Bug 2270185 (CVE-2023-41334) - CVE-2023-41334 python-astropy: Remote code execution in TranformGraph().to_dot_graph function
Summary: CVE-2023-41334 python-astropy: Remote code execution in TranformGraph().to_do...
Keywords:
Status: NEW
Alias: CVE-2023-41334
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2270186 2270187
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-03-18 20:12 UTC by Pedro Sampaio
Modified: 2024-03-18 20:13 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2024-03-18 20:12:58 UTC 
Astropy is a project for astronomy in Python that fosters interoperability between Python astronomy packages. Version 5.3.2 of the Astropy core package is vulnerable to remote code execution due to improper input validation in the `TranformGraph().to_dot_graph` function. A malicious user can provide a command or a script file as a value to the `savelayout` argument, which will be placed as the first value in a list of arguments passed to `subprocess.Popen`.  Although an error will be raised, the command or script will be executed successfully. Version 5.3.3 fixes this issue.

References:

https://github.com/astropy/astropy/blob/9b97d98802ee4f5350a62b681c35d8687ee81d91/astropy/coordinates/transformations.py#L539
https://github.com/astropy/astropy/commit/22057d37b1313f5f5a9b5783df0a091d978dccb5
https://github.com/astropy/astropy/security/advisories/GHSA-h2x6-5jx5-46hf
Comment 1 Pedro Sampaio 2024-03-18 20:13:14 UTC 
Created python-astropy tracking bugs for this issue:

Affects: epel-all [bug 2270186]
Affects: fedora-all [bug 2270187]
Note You need to log in before you can comment on or make changes to this bug.