Bug 481572 (CVE-2009-0318) - CVE-2009-0318 Gnumeric: untrusted python modules search path
Summary: CVE-2009-0318 Gnumeric: untrusted python modules search path
Keywords:
Status: CLOSED RAWHIDE
Alias: CVE-2009-0318
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.nabble.com/Bug-484305%3A-b...
Whiteboard:
Depends On: CVE-2008-5983
Blocks:
 
Reported: 2009-01-26 14:18 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:28 UTC (History)
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-02-16 10:52:58 UTC
Embargoed:



Description Jan Lieskovsky 2009-01-26 14:18:04 UTC
Untrusted search path vulnerability in the GObject wrapper around Python interpreter allows local users to execute arbitrary code via a Trojan horse
Python file in the current working directory, related to an erroneous
setting of sys.path by the PySys_SetArgv function.

References (more details, test case):
http://www.nabble.com/Bug-484305%3A-bicyclerepair%3A-bike.vim-imports-untrusted-python-files-from-cwd-td18848099.html

Relevant part of the code in
gnumeric-N.V.R/plugins/python-loader/gnm-py-interpreter.c (lines 103-104):

    PySys_SetArgv (G_N_ELEMENTS (plugin_argv) - 1, plugin_argv);
    py_initgnumeric (interpreter);

Proposed patch:
The Debian patch for similar dia's Python related issue,
available at:

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=pythonpath.diff;att=1;bug=504251

should be sufficient to resolve this issue.

Comment 1 Jan Lieskovsky 2009-01-26 14:19:52 UTC
This issue affects all versions of the Gnumeric package, as shipped
with Fedora release of 9, 10 and devel.

Please fix.

Comment 2 Jan Lieskovsky 2009-01-28 11:06:09 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0318 to
this vulnerability:

Untrusted search path vulnerability in the GObject Python interpreter
wrapper in Gnumeric allows local users to execute arbitrary code via a
Trojan horse Python file in the current working directory, related to
a vulnerability in the PySys_SetArgv function (CVE-2008-5983).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0318
http://www.openwall.com/lists/oss-security/2009/01/26/2

Comment 3 M Welinder 2009-01-29 00:30:10 UTC
Would it be too much to ask for this to be fixed in Python instead of
going through every single Python user and trying to fix it there?

Comment 4 Huzaifa S. Sidhpurwala 2009-01-29 10:48:16 UTC
The following patch should resolve the issue:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513418

However, as per this page:

"Going by http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504251#26 this
patch may not be sufficient."

So I am not sure if this patch will resolve the issue.

Comment 5 Huzaifa S. Sidhpurwala 2009-01-29 11:08:33 UTC
Opened an upstream bug at:
http://bugzilla.gnome.org/show_bug.cgi?id=569648

Comment 6 Jan Lieskovsky 2009-01-29 11:21:08 UTC
More explanation of why this issue hasn't been fixed in Python yet can be
found here:

https://bugzilla.redhat.com/show_bug.cgi?id=482814#c1

here:

https://bugzilla.redhat.com/show_bug.cgi?id=482814#c4

and here:

https://bugzilla.redhat.com/show_bug.cgi?id=482814#c5

Looks like the Python fix won't come anytime soon, so please
fix the issue in the package until we find the proper Python solution.

Comment 7 Jan Lieskovsky 2009-01-29 11:27:23 UTC
Ray Strode's test case to check that the fix works can be found here:

https://bugzilla.redhat.com/show_bug.cgi?id=481556#c8

Comment 8 M Welinder 2009-01-29 14:09:03 UTC
So it basically boils down to...

    We know it's python's fault, but they don't want to (or cannot figure
    out how to) fix it.  Therefore, let's put a black mark on all these
    applications and work around it there.

How do you know you got them all?  -- including all future users of python.

Upstream fixed:
http://svn.gnome.org/viewvc/gnumeric?view=revision&revision=17109

static char *plugin_argv[] = {(char *) "/dev/null/python/is/buggy/gnumeric", NULL};

(without any filtering)
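The mechanism under discussion in the description and in the upstream fix above, as an added example that is not Gnumeric's or Python's own code: PySys_SetArgv() prepends the directory of argv[0] to sys.path, and when argv[0] has no directory component that entry is '' (the process cwd), so a file such as optparse.py in the cwd shadows the real module. The function pysys_setargv_path0() below is a simplified model of that derivation (real CPython also resolves symlinks when argv[0] exists on disk); the '/dev/null/...' argv[0] is the one from the upstream commit quoted above, and the hardened variant drops the cwd entry the way an embedder can do right after the call (or, on Python 2.6.6+/2.7, by calling PySys_SetArgvEx() with updatepath=0). The trojan module and the temporary "home" directory are constructed for the demonstration.

```python
"""Added example (not Gnumeric's or Python's own code): model what
PySys_SetArgv() does to sys.path[0] for a given argv[0], and show how a
Trojan-horse module in the cwd is then picked up by `import`."""
import os
import tempfile
from importlib.machinery import PathFinder


def pysys_setargv_path0(argv0):
    """Simplified model of the sys.path[0] entry that PySys_SetArgv(argc, argv)
    prepends: the directory part of argv[0], '' (i.e. the cwd) when there is
    none.  Real CPython additionally resolves symlinks when argv[0] exists on
    disk, which the literal an embedder passes (e.g. "gnumeric") does not."""
    head, _sep, _tail = argv0.rpartition(os.sep)
    if head:
        return head
    # "/gnumeric" -> "/", "gnumeric" or "" -> "" (the cwd)
    return os.sep if argv0.startswith(os.sep) else ""


def harden(search_path):
    """Drop every entry that makes imports depend on the process cwd:
    '' and any non-absolute path.  This is what an embedder can do right
    after PySys_SetArgv(), and what PySys_SetArgvEx(..., 0) avoids creating
    in the first place."""
    return [p for p in search_path if p and os.path.isabs(p)]


def resolve(module_name, search_path):
    """Where would `import module_name` be loaded from, searching only the
    given path entries?  Returns the file path or None.  PathFinder treats
    '' exactly as the interpreter does: as the current working directory."""
    spec = PathFinder.find_spec(module_name, search_path)
    return None if spec is None else spec.origin


def demo(trojan_name="optparse"):
    """Constructed scenario from the thread: the user's own optparse.py sits in
    the directory the desktop session uses as cwd.  For each argv[0] an
    embedding application might pass, report where `import optparse` would
    resolve from the entry PySys_SetArgv() prepends, unpatched and hardened
    (None means: not from that entry at all)."""
    results = {}
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as fake_home:
        trojan = os.path.join(fake_home, trojan_name + ".py")
        with open(trojan, "w") as f:  # constructed Trojan-horse module
            f.write("raise SystemExit('trojan %s imported')\n" % trojan_name)
        os.chdir(fake_home)
        try:
            for argv0 in ("gnumeric",                              # Gnumeric before the fix
                          "",                                      # argv[0] left empty
                          "/dev/null/python/is/buggy/gnumeric"):   # upstream r17109
                prepended = [pysys_setargv_path0(argv0)]
                results[argv0] = {
                    "path0": prepended[0],
                    "unpatched": resolve(trojan_name, prepended),
                    "hardened": resolve(trojan_name, harden(prepended)),
                }
        finally:
            os.chdir(old_cwd)
    return results


if __name__ == "__main__":
    for argv0, r in demo().items():
        print("argv[0]=%r -> sys.path[0]=%r  unpatched=%r  hardened=%r"
              % (argv0, r["path0"], r["unpatched"], r["hardened"]))
```

For "gnumeric" and "" the unpatched search finds the trojan file, while the hardened search path is empty and finds nothing; for the upstream "/dev/null/python/is/buggy/gnumeric" value the prepended directory cannot exist, so the entry is harmless even without further filtering, which is the point Morten makes above.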

Comment 9 Huzaifa S. Sidhpurwala 2009-01-30 09:43:39 UTC
I am going ahead with my patch, as per the upstream bugzilla reply:

"Huzaifa's patch is OK for Linux, so go ahead and use it."

Upstream has patched it for the devel version AFAIK, which I don't want to package for Fedora yet until it stabilizes.

F-10 is already built, now for the others.

Comment 10 Jan Lieskovsky 2009-01-30 10:00:14 UTC
Re comment c#8:

Re: How do you know you got them all?  -- including all future users of python.

1. Searching for the occurrence of the 'magic Python string PySys_SetArgv(1, argv)'
   in the code of all the SRPMs, as shipped within the Fedora 10 Everything repo.

2. Hoping the people from other distros will do the same with the packages
   they ship.

3. Hoping the search for a complete Python patch won't be a never-ending
   story, and that this fix will eventually get escalated into the upstream
   Python code as well.

Comment 11 Nikolaus Filus 2009-02-03 19:08:44 UTC
I seem to be a recent victim of this bug, as I have wondered for several weeks now why my totem and my rhythmbox players crashed at startup. I even filed bugs for both projects and tried to get help from the developers. After some debugging it was clear that Python plugins were the culprit, as both apps crashed while initializing the embedded interpreter. The reason has actually been found now:

I'm a hobby Python programmer and downloaded some recipes from ASPN and saved them in my $HOME - one of them was a custom optparse.py! Now most Python libs will ask for optparse sooner or later, and as $HOME seems to be the CWD for the whole Xorg session, all my GUI apps crashed with a SIGSEGV when opened from nautilus.

Please try to find a fix ASAP....

Comment 12 Fedora Update System 2009-02-05 02:15:08 UTC
gnumeric-1.8.2-6.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2009-02-05 02:15:43 UTC
gnumeric-1.8.2-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

