Bug 1718204 (CVE-2019-12761) - CVE-2019-12761 pyxdg: code injection via crafted python code
Summary: CVE-2019-12761 pyxdg: code injection via crafted python code
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-12761
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1718205 1725109
Blocks: 1718206
Reported: 2019-06-07 09:10 UTC by Dhananjay Arunesh
Modified: 2021-10-27 03:28 UTC

Fixed In Version: pyxdg-0.26
Clone Of:
Environment:
Last Closed: 2021-10-27 03:28:42 UTC
Embargoed:



Description Dhananjay Arunesh 2019-06-07 09:10:47 UTC
A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.

Reference:
https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562

Upstream commit:
https://gist.github.com/dhondta/b45cd41f4186110a354dc7272916feba

Comment 1 Dhananjay Arunesh 2019-06-07 09:11:09 UTC
Created pyxdg tracking bugs for this issue:

Affects: epel-7 [bug 1718205]

Comment 4 Marco Benatto 2019-06-28 13:09:55 UTC
External References:

https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562

Comment 6 Marco Benatto 2019-06-28 14:15:25 UTC
Statement:

This issue has a Moderate security impact and affects the pyxdg version as shipped with Red Hat Enterprise Linux 6 and 8. For additional information, refer to the Issue Severity Classification:
https://access.redhat.com/security/updates/classification/

Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 7 Marco Benatto 2019-06-28 14:28:16 UTC
Upstream commit for this issue:

https://gitlab.freedesktop.org/xdg/pyxdg/commit/aa4ce1bbc59def6975c9dd1598aafb3ef3fea681

Comment 8 Marco Benatto 2019-06-28 14:33:36 UTC
The pyxdg package up to version 0.25 allows arbitrary code execution via a crafted XDG file. The issue happens due to a lack of proper input validation when parsing the menu file. When the crafted menu file is parsed by the pyxdg library, the injected code ends up being executed due to a badly sanitized eval() call.
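
Added example, not pyxdg's own code and not taken from the upstream commit or merge request linked in this bug: a toy menu-rule compiler that shows the bug class described in the Description and in Comment 8 (XML element text spliced into a Python expression and passed to eval()) beside a hardened compiler that turns the same rule into predicate closures, so rule text can never reach the interpreter as code. The element names (Include, Or, And, Not, Category, All) follow the freedesktop menu format; the function names, the sample rule and the category lists are constructed for this illustration.

```python
"""Toy reconstruction of the bug class behind CVE-2019-12761, not pyxdg's
own code: one rule compiler splices XML text into a Python expression and
eval()s it, the other turns the same XML into predicate closures."""
import xml.etree.ElementTree as ET

# Constructed sample <Include> rule in the shape a .menu file uses.
SAMPLE_RULE = """
<Include>
  <Or>
    <Category>Game</Category>
    <And>
      <Category>Audio</Category>
      <Not><Category>Settings</Category></Not>
    </And>
  </Or>
</Include>
"""

# Constructed: a category name that is legitimate data but is no longer a
# valid Python string literal once pasted verbatim between single quotes.
QUOTED_CATEGORY = "<Include><Category>Rock'n'Roll</Category></Include>"


def compile_rule_unsafe(rule_xml):
    """VULNERABLE pattern (the class of defect this bug describes): build
    Python source from element text, then eval it. Category text is pasted
    between quotes with no escaping, so whatever the text contains is parsed
    as Python rather than compared as a category name."""
    def to_source(node):
        if node.tag == "Category":
            return "'%s' in categories" % node.text       # no escaping at all
        if node.tag == "All":
            return "True"
        if node.tag == "Not":
            return "not (%s)" % to_source(node[0])
        if node.tag in ("And", "Or"):
            joiner = " and " if node.tag == "And" else " or "
            return "(" + joiner.join(to_source(c) for c in node) + ")"
        raise ValueError("unknown rule element %r" % node.tag)

    root = ET.fromstring(rule_xml)
    source = "(" + " or ".join(to_source(c) for c in root) + ")"
    code = compile(source, "<menu-rule>", "eval")   # text is now Python syntax
    return lambda categories: bool(eval(code, {"categories": set(categories)}))


def compile_rule_safe(rule_xml):
    """Hardened version: translate the XML into nested closures. Category
    text only ever appears as a value compared against the set, so its
    contents cannot alter control flow and no eval()/compile() is needed."""
    def to_predicate(node):
        if node.tag == "Category":
            wanted = (node.text or "").strip()
            return lambda cats: wanted in cats
        if node.tag == "All":
            return lambda cats: True
        if node.tag == "Not":
            inner = to_predicate(node[0])
            return lambda cats: not inner(cats)
        if node.tag in ("And", "Or"):
            parts = [to_predicate(c) for c in node]
            combine = all if node.tag == "And" else any
            return lambda cats: combine(p(cats) for p in parts)
        raise ValueError("unknown rule element %r" % node.tag)

    root = ET.fromstring(rule_xml)
    parts = [to_predicate(c) for c in root]
    return lambda categories: any(p(frozenset(categories)) for p in parts)


def unsafe_treats_text_as_code(rule_xml):
    """True when the eval-based compiler fails on the rule, i.e. it tried to
    parse category text as Python instead of comparing it as a string."""
    try:
        compile_rule_unsafe(rule_xml)
    except SyntaxError:
        return True
    return False


if __name__ == "__main__":
    for entry_categories in (["Game"], ["Audio"], ["Audio", "Settings"], ["Office"]):
        print(entry_categories,
              compile_rule_unsafe(SAMPLE_RULE)(entry_categories),
              compile_rule_safe(SAMPLE_RULE)(entry_categories))
    print("unsafe compiler parses Rock'n'Roll as code:",
          unsafe_treats_text_as_code(QUOTED_CATEGORY))
    print("safe compiler matches it as data:",
          compile_rule_safe(QUOTED_CATEGORY)(["Rock'n'Roll"]))
```

Both compilers agree on well-formed rules; they diverge as soon as a category name contains anything that is not a valid Python string-literal body. The apostrophe case makes the eval-based compiler raise a SyntaxError, which is the visible symptom of the underlying defect: text from the .menu file is being handed to the Python parser, so text that happens to form a valid expression is executed instead. The closure-based compiler has no code path from rule text to the interpreter, which is the property a fix for this class of bug needs to establish; the actual upstream change is the one linked from Comment 7 and Comment 9.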

Comment 9 Tom "spot" Callaway 2019-06-28 15:37:22 UTC
Marco, that commit in Comment 7 seems like it's doing a lot more than just fixing the CVE. The change in https://gitlab.freedesktop.org/xdg/pyxdg/merge_requests/3 seems much more on point for a 0.25 fix.

As a reminder, Fedora is not vulnerable here because all stable branches are on 0.26. EPEL-7 is vulnerable.

Comment 10 Marco Benatto 2019-06-28 17:16:10 UTC
(In reply to Tom "spot" Callaway from comment #9)
> Marco, that commit in Comment 7 seems like it's doing a lot more than just
> fixing the CVE. The change in
> https://gitlab.freedesktop.org/xdg/pyxdg/merge_requests/3 seems much more on
> point for a 0.25 fix.
> 
> As a reminder, Fedora is not vulnerable here because all stable branches are
> on 0.26. EPEL-7 is vulnerable.

Hi Tom,

thanks for pointing this out. I do agree. I think the merge request is still pending
upstream at this point. I defer to you guys on what would be the best approach to fixing this.

Thanks for the follow up.

