Bug 569228 - eog: untrusted python modules search path
Status: RESOLVED NOTGNOME
Product: eog-plugins
Classification: Core
Component: general
Version: unspecified
Hardware/OS: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: EOG Maintainers
Depends on:
Blocks: 569273
Reported: 2009-01-26 18:26 UTC by Bastien Nocera
Modified: 2019-02-22 03:17 UTC
See Also:
GNOME target: 2.26.x
GNOME version: ---

Description Bastien Nocera 2009-01-26 18:26:29 UTC
+++ This bug was initially created as a clone of Bug #569214 +++

(From Jan Lieskovsky, https://bugzilla.redhat.com/show_bug.cgi?id=481556)

"Untrusted search path vulnerability in gedit's Python module allows local
users to execute arbitrary code via a Trojan horse Python file in the
current working directory, related to an erroneous setting of sys.path
by the PySys_SetArgv function.

References:
http://www.nabble.com/Bug-484305%3A-bicyclerepair%3A-bike.vim-imports-untrusted-python-files-from-cwd-td18848099.html

Debian bug report for similar eog issue:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504352#4

Proposed patch:
Not sure if gedit's upstream has been reported about this issue.
The Debian patch for similar eog's Python related issue,
available at:

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=02_sanitize_sys.path.patch;att=1;bug=504352

should be sufficient to resolve this issue."

There's no CVE assigned yet, but one has been requested.  The security severity is considered "low".
Comment 1 Claudio Saavedra 2009-01-26 18:59:27 UTC
Committed to both trunk and gnome-2-24. Wondering now if I should do a stable release for this or just trust distributors to do the right thing... Any suggestion, Bastien?

2009-01-26  Claudio Saavedra  <csaavedra@igalia.com>

	* src/eog-python-module.c: (eog_python_init): Sanitize sys.path.
	Fixes bug #569228 (James Vega)

Comment 2 Bastien Nocera 2009-01-26 20:28:38 UTC
Reopening. Please monitor bug 569214, as the fix doesn't work.
Comment 3 Felix Riemann 2009-02-05 08:35:52 UTC
So, from what I can see there seem to be two workarounds for this problem.

The one Ray Strode applies to Fedora's gedit package (bug 569214, attachment 127294 [details] [review]) which sets the argv to the plugin directory.

The second one being from Morten Welinder for Gnumeric (bug 569648), which sets argv to a partially made up path appended to /dev/null.

Not sure which one is better though.

Waiting for Python to fix this doesn't seem to be an option to me right now, as such a fix is apparently not really imminent.

We also got a CVE-ID assigned for this, btw: CVE-2008-5987 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5987)
Comment 4 Felix Riemann 2009-02-16 13:57:13 UTC
Used Morten's workaround for Gnumeric now:

2009-02-16  Felix Riemann  <>

	* src/eog-python-module.c: (eog_python_init):
	Add a further workaround for the python search path issue.
	Works around bug #569228 (Morten Welinder).

Together with the still present filter from James Vega this hopefully makes eog pretty robust against that problem.
As the problem lies in Python itself, marking this as NOTGNOME.
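To make the two layers of defence discussed in comments 3 and 4 concrete, here is an added Python example (not eog's code, and not the Debian patch itself) that shows why an empty sys.path entry left behind by PySys_SetArgv makes a plugin import resolve against the process's working directory, and how a sys.path filter in the spirit of James Vega's fix removes that entry. The module name `sample_plugin_helper` and the plugin directory `/usr/lib/eog/plugins` are placeholders.

```python
import importlib.machinery
import os
import tempfile


def sanitize_sys_path(path, cwd):
    """Return a copy of `path` without entries that resolve to the cwd.

    PySys_SetArgv() derives sys.path[0] from argv[0]; when the embedding
    application passes no real script path, that entry is "" (meaning the
    current working directory), so every plugin import is tried there first.
    """
    clean = []
    for entry in path:
        if entry in ("", os.curdir):  # "" and "." both mean the cwd
            continue
        if os.path.abspath(entry) == os.path.abspath(cwd):
            continue
        clean.append(entry)
    return clean


def find_origin(module_name, path):
    """File `module_name` would be loaded from if sys.path were `path`."""
    spec = importlib.machinery.PathFinder.find_spec(module_name, path)
    return None if spec is None else spec.origin


def demo():
    """Compare the lookup before and after sanitizing (constructed sample)."""
    name = "sample_plugin_helper"  # hypothetical module a plugin imports
    plugin_dir = "/usr/lib/eog/plugins"  # placeholder for the plugin dir
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed sample: a same-named module in the working directory.
        with open(os.path.join(workdir, name + ".py"), "w") as f:
            f.write("SHADOWED = True\n")
        previous = os.getcwd()
        os.chdir(workdir)
        try:
            unsafe = ["", plugin_dir]  # what PySys_SetArgv leaves behind
            safe = sanitize_sys_path(unsafe, os.getcwd())
            picked_from_cwd = find_origin(name, unsafe) is not None
            still_found = find_origin(name, safe) is not None
        finally:
            os.chdir(previous)
    return picked_from_cwd, still_found, safe


if __name__ == "__main__":
    print(demo())  # (True, False, ['/usr/lib/eog/plugins'])
```

The same idea applies to the Gnumeric-style workaround: pointing argv[0] at a path that cannot be a directory keeps the cwd out of sys.path in the first place, and the filter catches anything that slips through.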