Debian Bug report logs - #330893
eric: Arbitrary code execution when generating documentation for a malicious project file

Package: eric; Maintainer for eric is Gudjon I. Gudjonsson <gudjon@gudjon.org>; Source for eric is src:eric.

Reported by: Joxean Koret <joxeankoret@yahoo.es>

Date: Fri, 30 Sep 2005 10:48:03 UTC

Severity: grave

Tags: etch, fixed, sarge

Found in version eric/3.6.2-1

Fixed in version 3.7.2-1

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Torsten Marek <shlomme@gmx.net>:
Bug#330893; Package eric.

Acknowledgement sent to Joxean Koret <joxeankoret@yahoo.es>:
New Bug report received and forwarded. Copy sent to Torsten Marek <shlomme@gmx.net>.

Message #5 received at submit@bugs.debian.org:

From: Joxean Koret <joxeankoret@yahoo.es>
To: submit@bugs.debian.org
Subject: eric: Arbitrary code execution when generating documentation for a malicious project file
Date: Fri, 30 Sep 2005 12:50:49 +0200
[Message part 1 (text/plain, inline)]
Subject: eric: Arbitrary code execution
Package: eric
Version: 3.6.2-1
Severity: grave
Justification: user security hole

The ERIC IDE uses Python syntax in its project files for various
configurable params, for example, to generate the project
documentation. Well, due to the usage of Python source in the project
file, a malicious user can create a malicious project file that will
execute arbitrary code when trying to generate the project
documentation.

I contacted the Eric project author and a fix for the issue was released.

A working exploit is attached.

Regards,
Joxean Koret


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-386
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-15)

Versions of packages eric depends on:
ii  bicyclerepair                 0.9-3      A refactoring tool for python
ii  python                        2.3.5-2    An interactive high-level object-o
ii  python-qt3                    3.13-4     Qt3 bindings for Python (default v
ii  python-qtext                  3.13-4     Qt extensions for PyQt (default ve

-- no debconf information

[exploit.e3p (text/xml, attachment)]
[main.py (text/x-python, attachment)]
[signature.asc (application/pgp-signature, inline)]
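
An added example, not code from eric or from the report above: one way to read Python-literal parameters out of a project file without executing them, so that anything other than plain data is refused. The `<DocParams>` element and the parameter names are hypothetical; the page shows neither eric's project schema nor the actual fix.

```python
import ast
import xml.etree.ElementTree as ET

# Constructed sample project files. The element name <DocParams> is a
# hypothetical stand-in, not eric's real project schema.
BENIGN = """<Project><DocParams>{'outputDirectory': 'doc', 'recursive': 1,
 'ignoreDirectories': ['build', 'tests']}</DocParams></Project>"""
HOSTILE = """<Project><DocParams>{'outputDirectory':
 __import__('os').getcwd()}</DocParams></Project>"""

ALLOWED_TYPES = (str, int, bool, list)


class UnsafeProjectFile(ValueError):
    """Raised when a parameter block is not a plain literal dict."""


def load_doc_params(project_xml):
    """Return the parameter dict from a project file without executing it."""
    node = ET.fromstring(project_xml).find("DocParams")
    if node is None or node.text is None:
        return {}
    try:
        # literal_eval accepts only literals (strings, numbers, lists,
        # dicts, ...); names, calls and attribute access are refused.
        params = ast.literal_eval(node.text.strip())
    except (ValueError, SyntaxError, TypeError,
            RecursionError, MemoryError) as exc:
        raise UnsafeProjectFile("parameters are not a literal: %s" % exc)
    if not isinstance(params, dict):
        raise UnsafeProjectFile("parameters must be a dict")
    for key, value in params.items():
        if not isinstance(key, str) or not isinstance(value, ALLOWED_TYPES):
            raise UnsafeProjectFile("unexpected entry: %r" % (key,))
        if isinstance(value, list) and not all(isinstance(v, str) for v in value):
            raise UnsafeProjectFile("list entries must be strings: %r" % (key,))
    return params


def is_rejected(project_xml):
    """True when the project file's parameters fail validation."""
    try:
        load_doc_params(project_xml)
    except UnsafeProjectFile:
        return True
    return False
```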

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#330893; Package eric.

Acknowledgement sent to Torsten Marek <shlomme@gmx.net>:
Extra info received and forwarded to list.

Message #10 received at 330893@bugs.debian.org:

From: Torsten Marek <shlomme@gmx.net>
To: 330893@bugs.debian.org
Subject: Re: Bug#330893: eric: Arbitrary code execution when generating documentation for a malicious project file
Date: Sat, 01 Oct 2005 15:58:14 +0200

Joxean Koret wrote:
> Subject: eric: Arbitrary code execution
> Package: eric
> Version: 3.6.2-1
> Severity: grave
> Justification: user security hole
> 
> The ERIC IDE uses Python syntax in its project files for various
> configurable params, for example, to generate the project
> documentation. Well, due to the usage of Python source in the project
> file, a malicious user can create a malicious project file that will
> execute arbitrary code when trying to generate the project
> documentation.
> 
> I contacted the Eric project author and a fix for the issue was released.
> 
> A working exploit is attached.
> 
> Regards,
> Joxean Koret
> 

Hi,

I've backported the fix from 3.7.2 and contacted Debian Security.

greetings

Torsten
- --
Torsten Marek <shlomme@gmx.net>
ID: A244C858 -- FP: 1902 0002 5DFC 856B F146  894C 7CC5 451E A244 C858
Keyserver: subkeys.pgp.net




Tags added: sarge, etch Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility.

Notification sent to Joxean Koret <joxeankoret@yahoo.es>:
Bug acknowledged by developer.

Message #17 received at 330893-done@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: 330893-done@bugs.debian.org
Subject: Re: eric: Arbitrary code execution when generating documentation for a malicious project file
Date: Tue, 11 Oct 2005 04:41:11 -0700
[Message part 1 (text/plain, inline)]
Version: 3.7.2-1

> I've backported the fix from 3.7.2 and contacted Debian Security.

I understand this to mean that the bug is fixed in the version 3.7.2-1
uploaded to unstable, and that this report should therefore be marked as
fixed in this version.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
[signature.asc (application/pgp-signature, inline)]

Tags added: fixed Request was from Torsten Marek <shlomme@gmx.net> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 04:33:33 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:27:47 2014; Machine Name: beach.debian.org
