257020 – (CVE-2008-5984) <app-office/dia-0.97.1 untrusted search path vulnerability in the Python plugin (CVE-2008-5984)

Bug 257020 (CVE-2008-5984) - <app-office/dia-0.97.1 untrusted search path vulnerability in the Python plugin (CVE-2008-5984)

Summary: <app-office/dia-0.97.1 untrusted search path vulnerability in the Python plug...

Status:	RESOLVED FIXED

Alias:	CVE-2008-5984

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor
Assignee:	Gentoo Security

URL:	https://bugzilla.gnome.org/show_bug.c...
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:	CVE-2008-5983
Blocks:
	Show dependency tree

Reported:	2009-01-31 00:02 UTC by Stefan Behte (RETIRED)
Modified:	2011-01-02 19:24 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Behte (RETIRED) gentoo-dev

2009-01-31 00:02:50 UTC

CVE-2008-5984 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5984):
  Untrusted search path vulnerability in the Python plugin in Dia
  0.96.1, and possibly other versions, allows local users to execute
  arbitrary code via a Trojan horse Python file in the current working
  directory, related to a vulnerability in the PySys_SetArgv function
  (CVE-2008-5983).

Comment 1 Stefan Behte (RETIRED) gentoo-dev

2009-05-02 19:31:27 UTC

gnome-office, are you alive?

Comment 2 Gilles Dartiguelongue (RETIRED) gentoo-dev

2009-05-02 20:05:59 UTC

yes, what's up ? Is there a patch around ? Is upstream aware of this issue ?

Comment 3 Robert Buchholz (RETIRED) gentoo-dev

2009-05-03 10:53:47 UTC

reported upstream

Comment 4 Robert Buchholz (RETIRED) gentoo-dev

2009-05-25 19:17:26 UTC

upstream committed:
http://git.gnome.org/cgit/dia/commit/?id=f65009acefcde9b786fe9dab46a3ad044ce3a295

Will be released as 0.97.1 or 0.98.

Comment 5 Chris Mayo 2010-02-15 20:37:34 UTC

0.97.1 has been released

http://ftp.gnome.org/pub/gnome/sources/dia/0.97/dia-0.97.1.changes

 * 2009-05-23  Hans Breuer  <hans@breuer.org>  a236ca2

Bug #581177 - work around Python's untrusted search path vulnerability

Comment 6 Tobias Heinlein (RETIRED) gentoo-dev

2010-02-16 11:47:01 UTC

Chris, thanks for your comment.

gnome-office, please provide a bumped ebuild.

Comment 7 Romain Perier (RETIRED) gentoo-dev

2010-02-16 20:45:38 UTC

+*dia-0.97.1 (16 Feb 2010)
+
+  16 Feb 2010; Romain Perier <mrpouet@gentoo.org> +dia-0.97.1.ebuild:
+  Version bump, Many bugsfixes, Fix a security issue (CVE-2008-5984). Per
+  bug #257020.
+

done :)

Comment 8 Tobias Heinlein (RETIRED) gentoo-dev

2010-02-17 14:23:53 UTC

Thanks for the fast response.

Arches, please test and mark stable:
=app-office/dia-0.97.1
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

Comment 9 Jeroen Roovers (RETIRED) gentoo-dev

2010-02-17 19:12:17 UTC

Stable for HPPA.

Comment 10 Christian Faulhammer (RETIRED) gentoo-dev

2010-02-21 22:11:19 UTC

x86 stable

Comment 11 Brent Baude (RETIRED) gentoo-dev

2010-02-23 15:52:15 UTC

ppc64 done

Comment 12 Raúl Porcel (RETIRED) gentoo-dev

2010-02-25 19:52:50 UTC

alpha/ia64/sparc stable

Comment 13 Tobias Heinlein (RETIRED) gentoo-dev

2010-02-28 21:23:31 UTC

amd64 stable.

Comment 14 Joe Jezak (RETIRED) gentoo-dev

2010-03-09 19:57:27 UTC

Marked ppc stable.

Comment 15 Tim Sammut (RETIRED) gentoo-dev

2011-01-02 04:58:34 UTC

GLSA Vote: no.

Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2011-01-02 19:06:28 UTC

GLSA Vote: no.

Comment 17 Tim Sammut (RETIRED) gentoo-dev

2011-01-02 19:24:17 UTC

Closing noglsa with two No votes.