Untrusted search path vulnerability in the Python module of xchat allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to an erroneous setting of sys.path by the PySys_SetArgv function.
References (test case, PoC): http://www.nabble.com/Bug-484305%3A-bicyclerepair%3A-bike.vim-imports-untrusted-python-files-from-cwd-td18848099.html
Proposed patch: The Debian patch for a similar Python-related issue in dia, available at http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=pythonpath.diff;att=1;bug=504251, should be sufficient to resolve this issue.
This issue does NOT affect the version of the xchat package as shipped with Red Hat Enterprise Linux 2.1. This issue affects the versions of the xchat package as shipped with Red Hat Enterprise Linux 3, 4, and 5.
Comment relevant to fixes for RHEL-{3,4,5}: The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
This issue affects all versions of the xchat package, as shipped with Fedora releases of 9, 10 and devel. Please fix.
Common Vulnerabilities and Exposures assigned the identifier CVE-2009-0315 to the following vulnerability: Untrusted search path vulnerability in the Python module in xchat allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0315
http://www.openwall.com/lists/oss-security/2009/01/26/2
More explanation of why this issue hasn't been fixed in Python yet can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=482814#c1
https://bugzilla.redhat.com/show_bug.cgi?id=482814#c4
https://bugzilla.redhat.com/show_bug.cgi?id=482814#c5
Looks like the Python fix won't come anytime soon, so please fix the issue in the package until we find the proper Python solution.
Ray Strode's test case to check that the fix works can be found here: https://bugzilla.redhat.com/show_bug.cgi?id=481556#c8
Created attachment 341543: reproducer: dummy xchat module
Created attachment 341544: reproducer: trojan gtk module
The issue is reproducible on RHEL-{4,5}. RHEL-3 does not seem to be vulnerable.
Steps to reproduce:
1. mkdir /tmp/trojan
2. download both reproducers to the directory above
3. cd /tmp/trojan
4. xchat
5. menu window -> plugins -> load -> dummy.py
6. "i'm trojan" will appear in the xchat window if vulnerable
Note: xchat is not vulnerable when the plugin is placed into ~/.xchat2 and loaded automatically upon xchat startup; the vulnerability appears only when the plugin is added manually.
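Added example, not part of the bug report or its attachments: a check for the condition this bug describes, an empty or relative entry in an embedded interpreter's sys.path that makes imports resolve against the current working directory, shown before and after those entries are stripped. The module name, the sample path list and the helper function names are constructed for the illustration; nothing is imported, only resolved.

```python
import importlib.machinery
import os
import tempfile

MODULE = "helper_mod_constructed"  # hypothetical module name for the demo


def unsafe_entries(path_list):
    """Entries resolved against the current working directory at import time."""
    # '' is the entry PySys_SetArgv prepends when argv[0] has no script path;
    # any other relative entry ('.', 'plugins') is cwd-dependent as well.
    return [p for p in path_list if not p or not os.path.isabs(p)]


def sanitized(path_list):
    """Copy of path_list with every cwd-dependent entry removed."""
    bad = unsafe_entries(path_list)
    return [p for p in path_list if p not in bad]


def resolve(name, path_list, cwd):
    """Return the file `name` would be imported from, without importing it."""
    old = os.getcwd()
    os.chdir(cwd)
    try:
        spec = importlib.machinery.PathFinder.find_spec(name, path_list)
        return spec.origin if spec else None
    finally:
        os.chdir(old)


def demo():
    # Constructed stand-in for an embedded interpreter's sys.path.
    embedded_path = ["", "/usr/lib/python-constructed/site-packages"]
    with tempfile.TemporaryDirectory() as cwd:
        planted = os.path.join(cwd, MODULE + ".py")
        with open(planted, "w") as fh:
            fh.write("print('loaded from cwd')\n")
        before = resolve(MODULE, embedded_path, cwd)
        after = resolve(MODULE, sanitized(embedded_path), cwd)
    hit = before is not None and os.path.basename(before) == MODULE + ".py"
    return unsafe_entries(embedded_path), hit, after


if __name__ == "__main__":
    flagged, found_in_cwd, after_fix = demo()
    print("cwd-dependent entries:", flagged)
    print("resolved from cwd before cleanup:", found_in_cwd)
    print("resolved after cleanup:", after_fix)
```

Running `unsafe_entries(sys.path)` from inside an application's embedded interpreter shows whether that application is exposed to the same class of problem.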
This issue does not affect xchat for Red Hat Enterprise Linux 3. This issue does affect xchat for Red Hat Enterprise Linux 4 and 5.
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.