Debian Bug report logs - #504352
eog: Python scripts load modules from current directory


Package: eog; Maintainer for eog is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>; Source for eog is src:eog.

Reported by: James Vega <jamessan@debian.org>

Date: Mon, 3 Nov 2008 00:33:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions eog/2.22.3-1, eog/2.20.4-1

Fixed in version eog/2.22.3-2

Done: Josselin Mouette <joss@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, gpastore@debian.org (Guilherme de S. Pastore):
Bug#504352; Package eog. (Mon, 03 Nov 2008 00:33:04 GMT)

Acknowledgement sent to James Vega <jamessan@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, gpastore@debian.org (Guilherme de S. Pastore). (Mon, 03 Nov 2008 00:33:05 GMT)

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: James Vega <jamessan@debian.org>
To: submit@bugs.debian.org
Subject: eog: Python scripts load modules from current directory
Date: Sun, 2 Nov 2008 19:27:38 -0500
[Message part 1 (text/plain, inline)]
Package: eog
Version: 2.22.3-1
Severity: grave
Tags: security patch
Justification: user security hole
Usertags: pythonpath

eog's python interface calls PySys_SetArgv with an argv[0] that doesn't
resolve to a filename.  This causes Python to prepend sys.path with an
empty string which, due to the use of relative imports, allows the
possibility to run arbitrary code on the user's system if a file in
their working directory matches the name of a python module eog tries to
import.

This should be fixed by Python 2.6 as it uses absolute imports by
default, but I have not been able to test it and this still needs a fix
for packages built against/used with the currently supported versions of
Python.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@debian.org>
[02_sanitize_sys.path.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Bug marked as found in version 2.20.4-1. Request was from James Vega <jamessan@debian.org> to control@bugs.debian.org. (Mon, 03 Nov 2008 01:36:03 GMT)

Tags added: upstream. Request was from James Vega <jamessan@debian.org> to control@bugs.debian.org. (Mon, 03 Nov 2008 03:03:02 GMT)

Reply sent to Josselin Mouette <joss@debian.org>:
You have taken responsibility. (Thu, 06 Nov 2008 09:58:55 GMT)

Notification sent to James Vega <jamessan@debian.org>:
Bug acknowledged by developer. (Thu, 06 Nov 2008 09:58:56 GMT)

Message #14 received at 504352-close@bugs.debian.org (full text, mbox):

From: Josselin Mouette <joss@debian.org>
To: 504352-close@bugs.debian.org
Subject: Bug#504352: fixed in eog 2.22.3-2
Date: Thu, 06 Nov 2008 09:17:14 +0000
Source: eog
Source-Version: 2.22.3-2

We believe that the bug you reported is fixed in the latest version of
eog, which is due to be installed in the Debian FTP archive:

eog-dbg_2.22.3-2_amd64.deb
  to pool/main/e/eog/eog-dbg_2.22.3-2_amd64.deb
eog-dev_2.22.3-2_all.deb
  to pool/main/e/eog/eog-dev_2.22.3-2_all.deb
eog_2.22.3-2.diff.gz
  to pool/main/e/eog/eog_2.22.3-2.diff.gz
eog_2.22.3-2.dsc
  to pool/main/e/eog/eog_2.22.3-2.dsc
eog_2.22.3-2_amd64.deb
  to pool/main/e/eog/eog_2.22.3-2_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 504352@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Josselin Mouette <joss@debian.org> (supplier of updated eog package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 06 Nov 2008 09:04:21 +0100
Source: eog
Binary: eog eog-dbg eog-dev
Architecture: source all amd64
Version: 2.22.3-2
Distribution: unstable
Urgency: high
Maintainer: Guilherme de S. Pastore <gpastore@debian.org>
Changed-By: Josselin Mouette <joss@debian.org>
Description: 
 eog        - Eye of GNOME graphics viewer program
 eog-dbg    - Eye of GNOME graphics viewer program - debugging symbols
 eog-dev    - Development files for the Eye of GNOME
Closes: 504352
Changes: 
 eog (2.22.3-2) unstable; urgency=high
 .
   [ Deng Xiyue ]
   * 02_sanitize_sys.path.patch: fix possible security problem caused by
     empty sys.path which allows the possibility to run arbitrary code by a
     file that matches the name of a python module in the user's working
     directory. Thanks James Vega <jamessan@debian.org> for the patch.
     (Closes: #504352)
Checksums-Sha1: 
 b9b9fa5d60d7c12d1779c7e86fd43420d3ca7321 1760 eog_2.22.3-2.dsc
 88cd7dae28d0ac3a8c7a90bf8c8497444c2a30d1 12806 eog_2.22.3-2.diff.gz
 8b9a65f0e638468af4ded527785d724e0cd9fdcc 81452 eog-dev_2.22.3-2_all.deb
 3c956063729f37cb7054596e815781489c02c0f5 2145448 eog_2.22.3-2_amd64.deb
 6e19d6cf18b24e53f9b63cd54a0cb4f506cd03e0 631962 eog-dbg_2.22.3-2_amd64.deb
Checksums-Sha256: 
 61e90102ff0765e0def54936f8b3ed8161fd7d40cac46da8f70759c2f8796a50 1760 eog_2.22.3-2.dsc
 1ff32fcb605c336de9a5887eba5a9e8de40b50da7060a72ba6c325581a96d72a 12806 eog_2.22.3-2.diff.gz
 0d7432581bbf11baee0d6ef78484c348fddf7d32e1d90f692358c60c96b11985 81452 eog-dev_2.22.3-2_all.deb
 258b0eb93737ea9a0f27a4186e2bb4c51d6786ef757fd4e72242f4c4becb3d40 2145448 eog_2.22.3-2_amd64.deb
 14f49aeb1d17ae4492bb32b76a81d814b250aae857b7938672375e03daf673ec 631962 eog-dbg_2.22.3-2_amd64.deb
Files: 
 c58342d95c9b9f488f714135dbb913d5 1760 gnome optional eog_2.22.3-2.dsc
 c3592268991190ace97dd619b2b4ee78 12806 gnome optional eog_2.22.3-2.diff.gz
 a49caaeaace39a101a2ab58957f68b64 81452 gnome optional eog-dev_2.22.3-2_all.deb
 0476a51c03663a79ea13ce68738e8f0a 2145448 gnome optional eog_2.22.3-2_amd64.deb
 8d686780c8eba2f0bf8da08c1c18b925 631962 gnome extra eog-dbg_2.22.3-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJEqeArSla4ddfhTMRApMTAJ9lcW1WOhTbs76dIijvBHrcCFOXwwCgn7c5
skEN6Qo22TnqNL56zSX8Vvo=
=0shJ
-----END PGP SIGNATURE-----

Information forwarded to debian-bugs-dist@lists.debian.org, gpastore@debian.org (Guilherme de S. Pastore):
Bug#504352; Package eog. (Thu, 04 Dec 2008 20:27:04 GMT)

Acknowledgement sent to James Vega <jamessan@debian.org>:
Extra info received and forwarded to list. Copy sent to gpastore@debian.org (Guilherme de S. Pastore). (Thu, 04 Dec 2008 20:27:04 GMT)

Message #19 received at 504352@bugs.debian.org (full text, mbox):

From: James Vega <jamessan@debian.org>
To: 503632@bugs.debian.org, 504251@bugs.debian.org, 504352@bugs.debian.org, 504359@bugs.debian.org, 504363@bugs.debian.org
Subject: Suggested patch isn't applicable to all OSes
Date: Thu, 4 Dec 2008 15:23:47 -0500
[Message part 1 (text/plain, inline)]
As I discovered while discussing the Python path patch with Vim's
upstream[0], the patch I suggested to fix these bugs only works if the
libc follows SUS' definition[1] of how realpath(3) works.

Specifically, it must return NULL when given an empty string for the
path.  At least FreeBSD instead returns the current working directory of
the process[2], which means that removing the empty elements from
sys.path no longer has an effect.

When sending bug reports to your respective upstream, I'd suggest either
adjusting the patch to simply remove the first element of sys.path or
give a garbage path to PySys_SetArgv and explicitly filter that out of
sys.path (as was done by Vim's upstream[3]).

[0] - http://bugs.debian.org/493937
[1] - http://www.opengroup.org/onlinepubs/009695399/functions/realpath.html
[2] - http://www.freebsd.org/cgi/query-pr.cgi?pr=128933
[3] - http://ftp.vim.org/pub/vim/patches/7.2/7.2.045
-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan@debian.org>
[signature.asc (application/pgp-signature, inline)]
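The two messages above describe one mechanism and three candidate fixes: PySys_SetArgv with an argv[0] that has no directory part leaves '' at the front of sys.path, so `import` consults the process's working directory first; filtering '' out is not enough where libc's realpath(3) turns '' into the cwd itself (the FreeBSD behaviour); and an embedder can instead pass a deliberately bogus argv[0] and filter that exact entry. The following is an added illustration, not the 02_sanitize_sys.path.patch attached to the report nor any eog or Vim code. It is a Python-side sanitizer that handles all three shapes of the offending entry; the sample sys.path, the working directory and the sentinel argv[0] are constructed values, and the path module is injectable so the POSIX cases run identically on any platform.

```python
import os
import posixpath
import sys

# Constructed sample: roughly what sys.path looks like inside an embedded
# interpreter whose host called PySys_SetArgv with an argv[0] that does not
# resolve to a file. The leading '' is the element that makes `import`
# consult the process's current working directory first.
SAMPLE_SYS_PATH = [
    "",
    "/usr/lib/python2.5",
    "/usr/lib/python2.5/site-packages",
    "/usr/lib/eog/plugins",
]

# Hypothetical marker an embedder might pass as argv[0] so the bogus entry
# can be recognised and removed by exact match, independent of what the
# platform's realpath() does with an empty string.
SENTINEL_ARGV0 = "/nonexistent/eog-python-sentinel"


def sanitize_sys_path(path, cwd, sentinel=None, pathmod=posixpath):
    """Return a copy of `path` with every entry that would make `import`
    search `cwd` removed.

    Three shapes of the offending entry are handled:
      * ''          - what CPython inserts when argv[0] has no directory part
      * cwd itself  - what shows up when libc realpath('') returns the cwd
                      instead of NULL (the FreeBSD behaviour in the thread)
      * `sentinel`  - a deliberately bogus argv[0] the embedder passed so it
                      can be filtered by exact match
    `pathmod` defaults to posixpath so the logic can be exercised with POSIX
    sample paths on any platform; pass os.path for the live interpreter.
    """
    cwd_norm = pathmod.normpath(cwd)
    cleaned = []
    for entry in path:
        if entry == "":
            continue
        if sentinel is not None and entry == sentinel:
            continue
        # Relative entries are resolved against cwd, so '.' or 'sub/..'
        # are caught as well as the absolute cwd string.
        if pathmod.normpath(pathmod.join(cwd, entry)) == cwd_norm:
            continue
        cleaned.append(entry)
    return cleaned


def cwd_is_importable(path, cwd, pathmod=posixpath):
    """True if a module dropped into `cwd` could shadow one looked up via
    `path`. Handy as a check against a suspect interpreter's sys.path."""
    return sanitize_sys_path(path, cwd, pathmod=pathmod) != list(path)


def harden_running_interpreter(sentinel=None):
    """Apply the sanitizer to the live interpreter. sys.path is modified in
    place (slice assignment) so every module holding a reference sees it."""
    sys.path[:] = sanitize_sys_path(sys.path, os.getcwd(),
                                    sentinel=sentinel, pathmod=os.path)
    return list(sys.path)


if __name__ == "__main__":
    cwd = "/home/user/Downloads"  # constructed working directory
    print("before:", SAMPLE_SYS_PATH,
          "cwd importable:", cwd_is_importable(SAMPLE_SYS_PATH, cwd))
    print("after: ", sanitize_sys_path(SAMPLE_SYS_PATH, cwd))
```

The first message's suggestion of removing only sys.path[0] is deliberately not what this does: on a libc whose realpath('') yields the cwd, the cwd string may not be the first element, and an exact-match sentinel is the only variant that does not depend on realpath(3) at all, which is why the function accepts one.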

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 02 Jan 2009 07:28:27 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:09:00 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.