Bug 317637 - Arbitrary code execution on SVG import
Status: RESOLVED FIXED
Product: dia
Classification: Other
Component: import
CVS head
Other Linux
: Normal normal
: 0.95
Assigned To: Dia maintainers
Dia maintainers
Depends on:
Blocks:
Reported: 2005-09-30 19:15 UTC by Roland Stigge
Modified: 2005-10-08 18:47 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
exploit.svg (3.77 KB, image/svg+xml) - 2005-09-30 19:15 UTC, Roland Stigge
dia.patch (1.89 KB, patch) - 2005-09-30 19:16 UTC, Roland Stigge - review: none
A new patch just applied to cvs (1.98 KB, patch) - 2005-10-08 18:42 UTC, Hans Breuer - review: committed

Description Roland Stigge 2005-09-30 19:15:00 UTC
Distribution/Version: Debian

A Debian user found a possibility to execute arbitrary code on "plain SVG" import.

Attached is an exploit and a patch (that still applies to HEAD, just missing a
former eval() call, not present anymore).

See also http://bugs.debian.org/330890
Comment 1 Roland Stigge 2005-09-30 19:15:46 UTC
Created attachment 52880: exploit.svg
Comment 2 Roland Stigge 2005-09-30 19:16:17 UTC
Created attachment 52881: dia.patch
Comment 3 Hans Breuer 2005-10-08 18:42:58 UTC
Created attachment 53236: A new patch just applied to cvs

I didn't like the approach of the previous patch, so I've implemented a different solution. Instead of unconditionally replacing possibly perfectly valid chars, it restricts the environment eval() is running in.

The simple use case for diasvg_import.py is calling one member function on an already existing object. It does not need any __builtins__ like __import__.

The exploit at hand is detected and prevented by this fix. But I'm not a security expert, so I'd appreciate further review.

The relevant ChangeLog entry is:

2005-10-08  Hans Breuer  <hans@breuer.org>

	* plug-ins/python/diasvg_import.py : restrict what eval() can do
	with strings from svg files. Fixes the arbitrary code execution from 
	bug #317637
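As an added illustration of the fix discussed in comment 3 (this is a constructed sketch, not code from dia or from either patch): call_with_restricted_eval applies the idea of running eval() with no __builtins__ and only the target object in scope, and call_without_eval is an assumed stricter alternative that parses the string and dispatches an allowlisted method without eval() at all. The Path class, its method names and the "obj.method(args)" call format are assumptions, since the real importer's object and string format are not shown on this page.

```python
import ast

# Constructed stand-in for the "already existing object" whose member function
# the importer calls (hypothetical; the real dia object is not shown here).
class Path:
    def __init__(self):
        self.ops = []

    def move_to(self, x, y):
        self.ops.append(("move_to", x, y))
        return len(self.ops)

    def line_to(self, x, y):
        self.ops.append(("line_to", x, y))
        return len(self.ops)


ALLOWED_METHODS = {"move_to", "line_to"}


def call_with_restricted_eval(obj, text):
    """The approach described in comment 3: keep eval(), but give it an
    environment with no builtins and only the target object in scope, so a
    string such as "__import__('os')" fails with NameError instead of running."""
    return eval(text, {"__builtins__": {}}, {"obj": obj})


def call_without_eval(obj, text):
    """Stricter alternative (assumed, not dia's code): parse the string into
    an AST and dispatch only obj.<allowed_method>(<literal>, ...) by hand."""
    node = ast.parse(text, mode="eval").body
    if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
        raise ValueError("expected a single method call")
    target = node.func.value
    if not (isinstance(target, ast.Name) and target.id == "obj"):
        raise ValueError("calls are only permitted on obj")
    method = node.func.attr
    if method not in ALLOWED_METHODS or node.keywords:
        raise ValueError(f"method {method!r} is not permitted")
    # literal_eval accepts only literal nodes (numbers, strings, tuples, signed
    # numbers), so names, calls and attribute access in arguments are rejected.
    args = [ast.literal_eval(a) for a in node.args]
    return getattr(obj, method)(*args)


if __name__ == "__main__":
    p = Path()
    print(call_with_restricted_eval(p, "obj.move_to(10, 20)"))
    print(call_without_eval(p, "obj.line_to(30, 40)"))
    print(p.ops)
```

An empty __builtins__ blocks the direct __import__ route this report describes, but it narrows what eval() can reach rather than turning it into a sandbox, which is why the second function avoids eval() altogether and accepts only the one call shape the importer needs.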