A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.
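The following is an added illustration, not code from PyXDG or from this bug report. It reproduces the pattern the description attributes to xdg/Menu.py before 0.26 (Category text spliced into a Python expression that is then passed to eval) next to a hardened form that treats the text purely as data. It calls the rule builder directly on an in-memory document rather than going through XDG_CONFIG_DIRS and xdg.Menu.parse; the .menu fragment, the Entry class and the PYXDG_DEMO marker are constructed for the demo and the expression shape is an assumption, not the library's exact source.

```python
import os
import xml.etree.ElementTree as ET

# Constructed .menu fragment (not a real PyXDG test file). The second
# <Category> text is an injection payload: it closes the single-quoted
# string the rule builder wraps around it, runs arbitrary Python via the
# __import__ builtin, then reopens the string so the expression still parses.
MENU_XML = """<Menu>
  <Name>Applications</Name>
  <Include>
    <Category>Utility</Category>
    <Category>Utility' in [] or __import__('os').environ.__setitem__('PYXDG_DEMO', 'executed') or 'x</Category>
  </Include>
</Menu>"""

MARKER = "PYXDG_DEMO"  # environment variable the payload sets as proof it ran


class Entry:
    """Minimal stand-in for a desktop entry; PyXDG's objects expose .Categories."""
    def __init__(self, categories):
        self.Categories = list(categories)


def category_texts(menu_xml):
    """Return the text of every <Category> element in the menu document."""
    root = ET.fromstring(menu_xml)
    return [node.text for node in root.iter("Category")]


def vulnerable_rule(category_text):
    # Vulnerable pattern (assumed shape): untrusted text is spliced into
    # Python source and compiled. A quote in the text ends the literal and
    # everything after it is evaluated as code with the builtins available.
    expression = "'%s' in menuentry.Categories" % category_text
    code = compile(expression, "<menu-rule>", "eval")
    return lambda menuentry: bool(eval(code, {}, {"menuentry": menuentry}))


def safe_rule(category_text):
    # Hardened form: no code generation at all; the text is only ever compared
    # as a string, so quotes and parentheses in it have no meaning.
    return lambda menuentry: category_text in menuentry.Categories


def evaluate(menu_xml, make_rule, entry):
    """Apply each Category rule to one entry; report matches and whether the payload ran."""
    os.environ.pop(MARKER, None)
    matches = [make_rule(text)(entry) for text in category_texts(menu_xml)]
    return matches, os.environ.get(MARKER)


def demo():
    entry = Entry(["Utility"])
    vuln = evaluate(MENU_XML, vulnerable_rule, entry)
    safe = evaluate(MENU_XML, safe_rule, entry)
    return {"vulnerable": vuln, "safe": safe}


if __name__ == "__main__":
    for name, (matches, marker) in demo().items():
        print(f"{name}: matches={matches} payload_ran={marker is not None}")
```

With the vulnerable builder the injected call runs during rule evaluation even though the rule itself does not match the entry; with the hardened builder the same text is just an unmatched category name. The same reasoning applies to any other element whose text is interpolated into an eval'd expression: escaping the quotes is not enough, the fix is to stop generating code from the document.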
Created pyxdg tracking bugs for this issue:
Affects: epel-7 [bug 1718205]
This issue has a Moderate security impact and affects the pyxdg versions as shipped with Red Hat Enterprise Linux 6 and 8. For additional information, refer to the Issue Severity Classification:
Red Hat Enterprise Linux 6 is now in the Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Upstream commit for this issue:
The pyxdg package up to version 0.25 allows arbitrary code execution via a crafted XDG file. The issue happens due to a lack of proper input validation when parsing the menu file. When the crafted menu file is parsed by the pyxdg library, the injected code ends up executed due to a badly sanitized eval() call.
Marco, that commit in Comment 7 seems like it's doing a lot more than just fixing the CVE. The change in https://gitlab.freedesktop.org/xdg/pyxdg/merge_requests/3 seems much more on point for a 0.25 fix.
As a reminder, Fedora is not vulnerable here because all stable branches are on 0.26. EPEL-7 is vulnerable.
(In reply to Tom "spot" Callaway from comment #9)
> Marco, that commit in Comment 7 seems like it's doing a lot more than just
> fixing the CVE. The change in
> https://gitlab.freedesktop.org/xdg/pyxdg/merge_requests/3 seems much more on
> point for a 0.25 fix.
> As a reminder, Fedora is not vulnerable here because all stable branches are
> on 0.26. EPEL-7 is vulnerable.
Thanks for pointing this out. I do agree; I think the merge request is still pending
upstream at this point. I defer to you guys on what would be the best approach to fixing this.
Thanks for the follow up.