GNOME Bugzilla – Bug 317637
Arbitrary code execution on SVG import
Last modified: 2005-10-08 18:47:46 UTC
A Debian user found a possibility to execute arbitrary code on "plain SVG" import.
Attached is an exploit and a patch (that still applies to HEAD, just missing a former eval() call, not present anymore).
See also http://bugs.debian.org/330890
Created attachment 52880
Created attachment 52881
Created attachment 53236
A new patch just applied to cvs
I didn't like the approach of the previous patch so I've implemented a different solution. Instead of unconditionally replacing possibly perfectly valid chars it restricts the environment eval() is running in.
The simple use case for diasvg_import.py is calling one member function on an already existing object. It does not need any __builtins__ like __import__.
The exploit at hand is detected and prevented by this fix. But I'm not a security expert so I'd appreciate further review.
The relevant ChangeLog entry is:
2005-10-08 Hans Breuer <email@example.com>
* plug-ins/python/diasvg_import.py : restrict what eval() can do
with strings from svg files. Fixes the arbitrary code execution from
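The eval() restriction described in the comment above, as an added example that is not Dia's code: a hypothetical Style object stands in for the importer's "already existing object", `apply_restricted` evaluates an attribute string with an empty `__builtins__` so that only that object is reachable by name, and `apply_dispatch` shows the stronger alternative of parsing the call and dispatching through an allow-list without eval() at all (all names here are assumptions, not from diasvg_import.py).

```python
import re


class Style:
    """Hypothetical stand-in for the importer's style object; its member
    functions are the only thing an SVG attribute value should invoke."""

    def __init__(self):
        self.fill = None
        self.stroke_width = 1.0

    def set_fill(self, value):
        self.fill = value

    def set_stroke_width(self, value):
        self.stroke_width = float(value)


def apply_restricted(style, call):
    """The approach of the fix: eval() still runs the string from the file,
    but with an empty __builtins__ no builtin (str, open, __import__, ...)
    resolves, so a value like "set_fill(str(1))" raises NameError.
    This is a mitigation, not a sandbox; prefer apply_dispatch."""
    return eval("style." + call, {"__builtins__": {}, "style": style})


# Allow-list of member functions an attribute value may call, with the
# converter applied to the single quoted argument.
_ALLOWED = {"set_fill": str, "set_stroke_width": float}
_CALL = re.compile(r"^(\w+)\('([^']*)'\)$")


def apply_dispatch(style, call):
    """Parse name('arg') and dispatch by name; anything else is rejected
    before any code runs, so there is no expression evaluation at all."""
    m = _CALL.match(call)
    if not m or m.group(1) not in _ALLOWED:
        raise ValueError("rejected attribute value: %r" % call)
    name, arg = m.group(1), m.group(2)
    getattr(style, name)(_ALLOWED[name](arg))
    return style
```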