[Bug 16687] dia: Arbitrary code execution when importing a .svg file

bugzilla-daemon at bugzilla.ubuntu.com
Fri Sep 30 20:01:43 UTC 2005


Please do not reply to this email.  You can add comments at
http://bugzilla.ubuntu.com/show_bug.cgi?id=16687
Ubuntu | dia

------- Additional Comments From debzilla at ubuntu.com  2005-09-30 21:01 UTC -------
Message-ID: <433D90AB.6060402 at antcom.de>
Date: Fri, 30 Sep 2005 21:23:23 +0200
From: Roland Stigge <stigge at antcom.de>
To: Joxean Koret <joxeankoret at yahoo.es>, 330890 at bugs.debian.org,
	control at bugs.debian.org, debian-security at lists.debian.org
Subject: Re: [Pkg-dia-team] Bug#330890: dia: Arbitrary code execution when
 importing a .svg file


tag 330890 security
tag 330890 upstream
forwarded 330890 http://bugzilla.gnome.org/show_bug.cgi?id=317637
# woody:
notfound 330890 0.88.1-3
# sarge:
found 330890 0.94.0-7
# testing/unstable:
found 330890 0.94.0-14
# experimental
found 330890 0.94.0+CVS20050917-2
thanks

Hi,

thanks for reporting this issue.

Joxean Koret wrote:
> The script diasvg_import.py that comes with the current Debian stable
> version of Dia is vulnerable to an arbitrary code execution.
> 
> I tried to contact the Dia team too many times but without any luck,
> so I think there is no patch at the moment for the issues.

I couldn't find your comment on the upstream mailing list or in a GNOME
mozilla bug.

> Attached goes a working exploit to test the vulnerability.

Attached goes a fix that directly applies to the stable, testing and
unstable versions of dia in Debian (the respective code doesn't appear
in woody). Tested. Will coordinate with debian-security before uploading
to make fixes to stable and unstable consistent.

bye,
  Roland

[Attachment: dia.patch (text/x-patch)]

Index: plug-ins/python/diasvg_import.py
===================================================================
--- plug-ins/python/diasvg_import.py	(revision 7)
+++ plug-ins/python/diasvg_import.py	(working copy)
@@ -54,6 +54,10 @@
 		return (int(m.group(1)) / 255.0, int(m.group(2)) / 255.0, int(m.group(2)) / 255.0)
 	# any more ugly color definitions not compatible with pango_color_parse() ?
 	return string.strip(s)
+
+def eval_secure(s):
+	return string.translate(s, string.maketrans("\"()", "___"))
+
 class Object :
 	def __init__(self) :
 		self.props = {"x" : 0, "y" : 0, "stroke" : "none"}
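Review bot: eval_secure is a deny-list over three characters, and that is the wrong primitive for the eval() call sites the later hunks keep: a backslash is not translated, so a value ending in `\` turns the generated source into `o.x("...\")` with the closing quote escaped, and the name half may still contain `.`, `[` and `]`, so document-controlled input still selects arbitrary attribute and subscript chains on `self`, `dest` or `o` (only the fixed trailing call is constrained). The robust change is to stop building source text at all: resolve the accessor with getattr(), check it is callable and that the name matches something like `[a-z][a-z0-9_]*`, then call it with the value as a plain argument. Unrelated but visible in the context above: the rgb() branch returns `int(m.group(2)) / 255.0` for both the green and blue components; `m.group(3)` is presumably intended for the last one.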
@@ -65,7 +69,8 @@
 			sp2 = string.split(string.strip(s1), ":")
 			if len(sp2) == 2 :
 				try :
-					eval("self." + string.replace(sp2[0], "-", "_") + "(\"" + string.strip(sp2[1]) + "\")")
+					eval("self." + eval_secure(string.replace(sp2[0], "-", "_")) +
+						"(\"" + eval_secure(string.strip(sp2[1])) + "\")")
 				except AttributeError :
 					self.props[sp2[0]] = string.strip(sp2[1])
 	def x(self, s) :
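Review bot: the `except AttributeError` that follows the rewritten eval() is too narrow once input is mangled instead of rejected: a style value ending in a backslash, or an empty property name, now makes eval() raise SyntaxError, which is not caught, so one odd declaration aborts the whole import instead of being skipped. If eval() stays, catch SyntaxError here as well; better, look the accessor up with getattr(self, name, None) and call it directly so the value never passes through a string literal. Minor: the fallback `self.props[sp2[0]] = string.strip(sp2[1])` stores the raw, unsanitised key and value, which is fine for a dict but is why CopyProps below has to sanitise again.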
@@ -282,7 +287,7 @@
 	def CopyProps(self, dest) :
 		# to be used to inherit group props to childs _before_ they get their own
 		for p in self.props.keys() :
-			sf = "dest." + string.replace(p, "-", "_") + "(\"" + str(self.props[p]) + "\")"
+			sf = "dest." + eval_secure(string.replace(p, "-", "_")) + "(\"" + eval_secure(str(self.props[p])) + "\")"
 			try : # accessor first
 				eval(sf)
 			except :
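Review bot: the bare `except :` after `eval(sf)` swallows every failure of the generated call, including the SyntaxError that a backslash in `str(self.props[p])` now produces, so a property that eval_secure has altered is silently dropped into the except branch with nothing reporting that the copy was incomplete. Since `self.props[p]` may hold the raw value stored by the AttributeError fallback in the previous hunk, sanitising here is necessary with the eval() design; cleaner is `accessor = getattr(dest, string.replace(p, "-", "_"), None)` followed by a direct call with `str(self.props[p])`, catching only the exceptions the accessor itself can raise.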
@@ -561,7 +566,7 @@
 				o = Group()
 				stack.append(o)
 			else :
-				s = string.capitalize(name) + "()"
+				s = eval_secure(string.capitalize(name)) + "()"
 				try :
 					o = eval(s)
 				except :
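Review bot: `eval_secure(string.capitalize(name)) + "()"` still instantiates whatever the element name resolves to in this module's namespace; `.` is legal in an XML element name and is not translated, so the name can be an attribute chain, and any module-level callable whose capitalised spelling matches is constructed. Replace the eval() with an explicit table of supported elements, a dict mapping element names to the classes this module defines (Group is visible above), looked up with `.get(name)`, so unknown elements take the existing except path without running any code.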
@@ -575,7 +580,7 @@
 				ma = string.replace(a, "-", "_")
 				# e.g. xlink:href -> xlink__href
 				ma = string.replace(ma, ":", "__")
-				s = "o." +  ma + "(\"" + attrs[a] + "\")"
+				s = "o." +  eval_secure(ma) + "(\"" + eval_secure(attrs[a]) + "\")"
 				try :
 					eval(s)
 				except AttributeError, msg :
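Review bot: `attrs[a]` is the document-controlled string that made the original eval() exploitable, and eval_secure only removes `"`, `(` and `)` from it; `ma` is derived from an XML attribute name, which cannot contain those characters anyway, so sanitising it is a no-op while `.` remains allowed. Prefer `accessor = getattr(o, ma, None)` with a callable check and the direct call `accessor(attrs[a])`; that also removes the requirement that `attrs[a]` be a byte string, since `string.translate` with a `maketrans` table raises TypeError on a unicode object rather than sanitising it. As in the earlier hunk, `except AttributeError, msg :` will not catch the SyntaxError eval() raises for a value ending in a backslash.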

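As an added example (not code from dia, from the dia.patch above or from the reporter's exploit), the attribute dispatch that the patch hardens, rebuilt in Python 3 in three variants: the original eval() of concatenated document text, the patch's deny-list ported to str.translate, and a getattr()-based dispatch that never evaluates document text. The Shape class and its accessors, the EXEC_LOG marker, the SVG snippet and the payload in its stroke attribute are all constructed for this demonstration; the payload chains with `or` because eval() only accepts an expression, so `;` would be a SyntaxError.

```python
"""Added example: eval()-based SVG attribute dispatch (vulnerable), the patch's
deny-list port, and a getattr() dispatch, run over one constructed document."""
import re
import xml.etree.ElementTree as ET

EXEC_LOG = []  # constructed marker: anything appended here ran from document text


class Shape:
    """Stand-in for the plug-in's Object: one accessor per supported attribute."""

    def __init__(self):
        self.props = {"x": 0, "y": 0, "stroke": "none"}

    def x(self, s):
        self.props["x"] = float(s)

    def y(self, s):
        self.props["y"] = float(s)

    def stroke(self, s):
        self.props["stroke"] = s.strip()

    def stroke_width(self, s):
        self.props["stroke-width"] = float(s)


def _accessor_name(attr):
    # same mangling as the plug-in: stroke-width -> stroke_width, xlink:href -> xlink__href
    return attr.replace("-", "_").replace(":", "__")


def set_attr_eval(o, attr, value):
    """Vulnerable: mirrors 'o.' + ma + '("' + attrs[a] + '")' handed to eval()."""
    eval("o." + _accessor_name(attr) + '("' + value + '")')


def eval_secure(s):
    """The patch's deny-list (drop '"', '(' and ')'), ported to str.translate."""
    return s.translate(str.maketrans('"()', "___"))


def set_attr_patched(o, attr, value):
    """Patched: the same eval(), with both halves passed through eval_secure."""
    eval("o." + eval_secure(_accessor_name(attr)) + '("' + eval_secure(value) + '")')


def set_attr_safe(o, attr, value):
    """Hardened: resolve the accessor by name, pass the value as data, never eval."""
    name = _accessor_name(attr)
    accessor = None
    if re.fullmatch(r"[a-z][a-z0-9_]*", name):  # refuse dunders, dots, subscripts
        accessor = getattr(type(o), name, None)  # only methods defined on the class
    if callable(accessor):
        accessor(o, value)
    else:
        o.props[attr] = value  # unknown attribute: keep it, as the plug-in does


# Constructed SVG: the stroke value keeps eval()'s source a valid expression.
SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <rect x="10" y="20" stroke-width="2"
        stroke='1") or EXEC_LOG.append(__import__("os").name) or ("'/>
</svg>"""


def import_svg(data, setter):
    """Parse the document and apply every attribute of every child via setter."""
    shapes = []
    for el in ET.fromstring(data):
        o = Shape()
        for attr, value in el.attrib.items():
            setter(o, attr, value)
        shapes.append((el.tag.rsplit("}", 1)[-1], o))
    return shapes


def run(setter):
    """Import SVG with the given setter; return (first shape's props, code-ran log)."""
    EXEC_LOG.clear()
    shapes = import_svg(SVG, setter)
    return shapes[0][1].props, list(EXEC_LOG)


def patched_trailing_backslash():
    """Edge case the patch leaves: a value ending in a backslash escapes the quote."""
    o = Shape()
    try:
        set_attr_patched(o, "stroke", "red\\")
    except SyntaxError as e:
        return type(e).__name__
    return "no error"


if __name__ == "__main__":
    print("eval     :", run(set_attr_eval))      # EXEC_LOG shows os was imported
    print("patched  :", run(set_attr_patched))   # payload mangled, stored as text
    print("getattr  :", run(set_attr_safe))      # payload stored verbatim as data
    print("backslash:", patched_trailing_backslash())
```

With the eval() setter the import runs `__import__("os")` from an attribute value; the patched setter turns the payload into inert text but still raises SyntaxError for a trailing backslash, which the plug-in's `except AttributeError` would not catch; the getattr() setter treats the payload as an ordinary stroke value and cannot be made to execute anything.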

More information about the desktop-bugs mailing list