s): | opera | CVE #(s): | CVE-2011-1337 CVE-2011-2609 CVE-2011-2610 CVE-2011-2611 CVE-2011-2612 CVE-2011-2613 CVE-2011-2614 CVE-2011-2615 CVE-2011-2616 CVE-2011-2617 CVE-2011-2618 CVE-2011-2619 CVE-2011-2620 CVE-2011-2621 CVE-2011-2622 CVE-2011-2623 CVE-2011-2624 CVE-2011-2625 CVE-2011-2626 CVE-2011-2627 |
| Created: | July 19, 2011 | Updated: | July 20, 2011 |
| Description: | Opera 11.50 fixes multiple vulnerabilities. See the Opera changelog for details. |
| Alerts: | |
phpmyadmin: multiple vulnerabilities
| Package(s): | phpMyAdmin | CVE #(s): | |
| Created: | July 18, 2011 | Updated: | July 20, 2011 |
| Description: | From the phpMyAdmin advisories [1; 2; 3; 4]: It was possible to manipulate the PHP session superglobal using some of the Swekey authentication code. This could open a path for other attacks. An unsanitized key from the Servers array is written in a comment of the generated config. An attacker can modify this key by modifying the SESSION superglobal array. This allows the attacker to close the comment and inject code. Through a possible bug in PHP, a null byte can truncate the pattern string allowing an attacker to inject the /e modifier causing the preg_replace function to execute its second argument as PHP code. Fixed filtering of a file path in the MIME-type transformation code, which allowed for directory traversal. |
| Alerts: | |
seamonkey: multiple vulnerabilities
| Package(s): | seamonkey | CVE #(s): | |
| Created: | July 15, 2011 | Updated: | July 20, 2011 |
| Description: | Seamonkey 2.2 fixes multiple issues. See the change log for details. |
| Alerts: | |
system-config-firewall: privilege escalation/arbitrary code execution
| Package(s): | system-config-firewall | CVE #(s): | CVE-2011-2520 |
| Created: | July 19, 2011 | Updated: | August 2, 2011 |
| Description: | From the Red Hat advisory: It was found that system-config-firewall used the Python pickle module in an insecure way when sending data (via D-Bus) to the privileged back-end mechanism. A local user authorized to configure firewall rules using system-config-firewall could use this flaw to execute arbitrary code with root privileges, by sending a specially-crafted serialized object. |
| Alerts: | |
Page editor: Jake Edge