Untrusted search path vulnerability in Python and multiple other programs

Bug #322196 reported by Till Ulen
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Python | Fix Released | Unknown | |
gedit | Fix Released | Medium | |
csound (Ubuntu) | Fix Released | Low | Unassigned |
dia (Ubuntu) | Fix Released | Low | Unassigned |
eog (Ubuntu) | Fix Released | Low | Unassigned |
epiphany (Ubuntu) | Invalid | Undecided | Unassigned |
epiphany-browser (Ubuntu) | Fix Released | Low | Unassigned |
gedit (Ubuntu) | Fix Released | Low | Ubuntu Desktop Bugs |
gnumeric (Ubuntu) | Fix Released | Low | Unassigned |
nautilus-python (Ubuntu) | Fix Released | Low | Unassigned |
python2.3 (Ubuntu) | Won't Fix | Undecided | Unassigned |
python2.4 (Ubuntu) | Invalid | Low | Unassigned |
python2.5 (Ubuntu) | Invalid | Low | Unassigned |
python2.6 (Ubuntu) | Fix Released | Low | Unassigned |
vim (Ubuntu) | Fix Released | Low | Unassigned |
xchat (Ubuntu) | Fix Released | Low | Unassigned |

Bug Description

There's an interesting bug (or feature?) in Python 2.6 and earlier that affects multiple applications using Python. The bug allows local or user-assisted remote arbitrary code execution. Here is the description of the Python CVE:

"Untrusted search path vulnerability in the PySys_SetArgv API function
in Python before 2.6 prepends an empty string to sys.path when the
argv[0] argument does not contain a path separator, which might allow
local users to execute arbitrary code via a Trojan horse Python file
in the current working directory."

(Python 2.6 is vulnerable, too. See the comments.)

Affected packages are, at least:

CVE-2008-4863 - Blender (already fixed in Ubuntu, I think)
CVE-2008-5983 - Python
CVE-2008-5984 - Dia
CVE-2008-5985 - Epiphany
CVE-2008-5986 - Csound
CVE-2008-5987 - eog
CVE-2009-0314 - gedit
CVE-2009-0315 - xchat
CVE-2009-0316 - vim
CVE-2009-0317 - Nautilus
CVE-2009-0318 - Gnumeric

I'm not sure which versions of these packages and which Ubuntu releases are actually affected, though.

Source and more information:
oss-security thread at http://www.openwall.com/lists/oss-security/2009/01/28/2
http://www.openwall.com/lists/oss-security/2009/01/26/2


Till Ulen (tillulen) wrote :

Adding CVE references: CVE-2008-5983, CVE-2008-5984, CVE-2008-5985, CVE-2008-5986, CVE-2008-5987,
CVE-2009-0314, CVE-2009-0315, CVE-2009-0316, CVE-2009-0317, CVE-2009-0318

Till Ulen (tillulen) wrote :

According to these links (provided by Jan Lieskovsky in the thread referenced above), Python 2.6 is affected as well.
http://www.openwall.com/lists/oss-security/2009/01/28/5
https://bugzilla.redhat.com/show_bug.cgi?id=482814#c1

description: updated
Changed in csound:
status: New → Confirmed
importance: Undecided → Low
Changed in dia:
status: New → Confirmed
importance: Undecided → Low
Changed in eog:
status: New → Confirmed
importance: Undecided → Low
Changed in gedit:
status: New → Confirmed
importance: Undecided → Low
Changed in gnumeric:
status: New → Confirmed
importance: Undecided → Low
Changed in nautilus:
status: New → Confirmed
importance: Undecided → Low
Changed in python2.4:
status: New → Confirmed
importance: Undecided → Low
Changed in python2.5:
status: New → Confirmed
importance: Undecided → Low
Changed in xchat:
status: New → Confirmed
importance: Undecided → Low
Changed in vim:
status: New → Confirmed
importance: Undecided → Low
Changed in epiphany:
status: New → Invalid
Changed in epiphany-browser:
status: New → Confirmed
Changed in python2.3:
status: New → Confirmed
Changed in gedit:
assignee: nobody → desktop-bugs
status: Confirmed → Triaged
Changed in gedit:
status: Unknown → New
Matthias Klose (doko)
Changed in python2.6 (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
Changed in python2.3 (Ubuntu):
status: Confirmed → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gedit - 2.26.0-0ubuntu3

---------------
gedit (2.26.0-0ubuntu3) jaunty; urgency=low

  * debian/patches/91_correct_path_use.patch:
    - CVE-2009-0314, don't use an untrusted python path when loading
      (lp: #322196)

 -- Sebastien Bacher <email address hidden> Wed, 08 Apr 2009 13:19:13 +0200

Changed in gedit (Ubuntu):
status: Triaged → Fix Released
Kees Cook (kees)
Changed in epiphany-browser (Ubuntu):
importance: Undecided → Low
Andreas J Guelzow (aguelzow) wrote :

Note that a workaround to this python bug was committed to Gnumeric upstream a long time ago (2009-01-29) and so this vulnerability is not in gnumeric anymore since release 1.9.4.

Changed in gnumeric (Ubuntu):
status: Confirmed → Fix Released
Artur Rona (ari-tczew)
description: updated
Kees Cook (kees) wrote :

Shouldn't this be fixed in Python rather than all the tools using Python?

Jan Claeys (janc) wrote :

Upstream python has committed an alternative PySys_SetArgvEx that allows applications that embed python to set sys.argv without also modifying sys.path: http://bugs.python.org/issue5753#msg106256

It does require patches to all those applications though...
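
The behaviour quoted in the CVE text and the effect of the PySys_SetArgvEx alternative mentioned above, as an added example (not code from this bug report or from Python upstream): a simplified model of the sys.path entry the API prepends, plus a check of which file an import would resolve to in each case. The function names, the module name plugin_helper and the directory layout are constructed for illustration, and the model ignores symlink resolution.

```python
import importlib
import os
import tempfile
from importlib.machinery import PathFinder

def setargv_path0(argv0, updatepath=True):
    """Simplified model of the entry PySys_SetArgv prepends to sys.path.
    updatepath=False models PySys_SetArgvEx(argc, argv, 0)."""
    if not updatepath:
        return None  # sys.path is left untouched
    if os.sep not in argv0:
        return ""  # empty string: resolved as the CWD at import time
    return os.path.dirname(argv0)

def cwd_entries(path):
    """sys.path entries that an import resolves relative to the CWD."""
    return [p for p in path if not os.path.isabs(p)]

def resolve(name, path, cwd):
    """Return the file `name` would be loaded from, without executing it."""
    old = os.getcwd()
    os.chdir(cwd)
    try:
        importlib.invalidate_caches()
        spec = PathFinder.find_spec(name, path)
        return os.path.realpath(spec.origin) if spec else None
    finally:
        os.chdir(old)

def demo():
    """Constructed layout: the app's module dir and an untrusted working dir."""
    out = {}
    with tempfile.TemporaryDirectory() as root:
        app, work = (os.path.join(root, d) for d in ("app_modules", "untrusted_cwd"))
        for d in (app, work):
            os.mkdir(d)
            with open(os.path.join(d, "plugin_helper.py"), "w") as f:
                f.write("# constructed sample module\n")
        for label, update in (("SetArgv", True), ("SetArgvEx_0", False)):
            p0 = setargv_path0("gedit", update)  # argv[0] without a separator
            path = ([] if p0 is None else [p0]) + [app]
            origin = resolve("plugin_helper", path, work)
            out[label] = (cwd_entries(path), os.path.basename(os.path.dirname(origin)))
    return out

if __name__ == "__main__":
    print(demo())
```

The `cwd_entries` check can also be run against a live `sys.path` inside an embedding application to confirm that no relative or empty entry remains after initialisation.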

Changed in python:
status: Unknown → Fix Released
Marc Deslauriers (mdeslaur) wrote :

ACK on the hardy update. Updated package was uploaded to hardy-security. Thanks for the debdiff.

Changed in xchat (Ubuntu):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat - 2.8.4-0ubuntu7.1

---------------
xchat (2.8.4-0ubuntu7.1) hardy-security; urgency=low

  * SECURITY UPDATE (LP: #322196)
  * debian/patches/64_CVE-2009-0315.dpatch:
    - Fix untrusted search path vulnerability in the Python module
      in xchat allows local users to execute arbitrary code via
      a Trojan horse Python file in the current working directory
    - CVE-2009-0315
 -- Artur Rona <email address hidden> Tue, 01 Jun 2010 21:27:28 +0200

Changed in xchat (Ubuntu):
status: Fix Committed → Fix Released
Changed in gedit:
status: New → Fix Released
Changed in gedit:
importance: Unknown → Medium
Jamie Strandboge (jdstrand) wrote :

This was fixed in 0.96.1-7.1.

Changed in dia (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

csound was fixed in 1:5.08.2~dfsg-1.1ubuntu2.

Changed in csound (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

eog was fixed in 2.24.1-0ubuntu1.

Changed in eog (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

epiphany-browser was fixed in 2.24.1-0ubuntu1.

Changed in epiphany-browser (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

nautilus-python was fixed in 0.6.1-1

Changed in nautilus-python (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

vim was fixed in 2:7.2.079-1ubuntu5

Changed in vim (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

python2.6 was fixed in 2.6.6-5ubuntu1.

Changed in python2.6 (Ubuntu):
status: Confirmed → Fix Released
dino99 (9d9) wrote :

Support for this version has ended

Changed in python2.4 (Ubuntu):
status: Confirmed → Invalid
Changed in python2.5 (Ubuntu):
status: Confirmed → Invalid
This report contains Public Security information  
Everyone can see this security related information.
