[Secure-testing-team] Bug#504251: dia: Python scripts load modules from current directory
James Vega
jamessan at debian.org
Sun Nov 2 05:21:32 UTC 2008
Package: dia
Version: 0.96.1-7
Severity: grave
Tags: security patch
Justification: user security hole
Usertags: pythonpath
dia's python interface calls PySys_SetArgv such that Python prepends
an empty string to sys.path. This makes it possible to run arbitrary
code on the user's system if there is a python file in dia's working
directory with the same name as one that dia's python scripts try to
import.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages dia depends on:
pn dia-common <none> (no description available)
pn dia-libs <none> (no description available)
ii libart-2.0-2 2.3.20-2 Library of functions for 2D graphi
ii libatk1.0-0 1.22.0-1 The ATK accessibility toolkit
ii libc6 2.7-15 GNU C Library: Shared libraries
ii libcairo2 1.6.4-6.1 The Cairo 2D vector graphics libra
ii libfontconfig1 2.6.0-1 generic font configuration library
ii libfreetype6 2.3.7-2 FreeType 2 font engine, shared lib
ii libglib2.0-0 2.16.6-1 The GLib library of C routines
ii libgtk2.0-0 2.12.11-4 The GTK+ graphical user interface
ii libpango1.0-0 1.20.5-3 Layout and rendering of internatio
ii libpng12-0 1.2.27-2 PNG library - runtime
ii libpopt0 1.14-4 lib for parsing cmdline parameters
ii libxml2 2.6.32.dfsg-4 GNOME XML library
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages dia recommends:
ii gsfonts-x11 0.21 Make Ghostscript fonts available t
dia suggests no packages.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pythonpath.diff
Type: text/x-c
Size: 330 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081102/28efa534/attachment.bin
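The mechanism the report describes, shown as an added example that is not code from dia, from the attached pythonpath.diff or from the reporter. It builds two temporary directories, the application's own module directory and a working directory the user (or attacker) controls, and imports a module under three scenarios; the module name "exportfilter" and the directory layout are assumptions made up for the demonstration. It runs under Python 3 rather than the Python 2 of 2008, but the import-system behaviour at issue is the same: an entry of '' in sys.path means "the current working directory at import time".

```python
"""Module shadowing through an empty sys.path entry.

When an embedding application calls PySys_SetArgv() the interpreter may put
'' at the front of sys.path.  The import system treats '' as the process's
current working directory at the moment of the import, so a file in that
directory whose name matches a module the application's scripts import is
found first.  This script constructs that situation with temporary
directories and shows the effect of the empty entry.

Added example, not code from dia or from the bug report.  The module name
'exportfilter' and the directory layout are made up for the demonstration.
"""
import importlib
import os
import sys
import tempfile

SHADOWED_MODULE = "exportfilter"   # hypothetical module name (assumption)


def harden_sys_path(path):
    """Return a copy of a sys.path list without the entries that resolve to
    the current working directory ('' and '.').  Absolute entries are kept."""
    return [p for p in path if p not in ("", ".")]


def _write_module(directory, origin):
    # Constructed module file: all it does is record where it was loaded from.
    with open(os.path.join(directory, SHADOWED_MODULE + ".py"), "w") as fh:
        fh.write("ORIGIN = %r\n" % origin)


def simulate_import(plant_attacker_file, empty_path_entry):
    """Import SHADOWED_MODULE under one scenario and return the ORIGIN it reports.

    plant_attacker_file: drop an attacker-controlled exportfilter.py into the cwd.
    empty_path_entry:    start sys.path with '' as PySys_SetArgv does.
    Returns 'legit' (the application's own copy was loaded) or 'attacker'.
    """
    saved_cwd, saved_path = os.getcwd(), list(sys.path)
    saved_importer_cache = dict(sys.path_importer_cache)
    with tempfile.TemporaryDirectory() as appdir, \
            tempfile.TemporaryDirectory() as workdir:
        _write_module(appdir, "legit")          # the application's real module
        if plant_attacker_file:
            _write_module(workdir, "attacker")  # file planted in the working directory
        try:
            os.chdir(workdir)                   # the process's cwd is attacker-influenced
            prefix = [""] if empty_path_entry else []
            # The application's own directory comes right after the (optional) ''
            # entry, exactly the ordering that lets the cwd win the lookup.
            sys.path[:] = prefix + [appdir] + harden_sys_path(saved_path)
            sys.modules.pop(SHADOWED_MODULE, None)
            sys.path_importer_cache.clear()     # drop finders bound to an earlier cwd
            importlib.invalidate_caches()
            module = importlib.import_module(SHADOWED_MODULE)
            return module.ORIGIN
        finally:
            # Put the interpreter back the way we found it.
            sys.modules.pop(SHADOWED_MODULE, None)
            sys.path[:] = saved_path
            sys.path_importer_cache.clear()
            sys.path_importer_cache.update(saved_importer_cache)
            os.chdir(saved_cwd)


if __name__ == "__main__":
    for plant, empty in ((True, True), (True, False), (False, True)):
        print("attacker file in cwd=%-5s  '' in sys.path=%-5s  -> loaded: %s"
              % (plant, empty, simulate_import(plant, empty)))
```

Only the combination of a planted file and the leading '' entry loads the attacker's copy; removing the entry (what harden_sys_path does) or keeping the working directory clean loads the application's own module. For embedders, later Python releases (2.6.6, 2.7, 3.1.3 and 3.2 onward) added PySys_SetArgvEx() with an updatepath argument so that the sys.path modification can be declined outright instead of being undone afterwards.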