Bug 581177 - CVE-2008-5984: Untrusted search path vulnerability in the Python plugin
Status: RESOLVED FIXED
Product: dia
Classification: Other
Component: python
Version: 0.96
Hardware / OS: Other / All
Importance (priority / severity): Normal / normal
Target Milestone: 0.97.1
Assigned To: Hans Breuer
QA Contact: Hans Breuer
Duplicates: 734674
Depends on:
Blocks:
Reported: 2009-05-03 10:53 UTC by Robert Buchholz
Modified: 2014-08-12 19:24 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description Robert Buchholz 2009-05-03 10:53:00 UTC
Please describe the problem:
The following security issue has been reported for Dia:

CVE-2008-5984 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5984):
  Untrusted search path vulnerability in the Python plugin in Dia
  0.96.1, and possibly other versions, allows local users to execute
  arbitrary code via a Trojan horse Python file in the current working
  directory, related to a vulnerability in the PySys_SetArgv function
  (CVE-2008-5983).
Steps to reproduce:
1. cd /tmp
2. echo "import os\nos.system('/usr/bin/zenity --warning --text=Vulnerable')" > string.py
3. dia
Actual results:
Pop-up box saying "vulnerable"

Expected results:
Do not execute code from working directory as it might not be trusted.

Does this happen every time?
Yes.

Other information:
There is a patch applied in Debian and Fedora here:
http://cvs.fedoraproject.org/viewvc/rpms/dia/devel/dia-0.96.1-pythonpath.patch?revision=1.1&view=markup

Note that the patch has issues with certain non-gnu libc implementations as pointed out here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504251#26

Downstream bug reports:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504251
https://bugzilla.redhat.com/show_bug.cgi?id=481551
https://bugs.gentoo.org/show_bug.cgi?id=257020
Comment 1 Hans Breuer 2009-05-24 15:47:37 UTC
Applied the debian patch, will be available with 0.97.1 or 0.98 - whichever comes first.
http://git.gnome.org/cgit/dia/commit/?id=f65009acefcde9b786fe9dab46a3ad044ce3a295
Comment 2 Hans Breuer 2009-06-07 17:03:50 UTC
I should have checked it more thoroughly - that patch just disables the loading of all python plug-ins! There is an easier way to disable pydia, just don't give --with-python at compile time. 
Comment 3 Robert Buchholz 2009-07-19 15:04:52 UTC
Hans, have you looked into a correct patch yet?

If loading of plug-ins is disabled with the patch applied, the solution is probably to add (at installation time) the full path to the plug-ins in sys.path of the plug-in loader.
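An added illustration (not Dia's code and not the Debian/Fedora patch) of the search-path problem in the report and of the remedy comment 3 suggests. When the embedding application hands PySys_SetArgv() an argv[0] without a directory component, Python puts "" (the current working directory) at the front of sys.path, so a plug-in's `import string` finds ./string.py before the real module. The block emulates that ordered module search over a path list with plain file checks (top-level .py files only), builds the two string.py copies in constructed temporary directories, and shows that dropping working-directory entries and prepending the absolute installed plug-in directory makes the lookup land on the trusted copy. All function names and sample paths are assumptions of the example.

```python
"""Added illustration of the untrusted search path behind CVE-2008-5984.

Python's PySys_SetArgv() derives sys.path[0] from argv[0]; with no directory
component that entry is "", i.e. the current working directory, so a later
`import string` inside a plug-in picks up ./string.py first.  The functions
below emulate the ordered module search over a path list with plain file
checks (top-level .py files only) and show the remedy suggested in comment 3.
Names and sample files are assumptions of this example, not Dia's code.
"""
import os
import tempfile


def resolve_entry(entry, cwd):
    """Directory a sys.path entry really denotes: "" and "." are the
    working directory, which is exactly what makes them untrusted."""
    if entry in ("", "."):
        return os.path.abspath(cwd)
    return os.path.abspath(entry)


def find_module_file(name, search_path, cwd):
    """First <entry>/<name>.py on the path, in order, or None."""
    for entry in search_path:
        candidate = os.path.join(resolve_entry(entry, cwd), name + ".py")
        if os.path.isfile(candidate):
            return candidate
    return None


def untrusted_entries(search_path, cwd):
    """Entries that make imports read from the working directory."""
    cwd_abs = os.path.abspath(cwd)
    return [e for e in search_path if resolve_entry(e, cwd) == cwd_abs]


def harden_search_path(search_path, cwd, plugin_dir):
    """Drop working-directory entries and put the absolute installed
    plug-in directory first (the approach comment 3 proposes)."""
    plugin_abs = os.path.abspath(plugin_dir)
    bad = set(untrusted_entries(search_path, cwd))
    kept = [e for e in search_path
            if e not in bad and os.path.abspath(e) != plugin_abs]
    return [plugin_abs] + kept


def demo():
    """Constructed scenario: a string.py in the working directory (as in the
    reporter's reproduction steps) and the legitimate module in the installed
    plug-in directory.  Returns which copy each search order would load."""
    with tempfile.TemporaryDirectory() as work, \
            tempfile.TemporaryDirectory() as plugins:
        with open(os.path.join(work, "string.py"), "w") as fh:
            fh.write("# shadowing copy in the working directory\n")
        with open(os.path.join(plugins, "string.py"), "w") as fh:
            fh.write("# trusted copy installed with the application\n")

        # What PySys_SetArgv() with a bare argv[0] leaves behind: "" first.
        vulnerable = ["", plugins]
        hardened = harden_search_path(vulnerable, cwd=work, plugin_dir=plugins)

        before = find_module_file("string", vulnerable, cwd=work)
        after = find_module_file("string", hardened, cwd=work)
        return {
            "untrusted": untrusted_entries(vulnerable, work),
            "before_from_cwd": os.path.dirname(before) == os.path.abspath(work),
            "after_from_plugins": os.path.dirname(after) == os.path.abspath(plugins),
            "hardened": hardened,
        }


if __name__ == "__main__":
    print(demo())
```

The same effect is available directly in the embedding C code on Python 2.6.6 / 3.1.3 and later: PySys_SetArgvEx(argc, argv, 0) passes updatepath=0 and leaves sys.path untouched, after which the application adds its installed plug-in directory explicitly.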
Comment 4 Hans Breuer 2009-10-23 15:11:59 UTC
Seems like I was just confused by the coincidence of Gentoo losing the Dia Python support for me at the time of testing:

  21 Jun 2009; <mrpouet@gentoo.org> dia-0.97.ebuild,
  +files/dia-0.97-acinclude-python-fixes.patch:
  Fix compilation error with USE="python", bug #271855, and fix missing EAPI="2"

http://bugs.gentoo.org/show_bug.cgi?id=271855

Sorry for the false alarm.
Comment 5 Hans Breuer 2014-08-12 19:24:18 UTC
*** Bug 734674 has been marked as a duplicate of this bug. ***