Bug 1718204 (CVE-2019-12761)

Summary: CVE-2019-12761 pyxdg: code injection via crafted python code
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Dhananjay Arunesh <darunesh>
Assignee: Red Hat Product Security <security-response-team>
CC: mbenatto, mclasen, sindrepb
Fixed In Version: pyxdg-0.26
Doc Type: If docs needed, set a value
Last Closed: 2021-10-27 03:28:42 UTC
Bug Depends On: 1718205, 1725109
Bug Blocks: 1718206

Description Dhananjay Arunesh 2019-06-07 09:10:47 UTC
A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.

Reference:
https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562

Upstream commit:
https://gist.github.com/dhondta/b45cd41f4186110a354dc7272916feba

Comment 1 Dhananjay Arunesh 2019-06-07 09:11:09 UTC
Created pyxdg tracking bugs for this issue:

Affects: epel-7 [bug 1718205]

Comment 4 Marco Benatto 2019-06-28 13:09:55 UTC
External References:

https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562

Comment 6 Marco Benatto 2019-06-28 14:15:25 UTC
Statement:

This issue has a Moderate security impact and affects the pyxdg version as shipped with Red Hat Enterprise Linux 6 and 8. For additional information, refer to the Issue Severity Classification:
https://access.redhat.com/security/updates/classification/

Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 7 Marco Benatto 2019-06-28 14:28:16 UTC
Upstream commit for this issue:

https://gitlab.freedesktop.org/xdg/pyxdg/commit/aa4ce1bbc59def6975c9dd1598aafb3ef3fea681

Comment 8 Marco Benatto 2019-06-28 14:33:36 UTC
The pyxdg package up to version 0.25 allows arbitrary code execution via a crafted XDG file. The issue happens due to a lack of proper input validation when parsing the menu file. When the crafted menu file is parsed by the pyxdg library, the injected code ends up being executed due to a badly sanitized eval() call.
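
The two rule-building patterns behind this bug class, as an added illustration that is not pyxdg's own code: splicing the `<Category>` text into Python source that is later passed to eval() (the pre-0.26 style) versus building the membership test as an AST in which the text is a constant node. `MenuEntry`, the function names and the sample category strings are constructed for this example; `rule_shape` only parses the generated source, it never evaluates it.

```python
import ast
from dataclasses import dataclass, field


@dataclass
class MenuEntry:
    # Hypothetical stand-in for a pyxdg menu entry; only the categories matter here.
    desktop_file_id: str
    categories: set = field(default_factory=set)


def vulnerable_category_rule(category_text):
    """Pre-0.26 pattern: the element text is formatted into Python source,
    so whatever it contains is parsed as code once the rule is eval()'d."""
    return "'%s' in menuentry.categories" % category_text


def safe_category_rule(category_text):
    """Hardened pattern: build the expression tree directly. The text becomes
    an ast.Constant, so it is always data and can never change the expression."""
    tree = ast.Expression(
        body=ast.Compare(
            left=ast.Constant(value=category_text),
            ops=[ast.In()],
            comparators=[ast.Attribute(
                value=ast.Name(id="menuentry", ctx=ast.Load()),
                attr="categories",
                ctx=ast.Load())]))
    ast.fix_missing_locations(tree)
    return compile(tree, "<menu>", "eval")


def rule_shape(source):
    """Name of the top-level node of the parsed rule source: 'Compare' for an
    honest membership test, anything else means the text rewrote the rule."""
    return type(ast.parse(source, mode="eval").body).__name__


def matches(code, entry):
    """Evaluate a compiled AST-built rule against one entry, with no builtins exposed."""
    return bool(eval(code, {"__builtins__": {}}, {"menuentry": entry}))


if __name__ == "__main__":
    tampered = "Game' or True or '"  # constructed text that is not a category name
    print(rule_shape(vulnerable_category_rule("Game")))     # Compare
    print(rule_shape(vulnerable_category_rule(tampered)))   # BoolOp: the text became code
    game = MenuEntry("game.desktop", {"Game"})
    print(matches(safe_category_rule("Game"), game))        # True
    print(matches(safe_category_rule(tampered), game))      # False: treated as a literal
```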

Comment 9 Tom "spot" Callaway 2019-06-28 15:37:22 UTC
Marco, that commit in Comment 7 seems like it's doing a lot more than just fixing the CVE. The change in https://gitlab.freedesktop.org/xdg/pyxdg/merge_requests/3 seems much more on point for a 0.25 fix.

As a reminder, Fedora is not vulnerable here because all stable branches are on 0.26. EPEL-7 is vulnerable.

Comment 10 Marco Benatto 2019-06-28 17:16:10 UTC
(In reply to Tom "spot" Callaway from comment #9)
> Marco, that commit in Comment 7 seems like it's doing a lot more than just
> fixing the CVE. The change in
> https://gitlab.freedesktop.org/xdg/pyxdg/merge_requests/3 seems much more on
> point for a 0.25 fix.
> 
> As a reminder, Fedora is not vulnerable here because all stable branches are
> on 0.26. EPEL-7 is vulnerable.

Hi Tom,

thanks for pointing this out. I do agree; I think the merge request is still pending
upstream at this point. I defer to you guys on what would be the best approach to fixing this.

Thanks for the follow up.