Bug 107916 - app-office/dia: arbitrary python code execution through SVG files
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All / Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://bugzilla.gnome.org/show_bug.cg...
Whiteboard: B2 [glsa]
Reported: 2005-10-02 11:04 UTC by Thierry Carrez (RETIRED)
Modified: 2005-10-06 08:06 UTC
Attachments
dia.patch (1.89 KB, patch), 2005-10-02 11:05 UTC, Thierry Carrez (RETIRED)

Description Thierry Carrez (RETIRED) gentoo-dev 2005-10-02 11:04:38 UTC
Joxean Koret discovered that the SVG import plugin in dia, a vector-oriented diagram editor, does not properly sanitise data read from an SVG file and is hence vulnerable to execute arbitrary Python code.

This is CAN-2005-2966.
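The description above names the bug class (untrusted SVG content reaching the Python interpreter) but not the code path. The following is an added example, not dia's code and not the Debian patch attached to this bug: it assumes the defect is the classic pattern of handing SVG attribute text to Python's eval(), and contrasts that with a strict length parser that accepts only numbers and SVG units. The sample SVG, the MARKER list and all function names are constructed for the illustration.

```python
"""Unsafe vs. strict handling of numeric SVG attributes in a Python import plugin."""
import re
import xml.etree.ElementTree as ET

# Records whether attribute text was executed as code (constructed for this example).
MARKER = []

# Constructed sample: the second rect carries an expression instead of a length.
# A plugin that eval()s attribute text runs it; a strict parser rejects it.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <rect x="10" y="20" width="30" height="40"/>
  <rect x="0" y="0" width="MARKER.append('evaluated') or 1" height="2"/>
</svg>"""

SVG_NS = "{http://www.w3.org/2000/svg}"

# An SVG length: a decimal number with optional exponent and optional unit, nothing else.
LENGTH_RE = re.compile(
    r"^\s*([+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?)\s*(px|pt|mm|cm|in)?\s*$"
)
UNIT_TO_PX = {None: 1.0, "px": 1.0, "pt": 96 / 72, "mm": 96 / 25.4,
              "cm": 96 / 2.54, "in": 96.0}


def unsafe_length(text):
    """Hypothetical vulnerable pattern: the attribute string is evaluated as Python."""
    return float(eval(text))


def safe_length(text):
    """Strict parser: match the length grammar or reject the attribute outright."""
    m = LENGTH_RE.match(text)
    if not m:
        raise ValueError(f"rejected SVG length: {text!r}")
    value, unit = m.groups()
    return float(value) * UNIT_TO_PX[unit]


def import_rects(svg_text, parse_length):
    """Collect rect geometry using the given attribute parser.

    Rejected attributes are reported per element instead of aborting the import,
    so one bad element cannot hide the rest of the document.
    """
    root = ET.fromstring(svg_text)
    rects = []
    for el in root.iter(SVG_NS + "rect"):
        try:
            rects.append({k: parse_length(el.get(k, "0"))
                          for k in ("x", "y", "width", "height")})
        except ValueError as exc:
            rects.append({"error": str(exc)})
    return rects


if __name__ == "__main__":
    for rect in import_rects(SAMPLE_SVG, safe_length):
        print(rect)
    print("code executed during strict import:", bool(MARKER))
```

Run stand-alone, the strict import prints the first rect's geometry, an error entry for the second, and reports that no attribute text was executed. The point of the check is that a length attribute has a small, fixed grammar; anything outside it is data to reject, not an expression to interpret.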
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-10-02 11:05:22 UTC
Created attachment 69738: dia.patch

Patch from Steve Kemp / Debian Security
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-10-03 00:32:35 UTC
Gnome herd, please bump with patch and/or advise.
Comment 3 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-10-03 09:10:32 UTC
Patched and bumped. rev is dia-0.94-r3, target stable flags are: alpha amd64 ia64 ppc ppc64 sparc x86
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-10-03 09:14:09 UTC
Thx Daniel
Arches, please test and mark stable...
Comment 5 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-10-03 09:42:33 UTC
amd64 done
Comment 6 Marcin Kryczek (RETIRED) gentoo-dev 2005-10-03 10:22:14 UTC
marked stable on x86
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2005-10-03 10:55:40 UTC
sparc stable.
Comment 8 Fernando J. Pereda (RETIRED) gentoo-dev 2005-10-03 11:37:34 UTC
alpha stable
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2005-10-03 12:35:49 UTC
stable on ppc64
Comment 10 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-04 11:45:47 UTC
Stable on ppc.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-06 08:06:19 UTC
GLSA 200510-06