Bug 120091

Summary: VUL-0: dia: arbitrary python code execution when opening files
Product: [openSUSE] SUSE Linux 10.1 Reporter: Thomas Biege <thomas>
Component: Other Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: gnome-bugs, mls, patch-request, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVE-2005-2966: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: dia.patch

Description Thomas Biege 2005-10-04 13:32:47 UTC
Hi,
We received this via vendor-sec but it's public. Let's do a full security update.

From: Steve Kemp <skx@debian.org>
To: vendor-sec@lst.de
Reply-To: Steve Kemp <skx@debian.org>
User-Agent: Mutt/1.5.9i
Subject: [vendor-sec] dia - arbitrary python code execution when opening files.
Errors-To: vendor-sec-admin@lst.de
Date: Sun, 2 Oct 2005 14:21:18 +0100

[-- Anhang #1 --]
[-- Typ: text/plain, Kodierung: 7bit, Größe: 0,4K --]


  A public hole in dia SVG import is described here:

   http://bugzilla.gnome.org/show_bug.cgi?id=317637

  Joxean Koret discovered that the SVG import plugin in dia, a
 vector-oriented diagram editor, does not properly sanitise data read
 from an SVG file and is hence vulnerable to execute arbitrary Python
 code.

  The ID CAN-2005-2966 has been allocated by the Debian Security Team,
 and the patch is attached.

Steve
--

[-- Anhang #2: dia.patch --]
[-- Typ: text/plain, Kodierung: 7bit, Größe: 1,9K --]
Comment 1 Thomas Biege 2005-10-04 13:33:34 UTC
Created attachment 51395 [details]
dia.patch
Comment 2 Stanislav Brabec 2005-10-04 16:14:27 UTC
Fixed for 9.3, sles9-sld-beta, 10.0, STABLE and PLUS.

I did not find corresponding code in older versions.
Comment 3 Thomas Biege 2005-10-05 13:37:33 UTC
Thanks a lot!


Maintenance-Tracker-2515
Comment 4 Thomas Biege 2005-10-05 13:43:18 UTC
/work/src/done/PATCHINFO/dia.patch.box
/work/src/done/PATCHINFO/dia.patch.maintained
Comment 5 Michael Schröder 2005-10-06 13:31:12 UTC
Stanislav, I also need a version for SLES9 (i.e. 
against /work/SRC/old-versions/9.1/SLES/all/dia) and SLES9-SLD 
(/work/SRC/old-versions/9.1/SLD/all/dia). 
Or aren't they affected? 
Comment 6 Michael Schröder 2005-10-06 13:32:56 UTC
Oh wait, you already answered that. So dia.patch.maintained is not needed. 
Comment 7 Stanislav Brabec 2005-10-06 14:06:32 UTC
Older versions don't contain python/diasvg_import.py but
plug-ins/python/diasvg.py, which seems to be different.
Comment 8 Marcus Meissner 2005-10-06 14:09:15 UTC
i cross checked and can confirm that.
 
the 0.92.2 version does not have the self.eval constructs. 
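
The cross-check described in comments 7 and 8 (does a given version of the plugin contain eval constructs at all?) can be scripted. The following is an added example, not part of the original bug report or of dia; the function name and the sample sources are constructed for illustration, and the scan assumes the plugin is available as Python source text.

```python
import ast
import re

CALLS = {"eval", "exec"}
FALLBACK = re.compile(r"\b(eval|exec)\s*\(")

def find_dynamic_eval(source):
    """Return sorted (line, callee) pairs for eval/exec-style calls in source."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        # Python 2-era plugin code may not parse under Python 3; fall back to a
        # line scan, which can also match inside comments and strings.
        return [(n, m.group(1))
                for n, line in enumerate(source.splitlines(), 1)
                for m in FALLBACK.finditer(line)]
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name) and func.id in CALLS:
            hits.append((node.lineno, func.id))
        elif isinstance(func, ast.Attribute) and func.attr in CALLS:
            # Method-style call such as self.eval(...)
            owner = func.value.id if isinstance(func.value, ast.Name) else "<expr>"
            hits.append((node.lineno, owner + "." + func.attr))
    return sorted(hits)

# Constructed sample sources (not taken from dia).
WITH_EVAL = (
    "class Importer:\n"
    "    def width(self, value):\n"
    "        return eval(value)  # value is read from the file\n"
)
WITHOUT_EVAL = (
    "class Importer:\n"
    "    def width(self, value):\n"
    "        return float(value)\n"
)
PY2_STYLE = 'print "importing"\nwidth = eval(value)\n'

if __name__ == "__main__":
    for name, src in [("with eval", WITH_EVAL), ("without eval", WITHOUT_EVAL),
                      ("python 2 style", PY2_STYLE)]:
        print(name, find_dynamic_eval(src))
```

An empty result only shows that no eval or exec call is present in that file; it does not show that the importer handles file data safely in other ways.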
Comment 9 Stanislav Brabec 2005-10-12 13:11:13 UTC
Could you provide dia.patch.maintained for SLD-BETA, too? Thanks.
Comment 10 Thomas Biege 2005-10-12 13:25:02 UTC
Is this really needed? I never did a *-BETA patchinfo.
Comment 11 Stanislav Brabec 2005-10-12 13:31:10 UTC
It should have either this common SWAMP ID or the security SWAMP ID.

Joachim Werner wrote:

I've just talked with Anja Stock and Rudi Oertel about how we should handle 
the NLD-specific SP3 packages.

We agreed that it makes a lot of sense to use the same model as with the SLES9 
SPs this time:

There is one SWAMPID 2558 for all of them, and we will require patchinfos for 
every package that goes in. That makes tracking things much easier.
Comment 12 Marcus Meissner 2005-10-12 13:41:54 UTC
stanislav, you need to write it in this case. (or the one who upgraded dia 
for NLD9-SP3). Since we never released this update, there is no need for us 
to be involved. 
 
all affected packages released. 
Comment 13 Thomas Biege 2009-10-13 21:39:09 UTC
CVE-2005-2966: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)