Untrusted search path vulnerability in the GObject wrapper around the Python interpreter allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to an erroneous setting of sys.path by the PySys_SetArgv function.
References (more details, test case):
http://www.nabble.com/Bug-484305%3A-bicyclerepair%3A-bike.vim-imports-untrusted-python-files-from-cwd-td18848099.html
Relevant part of the code in gnumeric-N.V.R/plugins/python-loader/gnm-py-interpreter.c:
    PySys_SetArgv (G_N_ELEMENTS (plugin_argv) - 1, plugin_argv);
    py_initgnumeric (interpreter);
Proposed patch: The Debian patch for the similar Python-related issue in dia, available at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=pythonpath.diff;att=1;bug=504251
should be sufficient to resolve this issue.
This issue affects all versions of the Gnumeric package, as shipped with Fedora releases 9, 10 and devel. Please fix.
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0318 to this vulnerability:
Untrusted search path vulnerability in the GObject Python interpreter wrapper in Gnumeric allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0318
http://www.openwall.com/lists/oss-security/2009/01/26/2
Would it be too much to ask for this to be fixed in Python instead of going through every single python user and trying to fix it there?
The following patch should resolve the issue: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513418 However, as per this page: "Going by http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504251#26 this patch may not be sufficient." So I am not sure if this patch will resolve the issue.
Opened an upstream bug at: http://bugzilla.gnome.org/show_bug.cgi?id=569648
More explanation why this issue wasn't fixed in Python yet, can be found here: https://bugzilla.redhat.com/show_bug.cgi?id=482814#c1 here: https://bugzilla.redhat.com/show_bug.cgi?id=482814#c4 and here: https://bugzilla.redhat.com/show_bug.cgi?id=482814#c5 Looks like the Python fix won't come anytime soon, so please fix the issue in the package, till we find the proper Python solution.
Ray Strode's test case to check the work of the fix can be found here: https://bugzilla.redhat.com/show_bug.cgi?id=481556#c8
So it basically boils down to... We know it's python's fault, but they don't want to (or cannot figure out how to) fix it. Therefore, let's put a black mark on all these applications and work around it there. How do you know you got them all? -- including all future users of python.
Upstream fixed: http://svn.gnome.org/viewvc/gnumeric?view=revision&revision=17109
    static char *plugin_argv[] = {(char *) "/dev/null/python/is/buggy/gnumeric", NULL};
(without any filtering)
I am going ahead with my patch, as per the upstream bugzilla reply: "Huzaifa's patch is OK for Linux, so go ahead and use it." Upstream has patched it for the devel version afaik, which I don't want to package for Fedora yet until it stabilizes. F-10 is already built, now for the others.
Re comment c#8: Re: How do you know you got them all? -- including all future users of python.
1. Searching for the occurrence of the 'magic Python string PySys_SetArgv(1, argv)' in the code of all the srpms, as shipped within the Fedora 10 Everything repo.
2. Hoping the people from other distros will do the same with the pkgs they ship.
3. Hoping the search for a complete Python patch won't be a never-ending story and once this fix will get escalated into the Python upstream code also.
I seem to be a recent victim of this bug, as I have wondered for several weeks now why my totem and my rhythmbox players crashed at startup. I even filed bugs for both projects and tried to get help from the developers. After some debugging it was sure that python plugins were the culprit, as both apps crashed while initializing the embedded interpreter. The reason was actually found now: I'm a hobby python programmer and downloaded some recipes from ASPN and saved them in my $HOME - one of them was a custom optparse.py! Now most python libs will ask for optparse sooner or later and as $HOME seems to be the CWD for the whole Xorg session all my GUI apps crashed with a SIGSEGV when opened from nautilus. Please try to find a fix ASAP....
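Added example, not part of the original bug thread and not Gnumeric or Python source: a simplified Python model of how PySys_SetArgv derives the first sys.path entry from argv[0], showing why a bare program name lets a file such as the optparse.py reported above win the lookup, and why the argv[0] value from the upstream change does not. The bare name "gnumeric", the temporary directory and the planted file are constructed for illustration, and the model assumes no symlink or realpath resolution.

```python
import importlib.machinery
import os
import tempfile


def argv0_path_entry(argv0):
    """Simplified model (assumption) of the entry PySys_SetArgv prepends to
    sys.path: the directory part of argv[0], or "" when there is none.
    An empty entry makes the import system search the current directory."""
    if not argv0 or argv0 == "-c" or os.sep not in argv0:
        return ""
    head = argv0[: argv0.rfind(os.sep)]
    return head or os.sep


def resolve(name, first_entry, cwd):
    """Return the file the import system would pick for `name` if
    `first_entry` were searched from inside `cwd`. Nothing is imported."""
    old = os.getcwd()
    os.chdir(cwd)
    try:
        spec = importlib.machinery.PathFinder.find_spec(name, [first_entry])
        return os.path.realpath(spec.origin) if spec else None
    finally:
        os.chdir(old)


def demo():
    """Plant a constructed optparse.py in a scratch cwd and compare both argv[0] values."""
    with tempfile.TemporaryDirectory() as workdir:
        planted = os.path.join(workdir, "optparse.py")
        with open(planted, "w") as fh:
            fh.write("# constructed stand-in for an unrelated file in the cwd\n")
        results = {}
        # "gnumeric": constructed bare name; the second value is from the upstream fix.
        for argv0 in ("gnumeric", "/dev/null/python/is/buggy/gnumeric"):
            entry = argv0_path_entry(argv0)
            results[argv0] = (entry, resolve("optparse", entry, workdir))
        return os.path.realpath(planted), results


if __name__ == "__main__":
    planted_file, outcome = demo()
    for argv0, (entry, hit) in outcome.items():
        print(f"argv[0]={argv0!r}: sys.path[0]={entry!r}, optparse resolves to {hit}")
```

A first entry of "" resolves to whatever directory the process was started in, so the fix only has to make that entry point somewhere that cannot exist; /dev/null is not a directory, so nothing can be placed beneath it.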
gnumeric-1.8.2-6.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
gnumeric-1.8.2-4.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.