Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 257020 (CVE-2008-5984) - <app-office/dia-0.97.1 untrusted search path vulnerability in the Python plugin (CVE-2008-5984)
Summary: <app-office/dia-0.97.1 untrusted search path vulnerability in the Python plug...
Status: RESOLVED FIXED
Alias: CVE-2008-5984
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.gnome.org/show_bug.c...
Whiteboard: B3 [noglsa]
Keywords:
Depends on: CVE-2008-5983
Blocks:
  Show dependency tree
 
Reported: 2009-01-31 00:02 UTC by Stefan Behte (RETIRED)
Modified: 2011-01-02 19:24 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-01-31 00:02:50 UTC 
CVE-2008-5984 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5984):
  Untrusted search path vulnerability in the Python plugin in Dia
  0.96.1, and possibly other versions, allows local users to execute
  arbitrary code via a Trojan horse Python file in the current working
  directory, related to a vulnerability in the PySys_SetArgv function
  (CVE-2008-5983).
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-05-02 19:31:27 UTC 
gnome-office, are you alive?
Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev 2009-05-02 20:05:59 UTC 
yes, what's up ? Is there a patch around ? Is upstream aware of this issue ?
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-05-03 10:53:47 UTC 
reported upstream
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-05-25 19:17:26 UTC 
upstream committed:
http://git.gnome.org/cgit/dia/commit/?id=f65009acefcde9b786fe9dab46a3ad044ce3a295

Will be released as 0.97.1 or 0.98.
Comment 5 Chris Mayo 2010-02-15 20:37:34 UTC 
0.97.1 has been released

http://ftp.gnome.org/pub/gnome/sources/dia/0.97/dia-0.97.1.changes

 * 2009-05-23  Hans Breuer  <hans@breuer.org>  a236ca2

Bug #581177 - work around Python's untrusted search path vulnerability
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2010-02-16 11:47:01 UTC 
Chris, thanks for your comment.

gnome-office, please provide a bumped ebuild.
Comment 7 Romain Perier (RETIRED) gentoo-dev 2010-02-16 20:45:38 UTC 
+*dia-0.97.1 (16 Feb 2010)
+
+  16 Feb 2010; Romain Perier <mrpouet@gentoo.org> +dia-0.97.1.ebuild:
+  Version bump, Many bugsfixes, Fix a security issue (CVE-2008-5984). Per
+  bug #257020.
+

done :)
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2010-02-17 14:23:53 UTC 
Thanks for the fast response.

Arches, please test and mark stable:
=app-office/dia-0.97.1
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2010-02-17 19:12:17 UTC 
Stable for HPPA.
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2010-02-21 22:11:19 UTC 
x86 stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2010-02-23 15:52:15 UTC 
ppc64 done
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2010-02-25 19:52:50 UTC 
alpha/ia64/sparc stable
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2010-02-28 21:23:31 UTC 
amd64 stable.
Comment 14 Joe Jezak (RETIRED) gentoo-dev 2010-03-09 19:57:27 UTC 
Marked ppc stable.
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:58:34 UTC 
GLSA Vote: no.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2011-01-02 19:06:28 UTC 
GLSA Vote: no.
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 19:24:17 UTC 
Closing noglsa with two No votes.