Re: [Pkg-dia-team] Bug#330890: dia: Arbitrary code execution when importing a .svg file
tag 330890 security
tag 330890 upstream
forwarded 330890 http://bugzilla.gnome.org/show_bug.cgi?id=317637
# woody:
notfound 330890 0.88.1-3
# sarge:
found 330890 0.94.0-7
# testing/unstable:
found 330890 0.94.0-14
# experimental
found 330890 0.94.0+CVS20050917-2
thanks
Hi,
thanks for reporting this issue.
Joxean Koret wrote:
> The script diasvg_import.py that comes with the current Debian stable
> version of Dia is vulnerable to an arbitrary code execution.
>
> I tried to contact the Dia team too many times but without any luck,
> so I think there is no patch at the moment for the issues.
I couldn't find your comment on the upstream mailing list or in a GNOME
mozilla bug.
> Attached goes a working exploit to test the vulnerability.
Attached goes a fix that directly applies to the stable, testing and
unstable versions of dia in Debian (the respective code doesn't appear
in woody). Tested. Will coordinate with debian-security before uploading
to make fixes to stable and unstable consistent.
bye,
Roland
Index: plug-ins/python/diasvg_import.py
===================================================================
--- plug-ins/python/diasvg_import.py (revision 7)
+++ plug-ins/python/diasvg_import.py (working copy)
@@ -54,6 +54,10 @@
return (int(m.group(1)) / 255.0, int(m.group(2)) / 255.0, int(m.group(2)) / 255.0)
# any more ugly color definitions not compatible with pango_color_parse() ?
return string.strip(s)
+
+def eval_secure(s):
+ return string.translate(s, string.maketrans("\"()", "___"))
+
class Object :
def __init__(self) :
self.props = {"x" : 0, "y" : 0, "stroke" : "none"}
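Review bot: eval_secure is a denylist of three characters (the double quote and both parentheses), and its result is still concatenated into a string handed to eval, so every call site is only as safe as the assumption that nothing else matters. Other characters with meaning inside a Python string literal, such as the backslash, pass through unchanged. An allowlist for names (letters, digits, underscore) would be tighter, and dropping eval at the call sites would make the filter unnecessary. The function also needs a comment stating what it guarantees, because the name promises more than a three-character substitution delivers.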
@@ -65,7 +69,8 @@
sp2 = string.split(string.strip(s1), ":")
if len(sp2) == 2 :
try :
- eval("self." + string.replace(sp2[0], "-", "_") + "(\"" + string.strip(sp2[1]) + "\")")
+ eval("self." + eval_secure(string.replace(sp2[0], "-", "_")) +
+ "(\"" + eval_secure(string.strip(sp2[1])) + "\")")
except AttributeError :
self.props[sp2[0]] = string.strip(sp2[1])
def x(self, s) :
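Review bot: in the replaced eval line the value is rewritten before it reaches the accessor, so a legitimate style value containing parentheses or a double quote arrives with underscores in their place, while the AttributeError fallback right below stores the unfiltered string.strip(sp2[1]) in self.props. The call does not need eval: getattr(self, string.replace(sp2[0], "-", "_")) followed by a direct call with string.strip(sp2[1]) keeps the AttributeError path, passes the value through untouched, and removes the need to filter it.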
@@ -282,7 +287,7 @@
def CopyProps(self, dest) :
# to be used to inherit group props to childs _before_ they get their own
for p in self.props.keys() :
- sf = "dest." + string.replace(p, "-", "_") + "(\"" + str(self.props[p]) + "\")"
+ sf = "dest." + eval_secure(string.replace(p, "-", "_")) + "(\"" + eval_secure(str(self.props[p])) + "\")"
try : # accessor first
eval(sf)
except :
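Review bot: the keys and values iterated in CopyProps come from self.props, which the style parser's AttributeError fallback fills with unfiltered text, so the changed sf line is the only filtering between stored document content and eval(sf), and the bare except after it hides any failure. Suggest getattr(dest, string.replace(p, "-", "_")) called with str(self.props[p]) instead of building sf, and narrowing the handler to AttributeError so unrelated errors surface.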
@@ -561,7 +566,7 @@
o = Group()
stack.append(o)
else :
- s = string.capitalize(name) + "()"
+ s = eval_secure(string.capitalize(name)) + "()"
try :
o = eval(s)
except :
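Review bot: s is still an expression built from the element name, and with only three characters replaced, eval(s) resolves whatever name is in scope rather than only the shape classes; the bare except then swallows the result of a bad lookup silently. A dictionary mapping the supported capitalized element names to their classes, with a miss taking the existing except path, would remove the eval and make the accepted set explicit.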
@@ -575,7 +580,7 @@
ma = string.replace(a, "-", "_")
# e.g. xlink:href -> xlink__href
ma = string.replace(ma, ":", "__")
- s = "o." + ma + "(\"" + attrs[a] + "\")"
+ s = "o." + eval_secure(ma) + "(\"" + eval_secure(attrs[a]) + "\")"
try :
eval(s)
except AttributeError, msg :
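Review bot: in the changed "o." + ma line, the attribute name taken from the document still selects which method of o is called, and eval_secure does not restrict that to the intended accessors. Prefer getattr(o, ma) limited to a known list of attribute names and called with attrs[a] directly; that keeps the existing AttributeError handler meaningful and avoids altering attribute values that legitimately contain parentheses or double quotes.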