Bug 481572 (CVE-2009-0318)

Summary: CVE-2009-0318 Gnumeric: untrusted python modules search path
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED RAWHIDE
Severity: low
Priority: low
Version: unspecified
CC: hdegoede, huzaifas, nfilus, terra
Keywords: Security
Hardware: All
OS: Linux
URL: http://www.nabble.com/Bug-484305%3A-bicyclerepair%3A-bike.vim-imports-untrusted-python-files-from-cwd-td18848099.html
Whiteboard: public=20080806,reported=20081112,source=internet,impact=low
Doc Type: Bug Fix
Last Closed: 2009-02-16 05:52:58 EST
Bug Depends On: 482814

Description Jan Lieskovsky 2009-01-26 09:18:04 EST
Untrusted search path vulnerability in the GObject wrapper around the Python
interpreter allows local users to execute arbitrary code via a Trojan horse
Python file in the current working directory, related to an erroneous
setting of sys.path by the PySys_SetArgv function.

References (more details, test case):

Relevant part of the code in

    PySys_SetArgv (G_N_ELEMENTS (plugin_argv) - 1, plugin_argv);
    py_initgnumeric (interpreter);

Proposed patch:
The Debian patch for similar dia's Python related issue,
available at:


should be sufficient to resolve this issue.
Comment 1 Jan Lieskovsky 2009-01-26 09:19:52 EST
This issue affects all versions of the Gnumeric package, as shipped
with Fedora release of 9, 10 and devel.

Please fix.
Comment 2 Jan Lieskovsky 2009-01-28 06:06:09 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0318 to
this vulnerability:

Untrusted search path vulnerability in the GObject Python interpreter
wrapper in Gnumeric allows local users to execute arbitrary code via a
Trojan horse Python file in the current working directory, related to
a vulnerability in the PySys_SetArgv function (CVE-2008-5983).

Comment 3 M Welinder 2009-01-28 19:30:10 EST
Would it be too much to ask for this to be fixed in Python instead of
going through every single python user and try to fix it there?
Comment 4 Huzaifa S. Sidhpurwala 2009-01-29 05:48:16 EST
The following patch should resolve the issue:


However as per this page 

"Going by http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504251#26 this
patch may not be sufficient."

So I am not sure if this patch will resolve the issue.
Comment 5 Huzaifa S. Sidhpurwala 2009-01-29 06:08:33 EST
Opened an upstream bug at:
Comment 6 Jan Lieskovsky 2009-01-29 06:21:08 EST
More explanation why this issue wasn't fixed in Python yet, can be
found here:




and here:


Looks like the Python fix won't come anytime soon, so please
fix the issue in the package, till we find the proper Python solution.
Comment 7 Jan Lieskovsky 2009-01-29 06:27:23 EST
Ray Strode's test case to check the work of the fix can be found here:

Comment 8 M Welinder 2009-01-29 09:09:03 EST
So it basically boils down to...

    We know it's python's fault, but they don't want to (or cannot figure
    out how to) fix it.  Therefore, let's put a black mark on all these
    applications and work around it there.

How do you know you got them all?  -- including all future users of python.

Upstream fixed:

static char *plugin_argv[] = {(char *) "/dev/null/python/is/buggy/gnumeric", NULL};

(without any filtering)
Comment 9 Huzaifa S. Sidhpurwala 2009-01-30 04:43:39 EST
I am going ahead with my patch, as per the upstream Bugzilla reply:

"Huzaifa's patch is OK for Linux, so go ahead and use it."

The upstream has patched it for the devel version afaik, which I don't want to package for Fedora yet until it stabilizes.

F-10 is already built, now for the others.
Comment 10 Jan Lieskovsky 2009-01-30 05:00:14 EST
Re comment c#8:

Re: How do you know you got them all?  -- including all future users of python.

1, Searching for the occurrence of 'magic Python string PySys_SetArgv(1, argv)'
   in the code of all the srpms, as shipped within Fedora 10 Everything repo

2, Hoping the people from other distros will do the same with the pkgs,
   they ship.

3, Hoping the search for a complete Python patch won't be a never-ending
   story and that this fix will one day get escalated into the Python
   upstream code also.
Comment 11 Nikolaus Filus 2009-02-03 14:08:44 EST
I seem to be a recent victim of this bug as I wondered for several weeks now, why my totem and my rhythmbox players crashed at startup. I even filed bugs for both projects and tried to get help from the developers. After some debugging it was sure, that python plugins were the culprit as both apps crashed while initializing the embedded interpreter. The reason was actually found now:

I'm a hobby python programmer and downloaded some recipes from ASPN and saved them in my $HOME - one of them was a custom optparse.py! Now most python libs will ask for optparse sooner or later and as $HOME seems to be the CWD for the whole Xorg session all my GUI apps crashed with a SIGSEGV when opened from nautilus.

Please try to find a fix ASAP....
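
Added example, not part of the bug report or of Gnumeric's code: a Python check of why the `plugin_argv` change quoted in comment 8 stops the stdlib shadowing described in comment 11. `path0_from_argv0` is a simplified model of how PySys_SetArgv derives `sys.path[0]` from `argv[0]` (symlink resolution omitted); the bare name `gnumeric` and the marker module are constructed assumptions.

```python
import os
import subprocess
import sys
import tempfile


def path0_from_argv0(argv0):
    """Simplified model of the entry PySys_SetArgv prepends to sys.path:
    the directory part of argv[0], or '' (meaning "search the current
    working directory") when argv[0] has no directory part."""
    return os.path.dirname(argv0)


# Runs in a child interpreter. -I keeps the child's own startup from adding
# the cwd to sys.path, so the only variable is the entry inserted here.
CHILD = (
    "import sys; sys.path.insert(0, sys.argv[1]); import optparse; "
    "print(getattr(optparse, 'SHADOWED', False))"
)


def stdlib_is_shadowed(argv0, cwd):
    """True if `import optparse` resolves to the file in cwd, not the stdlib."""
    out = subprocess.run(
        [sys.executable, "-I", "-c", CHILD, path0_from_argv0(argv0)],
        cwd=cwd, capture_output=True, text=True, check=True,
    )
    return out.stdout.strip() == "True"


def demo():
    with tempfile.TemporaryDirectory() as cwd:
        # Constructed, harmless stand-in for the stray optparse.py in $HOME.
        with open(os.path.join(cwd, "optparse.py"), "w") as fh:
            fh.write("SHADOWED = True\n")
        return {
            # Assumed bare program name: no directory part, so cwd is searched.
            "bare_name": stdlib_is_shadowed("gnumeric", cwd),
            # Upstream's value: the directory part cannot exist, so the entry is inert.
            "upstream": stdlib_is_shadowed("/dev/null/python/is/buggy/gnumeric", cwd),
        }


if __name__ == "__main__":
    print(demo())
```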
Comment 12 Fedora Update System 2009-02-04 21:15:08 EST
gnumeric-1.8.2-6.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2009-02-04 21:15:43 EST
gnumeric-1.8.2-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.