Bug 317637 - Arbitrary code execution on SVG import
Product: dia
Classification: Other
Component: import
Version: CVS head
Hardware/OS: Other Linux
Importance: Normal normal
Target Milestone: 0.95
Assigned To: Dia maintainers
Reported: 2005-09-30 19:15 UTC by Roland Stigge
Modified: 2005-10-08 18:47 UTC

Attachments:
exploit.svg (3.77 KB, image/svg+xml), 2005-09-30 19:15 UTC, Roland Stigge
dia.patch (1.89 KB, patch), 2005-09-30 19:16 UTC, Roland Stigge, status: none
A new patch just applied to cvs (1.98 KB, patch), 2005-10-08 18:42 UTC, Hans Breuer, status: committed

Description Roland Stigge 2005-09-30 19:15:00 UTC
Distribution/Version: Debian

A Debian user found a possibility to execute arbitrary code on "plain SVG" import.

Attached is an exploit and a patch (that still applies to HEAD, just missing a
former eval() call, not present anymore).

See also
Comment 1 Roland Stigge 2005-09-30 19:15:46 UTC
Created attachment 52880
Comment 2 Roland Stigge 2005-09-30 19:16:17 UTC
Created attachment 52881
Comment 3 Hans Breuer 2005-10-08 18:42:58 UTC
Created attachment 53236
A new patch just applied to cvs

I didn't like the approach of the previous patch so I've implemented a
different solution. Instead of unconditionally replacing possibly perfectly
valid chars it restricts the environment eval() is running in.
The simple use case for is calling one member function on an
already existing object. It does not need any __builtins__ like __import__.
The exploit at hand is detected and prevented by this fix. But I'm not a
security expert so I'd appreciate further review.

The relevant ChangeLog entry is :

2005-10-08  Hans Breuer  <>

	* plug-ins/python/ : restrict what eval() can do
	with strings from svg files. Fixes the arbitrary code execution from 
	bug #317637
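
The restriction described in comment 3, as an added example that is not the code from the Dia patch: `eval()` receives a globals dict with an empty `__builtins__`, so names such as `__import__` do not resolve. It goes one step beyond the comment by first checking the parsed expression against an allowlist (one method call on one known object, literal arguments only), because an empty `__builtins__` alone still leaves attribute access on the supplied object available to the expression. `Shape`, `set_width`, `ALLOWED_METHODS` and the object name `o` are hypothetical.

```python
import ast

class Shape:
    """Hypothetical stand-in for the already existing object."""
    def __init__(self):
        self.calls = []

    def set_width(self, w):
        self.calls.append(("set_width", w))
        return w

ALLOWED_METHODS = {"set_width"}  # hypothetical allowlist

def eval_no_builtins(expr, obj):
    """The restriction from comment 3: no builtins, one known object."""
    return eval(expr, {"__builtins__": {}}, {"o": obj})

def check_expr(expr):
    """Accept only o.<allowed method>(<literal>, ...); raise ValueError otherwise."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError("not a Python expression") from exc
    call = tree.body
    if not isinstance(call, ast.Call):
        raise ValueError("not a call")
    func = call.func
    if not (isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "o"
            and func.attr in ALLOWED_METHODS):
        raise ValueError("call target not on the allowlist")
    if call.keywords or not all(isinstance(a, ast.Constant) for a in call.args):
        raise ValueError("only literal positional arguments are accepted")
    return tree

def restricted_eval(expr, obj):
    """Validate first, then evaluate with builtins removed."""
    code = compile(check_expr(expr), "<svg attribute>", "eval")
    return eval(code, {"__builtins__": {}}, {"o": obj})

if __name__ == "__main__":
    shape = Shape()
    print(restricted_eval("o.set_width(3)", shape))
    for text in ("__import__('os')", "o.__class__", "o.set_width(o)"):  # constructed inputs
        try:
            restricted_eval(text, shape)
        except ValueError as err:
            print("rejected:", text, "->", err)
```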