Bugzilla – Bug 120091
VUL-0: dia: arbitrary python code execution when opening files
Last modified: 2009-10-13 21:39:09 UTC
Hi, we received this via vendor-sec but it's public. Let's do a full security update.

From: Steve Kemp <skx@debian.org>
To: vendor-sec@lst.de
Reply-To: Steve Kemp <skx@debian.org>
User-Agent: Mutt/1.5.9i
Subject: [vendor-sec] dia - arbitrary python code execution when opening files.
Errors-To: vendor-sec-admin@lst.de
Date: Sun, 2 Oct 2005 14:21:18 +0100

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.4K --]

A public hole in dia SVG import is described here:

http://bugzilla.gnome.org/show_bug.cgi?id=317637

Joxean Koret discovered that the SVG import plugin in dia, a vector-oriented diagram editor, does not properly sanitise data read from an SVG file and is hence vulnerable to execute arbitrary Python code.

The ID CAN-2005-2966 has been allocated by the Debian Security Team, and the patch is attached.

Steve
--

[-- Attachment #2: dia.patch --]
[-- Type: text/plain, Encoding: 7bit, Size: 1.9K --]
Created attachment 51395 [details] dia.patch
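The report above says only that the SVG importer fails to sanitise attribute data and ends up executing Python code, and a later comment notes that the affected diasvg_import.py uses self.eval constructs. The following is an added, hypothetical illustration of that bug class, not dia's code and not the attached patch: a toy importer that turns SVG length attributes into numbers with eval(), beside a version that accepts only a number with an optional unit. The SVG documents, the unit table and the function names are constructed for this example.

```python
"""Illustration of the bug class behind CAN-2005-2966: an SVG importer that
hands attribute strings to eval() runs whatever a crafted file puts there.
Hypothetical code, not dia's diasvg_import.py; both SVG inputs are constructed."""
import os
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"

# Constructed malicious SVG: the width attribute is a Python expression.
# getpid() is a harmless stand-in for e.g. __import__('os').system(...).
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <rect x="1" y="2" width="__import__('os').getpid()" height="4"/>
</svg>"""

# Constructed benign SVG with the unit suffixes an importer has to cope with.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <rect x="1.5" y="2" width="10px" height="4cm"/>
</svg>"""


def unsafe_length(value):
    # Vulnerable pattern: eval() "conveniently" converts "10", "1.5" and
    # "10px" (after the unit is stripped) to numbers, but it equally
    # evaluates any other expression the author of the file chose.
    value = value.strip()
    if value.endswith(("px", "pt", "cm", "mm", "in")):
        value = value[:-2]
    return float(eval(value))


_LENGTH_RE = re.compile(
    r"^\s*([+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?)\s*(px|pt|cm|mm|in)?\s*$"
)
# CSS/SVG user-unit conversions at 96 dpi (assumed for the example).
_UNIT_TO_PX = {None: 1.0, "px": 1.0, "pt": 96 / 72, "in": 96.0,
               "cm": 96 / 2.54, "mm": 96 / 25.4}


def safe_length(value):
    # Hardened: the grammar of a length is small, so match it exactly and
    # reject everything else. No file content ever reaches the interpreter.
    m = _LENGTH_RE.match(value)
    if not m:
        raise ValueError("malformed SVG length: %r" % value)
    return float(m.group(1)) * _UNIT_TO_PX[m.group(2)]


def import_rects(svg_bytes, length_parser):
    """Parse every <rect> and convert its geometry with the given parser."""
    root = ET.fromstring(svg_bytes)
    rects = []
    for rect in root.iter(SVG_NS + "rect"):
        rects.append({k: length_parser(rect.get(k))
                      for k in ("x", "y", "width", "height")})
    return rects


def malicious_runs_code():
    """True if the eval()-based importer executed the attacker's expression."""
    width = import_rects(MALICIOUS_SVG, unsafe_length)[0]["width"]
    return width == float(os.getpid())


def malicious_rejected():
    """True if the hardened importer refuses the same file outright."""
    try:
        import_rects(MALICIOUS_SVG, safe_length)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("eval() importer executed file content:", malicious_runs_code())
    print("hardened importer rejected the file:", malicious_rejected())
    print("hardened importer on benign input:", import_rects(BENIGN_SVG, safe_length))
```

The point of the hardened version is not the specific regex but the direction of the check: decide what a length may look like and accept only that, rather than trying to blacklist dangerous substrings before calling eval().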
Fixed for 9.3, sles9-sld-beta, 10.0, STABLE and PLUS. I did not find corresponding code in older versions.
Thanks a lot! Maintenance-Tracker-2515
/work/src/done/PATCHINFO/dia.patch.box /work/src/done/PATCHINFO/dia.patch.maintained
Stanislav, I also need a version for SLES9 (i.e. against /work/SRC/old-versions/9.1/SLES/all/dia) and SLES9-SLD (/work/SRC/old-versions/9.1/SLD/all/dia). Or aren't they affected?
Oh wait, you already answered that. So dia.patch.maintained is not needed.
Older versions don't contain python/diasvg_import.py but plug-ins/python/diasvg.py, which seems to be different.
I cross-checked and can confirm that. The 0.92.2 version does not have the self.eval constructs.
Could you provide dia.patch.maintained for SLD-BETA, too? Thanks.
Is this really needed? I never did a *-BETA patchinfo.
It should have either this common SWAMP ID or the security SWAMP ID.

Joachim Werner wrote:
> I've just talked with Anja Stock and Rudi Oertel about how we should handle the NLD-specific SP3 packages. We agreed that it makes a lot of sense to use the same model as with the SLES9 SPs this time: There is one SWAMPID 2558 for all of them, and we will require patchinfos for every package that goes in. That makes tracking things much easier.
Stanislav, you need to write it in this case (or the one who upgraded dia for NLD9-SP3). Since we never released this update, there is no need for us to be involved. All affected packages released.
CVE-2005-2966: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)