Bug 481560 - (CVE-2009-0315) CVE-2009-0315 xchat: untrusted python modules search path
CVE-2009-0315 xchat: untrusted python modules search path
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
http://www.nabble.com/Bug-484305%3A-b...
impact=low,public=20080806,reported=2...
: Security
Depends On: CVE-2008-5983
Blocks:
  Show dependency treegraph
 
Reported: 2009-01-26 06:40 EST by Jan Lieskovsky
Modified: 2015-08-21 23:28 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-21 23:28:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
reproducer: dummy xchat module (160 bytes, text/plain)
2009-04-28 05:46 EDT, Petr Šplíchal
no flags Details
reproducer: trojan gtk module (43 bytes, text/plain)
2009-04-28 05:47 EDT, Petr Šplíchal
no flags Details

  None (edit)
Description Jan Lieskovsky 2009-01-26 06:40:44 EST
Untrusted search path vulnerability in the Python module of xchat allows local
users to execute arbitrary code via a Trojan horse Python file in the
current working directory, related to an erroneous setting of sys.path
by the PySys_SetArgv function.

References (test case, PoC):
http://www.nabble.com/Bug-484305%3A-bicyclerepair%3A-bike.vim-imports-untrusted-python-files-from-cwd-td18848099.html

Proposed patch:
The Debian patch for similar dia's Python related issue,
available at:

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=pythonpath.diff;att=1;bug=504251

should be sufficient to resolve this issue.
Comment 1 Jan Lieskovsky 2009-01-26 06:42:58 EST
This issue does NOT affect the version of the xchat package, as shipped
with Red Hat Enterprise Linux 2.1

This issue affects the versions of the xchat package, as shipped
with Red Hat Enterprise Linux 3, 4, and 5.

Comment relevant to fixes for RHEL-{3,4,5}:

The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw.  More information regarding
issue severity can be found here:
http://www.redhat.com/security/updates/classification/
Comment 2 Jan Lieskovsky 2009-01-26 06:43:42 EST
This issue affects all versions of the xchat package, as shipped 
with Fedora releases of 9, 10 and devel.

Please fix.
Comment 5 Jan Lieskovsky 2009-01-28 05:45:07 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0315
the following vulnerability:

Untrusted search path vulnerability in the Python module in xchat
allows local users to execute arbitrary code via a Trojan horse Python
file in the current working directory, related to a vulnerability in
the PySys_SetArgv function (CVE-2008-5983).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0315
http://www.openwall.com/lists/oss-security/2009/01/26/2
Comment 7 Jan Lieskovsky 2009-01-29 06:28:35 EST
More explanation why this issue wasn't fixed in Python yet, can be
found here:

https://bugzilla.redhat.com/show_bug.cgi?id=482814#c1

here:

https://bugzilla.redhat.com/show_bug.cgi?id=482814#c4

and here:

https://bugzilla.redhat.com/show_bug.cgi?id=482814#c5

Looks like the Python fix won't come anytime soon, so please
fix the issue in the package, till we find the proper Python solution.

Ray Strode's test case to check the work of the fix can be found here:

https://bugzilla.redhat.com/show_bug.cgi?id=481556#c8
Comment 8 Petr Šplíchal 2009-04-28 05:46:42 EDT
Created attachment 341543 [details]
reproducer: dummy xchat module
Comment 9 Petr Šplíchal 2009-04-28 05:47:23 EDT
Created attachment 341544 [details]
reproducer: trojan gtk module
Comment 10 Petr Šplíchal 2009-04-28 05:54:54 EDT
The issue is reproducible on RHEL-{4,5}.
On RHEL-3 it seems it's not vulnerable.
Steps to reproduce:

1. mkdir /tmp/trojan
2. download both reproducers to the directory above
3. cd /tmp/trojan
4. xchat
5. menu window -> plugins -> load -> dummy.py
6. i'm trojan will appear in xchat windows if vulnerable

Note: xchat is not vulnerable when the plugin is placed into ~/.xchat2 and loaded automatically upon xchat startup, the vulnerability appears only when the plugin is added manually.
Comment 11 Josh Bressers 2010-05-19 16:27:04 EDT
This issue does not affect xchat for Red Hat Enterprise Linux 3.

This issue does affect xchat for Red Hat Enterprise Linux 4 and 5.
Comment 12 Vincent Danen 2015-08-21 23:28:16 EDT
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.