Ubuntu

Untrusted search path vulnerability in Python and multiple other programs

Reported by Alexander Konovalenko on 2009-01-28
Affects                    Status        Importance  Assigned to          Milestone
Python                     Fix Released  Unknown
gedit                      Fix Released  Medium
csound (Ubuntu)                          Low         Unassigned
dia (Ubuntu)                             Low         Unassigned
eog (Ubuntu)                             Low         Unassigned
epiphany (Ubuntu)                        Undecided   Unassigned
epiphany-browser (Ubuntu)                Low         Unassigned
gedit (Ubuntu)                           Low         Ubuntu Desktop Bugs
gnumeric (Ubuntu)                        Low         Unassigned
nautilus-python (Ubuntu)                 Low         Unassigned
python2.3 (Ubuntu)                       Undecided   Unassigned
python2.4 (Ubuntu)                       Low         Unassigned
python2.5 (Ubuntu)                       Low         Unassigned
python2.6 (Ubuntu)                       Low         Unassigned
vim (Ubuntu)                             Low         Unassigned
xchat (Ubuntu)                           Low         Unassigned

Bug Description

There's an interesting bug (or feature?) in Python 2.6 and earlier that affects multiple applications using Python. The bug allows local or user-assisted remote arbitrary code execution. Here is the description of the Python CVE:

"Untrusted search path vulnerability in the PySys_SetArgv API function
in Python before 2.6 prepends an empty string to sys.path when the
argv[0] argument does not contain a path separator, which might allow
local users to execute arbitrary code via a Trojan horse Python file
in the current working directory."

(Python 2.6 is vulnerable, too. See the comments.)

Affected packages are, at least:

CVE-2008-4863 - Blender (already fixed in Ubuntu, I think)
CVE-2008-5983 - Python
CVE-2008-5984 - Dia
CVE-2008-5985 - Epiphany
CVE-2008-5986 - Csound
CVE-2008-5987 - eog
CVE-2009-0314 - gedit
CVE-2009-0315 - xchat
CVE-2009-0316 - vim
CVE-2009-0317 - Nautilus
CVE-2009-0318 - Gnumeric

I'm not sure which versions of these packages and which Ubuntu releases are actually affected, though.

Source and more information:
oss-security thread at http://www.openwall.com/lists/oss-security/2009/01/28/2
http://www.openwall.com/lists/oss-security/2009/01/26/2

Adding CVE references: CVE-2008-5983, CVE-2008-5984, CVE-2008-5985, CVE-2008-5986, CVE-2008-5987,
CVE-2009-0314, CVE-2009-0315, CVE-2009-0316, CVE-2009-0317, CVE-2009-0318

According to these links (provided by Jan Lieskovsky in the thread referenced above), Python 2.6 is affected as well.
http://www.openwall.com/lists/oss-security/2009/01/28/5
https://bugzilla.redhat.com/show_bug.cgi?id=482814#c1

description: updated
Changed in csound:
status: New → Confirmed
importance: Undecided → Low
Changed in dia:
status: New → Confirmed
importance: Undecided → Low
Changed in eog:
status: New → Confirmed
importance: Undecided → Low
Changed in gedit:
status: New → Confirmed
importance: Undecided → Low
Changed in gnumeric:
status: New → Confirmed
importance: Undecided → Low
Changed in nautilus:
status: New → Confirmed
importance: Undecided → Low
Changed in python2.4:
status: New → Confirmed
importance: Undecided → Low
Changed in python2.5:
status: New → Confirmed
importance: Undecided → Low
Changed in xchat:
status: New → Confirmed
importance: Undecided → Low
Changed in vim:
status: New → Confirmed
importance: Undecided → Low
Changed in epiphany:
status: New → Invalid
Changed in epiphany-browser:
status: New → Confirmed
Changed in python2.3:
status: New → Confirmed
Changed in gedit:
assignee: nobody → desktop-bugs
status: Confirmed → Triaged
Changed in gedit:
status: Unknown → New
Matthias Klose (doko) on 2009-04-04
Changed in python2.6 (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
Changed in python2.3 (Ubuntu):
status: Confirmed → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gedit - 2.26.0-0ubuntu3

---------------
gedit (2.26.0-0ubuntu3) jaunty; urgency=low

  * debian/patches/91_correct_path_use.patch:
    - CVE-2009-0314, don't use an untrusted python path when loading
      (lp: #322196)

 -- Sebastien Bacher <email address hidden> Wed, 08 Apr 2009 13:19:13 +0200

Changed in gedit (Ubuntu):
status: Triaged → Fix Released
Kees Cook (kees) on 2009-04-16
Changed in epiphany-browser (Ubuntu):
importance: Undecided → Low
Andreas J Guelzow (aguelzow) wrote :

Note that a workaround to this python bug was committed to Gnumeric upstream a long time ago (2009-01-29) and so this vulnerability is not in gnumeric anymore since release 1.9.4.

Changed in gnumeric (Ubuntu):
status: Confirmed → Fix Released
Artur Rona (ari-tczew) on 2010-05-30
description: updated
Kees Cook (kees) wrote :

Shouldn't this be fixed in Python rather than all the tools using Python?

Jan Claeys (janc) wrote :

Upstream python has committed an alternative PySys_SetArgvEx that allows applications that embed python to set sys.argv without also modifying sys.path: http://bugs.python.org/issue5753#msg106256

It does require patches to all those applications though...
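
Added example (not part of the bug thread and not code from Python or any of the listed projects): a simplified model of the sys.path that PySys_SetArgv and PySys_SetArgvEx(argc, argv, 0) leave behind, plus a check of which file an import would resolve to when the host application is started from a directory containing a same-named module. The function names, the module name hostplugin_demo and the sample files are constructed for this illustration.

```python
import importlib, os, tempfile
from importlib.machinery import PathFinder

def embedded_sys_path(argv, base_path, updatepath=True):
    """Simplified model (an assumption of this example, not CPython source).

    updatepath=True  ~ PySys_SetArgv(argc, argv)
    updatepath=False ~ PySys_SetArgvEx(argc, argv, 0): sys.path is left alone
    """
    path = list(base_path)
    if updatepath:
        argv0 = argv[0] if argv else ""
        # No path separator in argv[0] -> '' is prepended, and '' means
        # "current working directory" at import time.
        path.insert(0, os.path.dirname(argv0) if os.sep in argv0 else "")
    return path

def cwd_dependent(path):
    """sys.path entries whose meaning changes with the working directory."""
    return [p for p in path if not os.path.isabs(p)]

def resolve_origin(name, path):
    """File that `import name` would load for this search path, or None."""
    importlib.invalidate_caches()
    spec = PathFinder.find_spec(name, path)
    return spec.origin if spec else None

def demo():
    """Compare both API models from a directory holding a same-named module."""
    old = os.getcwd()
    with tempfile.TemporaryDirectory() as lib, tempfile.TemporaryDirectory() as work:
        # Constructed sample files: the intended module in `lib` and a
        # same-named file in the directory the host was started from.
        for d in (lib, work):
            with open(os.path.join(d, "hostplugin_demo.py"), "w") as f:
                f.write("ORIGIN = %r\n" % d)
        os.chdir(work)
        try:
            out = {}
            for label, update in (("SetArgv", True), ("SetArgvEx0", False)):
                path = embedded_sys_path(["gedit"], [lib], updatepath=update)
                origin = os.path.realpath(resolve_origin("hostplugin_demo", path))
                from_lib = os.path.dirname(origin) == os.path.realpath(lib)
                out[label] = (cwd_dependent(path), from_lib)
            return out
        finally:
            os.chdir(old)

if __name__ == "__main__":
    print(demo())
```

The same `cwd_dependent` check can be run against the real `sys.path` inside an embedded interpreter to confirm that a patched application no longer carries a working-directory entry.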

Changed in python:
status: Unknown → Fix Released
Marc Deslauriers (mdeslaur) wrote :

ACK on the hardy update. Updated package was uploaded to hardy-security. Thanks for the debdiff.

Changed in xchat (Ubuntu):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat - 2.8.4-0ubuntu7.1

---------------
xchat (2.8.4-0ubuntu7.1) hardy-security; urgency=low

  * SECURITY UPDATE (LP: #322196)
  * debian/patches/64_CVE-2009-0315.dpatch:
    - Fix untrusted search path vulnerability in the Python module
      in xchat allows local users to execute arbitrary code via
      a Trojan horse Python file in the current working directory
    - CVE-2009-0315
 -- Artur Rona <email address hidden> Tue, 01 Jun 2010 21:27:28 +0200

Changed in xchat (Ubuntu):
status: Fix Committed → Fix Released
Changed in gedit:
status: New → Fix Released
Changed in gedit:
importance: Unknown → Medium
Jamie Strandboge (jdstrand) wrote :

This was fixed in 0.96.1-7.1.

Changed in dia (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

csound was fixed in 1:5.08.2~dfsg-1.1ubuntu2.

Changed in csound (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

eog was fixed in 2.24.1-0ubuntu1.

Changed in eog (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

epiphany-browser was fixed in 2.24.1-0ubuntu1.

Changed in epiphany-browser (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

nautilus-python was fixed in 0.6.1-1

Changed in nautilus-python (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

vim was fixed in 2:7.2.079-1ubuntu5

Changed in vim (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

python2.6 was fixed in 2.6.6-5ubuntu1.

Changed in python2.6 (Ubuntu):
status: Confirmed → Fix Released