Bug 2270185 (CVE-2023-41334)

Summary: CVE-2023-41334 python-astropy: Remote code execution in TranformGraph().to_dot_graph function
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2270186, 2270187    
Bug Blocks:    

Description Pedro Sampaio 2024-03-18 20:12:58 UTC 
Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`.  Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue.

References:

https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539
https://github.com/astropy/astropy/commit/22057d37b1313f5f5a9b5783df0a091d978dccb5
https://github.com/astropy/astropy/security/advisories/GHSA-h2x6-5jx5-46hf
Comment 1 Pedro Sampaio 2024-03-18 20:13:14 UTC 
Created python-astropy tracking bugs for this issue:

Affects: epel-all [bug 2270186]
Affects: fedora-all [bug 2270187]