Debian Bug report logs - #504251
dia: Python scripts load modules from current directory


Package: dia; Maintainer for dia is Debian Dia Team <pkg-dia-team@lists.alioth.debian.org>; Source for dia is src:dia.

Reported by: James Vega <jamessan@debian.org>

Date: Sun, 2 Nov 2008 05:24:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions dia/0.96.1-7, dia/0.95.0-4.1

Fixed in version dia/0.96.1-7.1

Done: Alexander Reichle-Schmehl <tolimar@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Dia Team <pkg-dia-team@lists.alioth.debian.org>:
Bug#504251; Package dia. (Sun, 02 Nov 2008 05:24:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to James Vega <jamessan@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian Dia Team <pkg-dia-team@lists.alioth.debian.org>. (Sun, 02 Nov 2008 05:24:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: James Vega <jamessan@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dia: Python scripts load modules from current directory
Date: Sun, 02 Nov 2008 01:21:32 -0400
[Message part 1 (text/plain, inline)]
Package: dia
Version: 0.96.1-7
Severity: grave
Tags: security patch
Justification: user security hole
Usertags: pythonpath

dia's python interface calls PySys_SetArgv such that Python prepends
sys.path with an empty string.  This allows the possibility to run
arbitrary code on the user's system if there is a python file in dia's
working directory named the same as one that dia's python scripts try to
import.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dia depends on:
pn  dia-common             <none>            (no description available)
pn  dia-libs               <none>            (no description available)
ii  libart-2.0-2           2.3.20-2          Library of functions for 2D graphi
ii  libatk1.0-0            1.22.0-1          The ATK accessibility toolkit
ii  libc6                  2.7-15            GNU C Library: Shared libraries
ii  libcairo2              1.6.4-6.1         The Cairo 2D vector graphics libra
ii  libfontconfig1         2.6.0-1           generic font configuration library
ii  libfreetype6           2.3.7-2           FreeType 2 font engine, shared lib
ii  libglib2.0-0           2.16.6-1          The GLib library of C routines
ii  libgtk2.0-0            2.12.11-4         The GTK+ graphical user interface 
ii  libpango1.0-0          1.20.5-3          Layout and rendering of internatio
ii  libpng12-0             1.2.27-2          PNG library - runtime
ii  libpopt0               1.14-4            lib for parsing cmdline parameters
ii  libxml2                2.6.32.dfsg-4     GNOME XML library
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

Versions of packages dia recommends:
ii  gsfonts-x11                   0.21       Make Ghostscript fonts available t

dia suggests no packages.
[pythonpath.diff (text/x-c, attachment)]

Bug marked as found in version 0.95.0-4.1. Request was from Raphael Geissert <atomo64@gmail.com> to control@bugs.debian.org. (Sun, 02 Nov 2008 06:27:03 GMT) Full text and rfc822 format available.

Tags added: upstream Request was from James Vega <jamessan@debian.org> to control@bugs.debian.org. (Mon, 03 Nov 2008 03:03:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Dia Team <pkg-dia-team@lists.alioth.debian.org>:
Bug#504251; Package dia. (Sat, 15 Nov 2008 21:51:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alexander Reichle-Schmehl <tolimar@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Dia Team <pkg-dia-team@lists.alioth.debian.org>. (Sat, 15 Nov 2008 21:51:03 GMT) Full text and rfc822 format available.

Message #14 received at 504251@bugs.debian.org (full text, mbox):

From: Alexander Reichle-Schmehl <tolimar@debian.org>
To: 504251@bugs.debian.org
Subject: dia: diff for NMU version 0.96.1-7.1
Date: Sat, 15 Nov 2008 22:39:55 +0100
[Message part 1 (text/plain, inline)]
tags 504251 + patch
thanks

Hi,

Attached is the diff for my dia 0.96.1-7.1 NMU.

Yours sincerely,
  Alexander
[dia-0.96.1-7.1-nmu.diff (text/x-diff, attachment)]

Tags added: patch Request was from Alexander Reichle-Schmehl <tolimar@debian.org> to control@bugs.debian.org. (Sat, 15 Nov 2008 21:51:05 GMT) Full text and rfc822 format available.

Reply sent to Alexander Reichle-Schmehl <tolimar@debian.org>:
You have taken responsibility. (Sat, 15 Nov 2008 22:27:15 GMT) Full text and rfc822 format available.

Notification sent to James Vega <jamessan@debian.org>:
Bug acknowledged by developer. (Sat, 15 Nov 2008 22:27:16 GMT) Full text and rfc822 format available.

Message #21 received at 504251-close@bugs.debian.org (full text, mbox):

From: Alexander Reichle-Schmehl <tolimar@debian.org>
To: 504251-close@bugs.debian.org
Subject: Bug#504251: fixed in dia 0.96.1-7.1
Date: Sat, 15 Nov 2008 22:02:05 +0000
Source: dia
Source-Version: 0.96.1-7.1

We believe that the bug you reported is fixed in the latest version of
dia, which is due to be installed in the Debian FTP archive:

dia-common_0.96.1-7.1_all.deb
  to pool/main/d/dia/dia-common_0.96.1-7.1_all.deb
dia-gnome_0.96.1-7.1_i386.deb
  to pool/main/d/dia/dia-gnome_0.96.1-7.1_i386.deb
dia-libs_0.96.1-7.1_i386.deb
  to pool/main/d/dia/dia-libs_0.96.1-7.1_i386.deb
dia_0.96.1-7.1.diff.gz
  to pool/main/d/dia/dia_0.96.1-7.1.diff.gz
dia_0.96.1-7.1.dsc
  to pool/main/d/dia/dia_0.96.1-7.1.dsc
dia_0.96.1-7.1_i386.deb
  to pool/main/d/dia/dia_0.96.1-7.1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 504251@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl <tolimar@debian.org> (supplier of updated dia package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 15 Nov 2008 22:11:35 +0100
Source: dia
Binary: dia-common dia-libs dia dia-gnome
Architecture: source all i386
Version: 0.96.1-7.1
Distribution: unstable
Urgency: low
Maintainer: Debian Dia Team <pkg-dia-team@lists.alioth.debian.org>
Changed-By: Alexander Reichle-Schmehl <tolimar@debian.org>
Description: 
 dia        - Diagram editor
 dia-common - Diagram editor (common files)
 dia-gnome  - Diagram editor (GNOME version)
 dia-libs   - Diagram editor (library files)
Closes: 504251
Changes: 
 dia (0.96.1-7.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Applying patch by James Vega to solve module import problem
     (Closes: #504251)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Dia Team <pkg-dia-team@lists.alioth.debian.org>:
Bug#504251; Package dia. (Thu, 04 Dec 2008 20:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to James Vega <jamessan@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Dia Team <pkg-dia-team@lists.alioth.debian.org>. (Thu, 04 Dec 2008 20:27:03 GMT) Full text and rfc822 format available.

Message #26 received at 504251@bugs.debian.org (full text, mbox):

From: James Vega <jamessan@debian.org>
To: 503632@bugs.debian.org, 504251@bugs.debian.org, 504352@bugs.debian.org, 504359@bugs.debian.org, 504363@bugs.debian.org
Subject: Suggested patch isn't applicable to all OSes
Date: Thu, 4 Dec 2008 15:23:47 -0500
[Message part 1 (text/plain, inline)]
As I discovered while discussing the Python path patch with Vim's
upstream[0], the patch I suggested to fix these bugs only works if the
libc follows SUS' definition[1] of how realpath(3) works.

Specifically, it must return NULL when given an empty string for the
path.  At least FreeBSD instead returns the current working directory of
the process[2], which means that removing the empty elements from
sys.path no longer has an effect.

When sending bug reports to your respective upstream, I'd suggest either
adjusting the patch to simply remove the first element of sys.path or
give a garbage path to PySys_SetArgv and explicitly filter that out of
sys.path (as was done by Vim's upstream[3]).

[0] - http://bugs.debian.org/493937
[1] - http://www.opengroup.org/onlinepubs/009695399/functions/realpath.html
[2] - http://www.freebsd.org/cgi/query-pr.cgi?pr=128933
[3] - http://ftp.vim.org/pub/vim/patches/7.2/7.2.045
-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@debian.org>
[signature.asc (application/pgp-signature, inline)]
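The hazard described in the original report and the realpath(3) caveat raised in this last message, as an added Python example that is not part of the bug log or of the dia patch. It models what CPython 2.x's PySys_SetArgv prepends to sys.path rather than calling it, models the two realpath("") behaviours instead of calling libc, and uses a constructed working directory and a Vim-style bogus argv[0] as assumptions.

```python
# Added example, not from the Debian bug log or the dia patch: a model of the
# sys.path problem in #504251 and of the fixes discussed in message #26.
import os
import posixpath

MODELLED_CWD = "/home/user/diagrams"   # constructed cwd, not a real path


def argv0_path_entry(argv0):
    """Entry that PySys_SetArgv prepends to sys.path for a given argv[0]
    (model of CPython 2.x): the text before the last '/', or '' when
    argv[0] has no directory part, as for a bare program name like "dia"."""
    i = argv0.rfind("/")
    if i < 0:
        return ""            # '' means "search the working directory first"
    return argv0[:i] or "/"


def searches_cwd_first(path, cwd=None):
    """Defender's check: does this sys.path put the working directory ahead
    of the real module directories? That is the condition the report
    describes: a same-named module in dia's cwd would be imported first."""
    cwd = cwd or os.getcwd()
    return bool(path) and path[0] in ("", ".", cwd)


def strip_empty_after_realpath(path, realpath):
    """Model of a fix that normalises entries with realpath(3) and then drops
    the empty ones. As message #26 notes, this only works where realpath("")
    fails (SUS); where it returns the cwd (FreeBSD) the '' entry survives as
    an absolute path to the cwd and the filter no longer has an effect."""
    return [p for p in (realpath(p) for p in path) if p]


def sus_realpath(p):       # SUS: realpath("") fails (NULL), modelled as ""
    return posixpath.normpath(p) if p else ""


def freebsd_realpath(p):   # FreeBSD (PR 128933): "" resolves to the cwd
    return posixpath.normpath(p) if p else MODELLED_CWD


BOGUS_ARGV0 = "/must>not&exist/dia"   # constructed sentinel, Vim-style


def harden_after_setargv(path, argv0=BOGUS_ARGV0):
    """Portable fix from message #26: give PySys_SetArgv a bogus argv[0] whose
    directory cannot exist, then filter exactly that entry (and any stray '')
    out of sys.path without relying on realpath("") semantics at all."""
    bogus_dir = argv0_path_entry(argv0)
    return [p for p in path if p not in ("", bogus_dir)]
```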

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 09:07:25 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 04:11:58 2014; Machine Name: buxtehude.debian.org
