Bug 481560 (CVE-2009-0315) - CVE-2009-0315 xchat: untrusted python modules search path
Summary: CVE-2009-0315 xchat: untrusted python modules search path
Status: CLOSED WONTFIX
Alias: CVE-2009-0315
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.nabble.com/Bug-484305%3A-b...
Whiteboard: impact=low,public=20080806,reported=2...
Keywords: Security
Depends On: CVE-2008-5983
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-01-26 11:40 UTC by Jan Lieskovsky
Modified: 2015-08-22 03:28 UTC (History)
4 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2015-08-22 03:28:29 UTC


Attachments (Terms of Use)
reproducer: dummy xchat module (160 bytes, text/plain)
2009-04-28 09:46 UTC, Petr Šplíchal
no flags Details
reproducer: trojan gtk module (43 bytes, text/plain)
2009-04-28 09:47 UTC, Petr Šplíchal
no flags Details

Description Jan Lieskovsky 2009-01-26 11:40:44 UTC
Untrusted search path vulnerability in the Python module of xchat allows local
users to execute arbitrary code via a Trojan horse Python file in the
current working directory, related to an erroneous setting of sys.path
by the PySys_SetArgv function.

References (test case, PoC):
http://www.nabble.com/Bug-484305%3A-bicyclerepair%3A-bike.vim-imports-untrusted-python-files-from-cwd-td18848099.html

Proposed patch:
The Debian patch for similar dia's Python related issue,
available at:

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=pythonpath.diff;att=1;bug=504251

should be sufficient to resolve this issue.

Comment 1 Jan Lieskovsky 2009-01-26 11:42:58 UTC
This issue does NOT affect the version of the xchat package, as shipped
with Red Hat Enterprise Linux 2.1

This issue affects the versions of the xchat package, as shipped
with Red Hat Enterprise Linux 3, 4, and 5.

Comment relevant to fixes for RHEL-{3,4,5}:

The Red Hat Security Response Team has rated this issue as having low security
impact, a future update may address this flaw.  More information regarding
issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Comment 2 Jan Lieskovsky 2009-01-26 11:43:42 UTC
This issue affects all versions of the xchat package, as shipped 
with Fedora releases of 9, 10 and devel.

Please fix.

Comment 5 Jan Lieskovsky 2009-01-28 10:45:07 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0315
the following vulnerability:

Untrusted search path vulnerability in the Python module in xchat
allows local users to execute arbitrary code via a Trojan horse Python
file in the current working directory, related to a vulnerability in
the PySys_SetArgv function (CVE-2008-5983).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0315
http://www.openwall.com/lists/oss-security/2009/01/26/2

Comment 7 Jan Lieskovsky 2009-01-29 11:28:35 UTC
More explanation why this issue wasn't fixed in Python yet, can be
found here:

https://bugzilla.redhat.com/show_bug.cgi?id=482814#c1

here:

https://bugzilla.redhat.com/show_bug.cgi?id=482814#c4

and here:

https://bugzilla.redhat.com/show_bug.cgi?id=482814#c5

Looks like the Python fix won't come anytime soon, so please
fix the issue in the package, till we find the proper Python solution.

Ray Strode's test case to check the work of the fix can be found here:

https://bugzilla.redhat.com/show_bug.cgi?id=481556#c8

Comment 8 Petr Šplíchal 2009-04-28 09:46:42 UTC
Created attachment 341543 [details]
reproducer: dummy xchat module

Comment 9 Petr Šplíchal 2009-04-28 09:47:23 UTC
Created attachment 341544 [details]
reproducer: trojan gtk module

Comment 10 Petr Šplíchal 2009-04-28 09:54:54 UTC
The issue is reproducible on RHEL-{4,5}.
On RHEL-3 it seems it's not vulnerable.
Steps to reproduce:

1. mkdir /tmp/trojan
2. download both reproducers to the directory above
3. cd /tmp/trojan
4. xchat
5. menu window -> plugins -> load -> dummy.py
6. i'm trojan will appear in xchat windows if vulnerable

Note: xchat is not vulnerable when the plugin is placed into ~/.xchat2 and loaded automatically upon xchat startup, the vulnerability appears only when the plugin is added manually.

Comment 11 Josh Bressers 2010-05-19 20:27:04 UTC
This issue does not affect xchat for Red Hat Enterprise Linux 3.

This issue does affect xchat for Red Hat Enterprise Linux 4 and 5.

Comment 12 Vincent Danen 2015-08-22 03:28:16 UTC
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.


Note You need to log in before you can comment on or make changes to this bug.