Vulnerabilities > CVE-2009-0318 - Remote Command Execution vulnerability in Gnumeric 'PySys_SetArgv'
Attack vector
LOCAL Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Untrusted search path vulnerability in the GObject Python interpreter wrapper in Gnumeric allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983).
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-043.NASL description Python has a variable called sys.path that contains all paths where Python loads modules by using import scripting procedure. A wrong handling of that variable enables local attackers to execute arbitrary code via Python scripting in the current Gnumeric working directory (CVE-2009-0318). This update provides fix for that vulnerability. last seen 2020-06-01 modified 2020-06-02 plugin id 37244 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/37244 title Mandriva Linux Security Advisory : gnumeric (MDVSA-2009:043) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2009:043. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(37244); script_version ("1.15"); script_cvs_date("Date: 2019/08/02 13:32:51"); script_cve_id("CVE-2009-0318"); script_bugtraq_id(33438); script_xref(name:"MDVSA", value:"2009:043"); script_name(english:"Mandriva Linux Security Advisory : gnumeric (MDVSA-2009:043)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Python has a variable called sys.path that contains all paths where Python loads modules by using import scripting procedure. A wrong handling of that variable enables local attackers to execute arbitrary code via Python scripting in the current Gnumeric working directory (CVE-2009-0318). This update provides fix for that vulnerability." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gnumeric"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64spreadsheet-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64spreadsheet1.8.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64spreadsheet1.9.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libspreadsheet-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libspreadsheet1.8.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libspreadsheet1.9.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0"); script_set_attribute(attribute:"patch_publication_date", value:"2009/02/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2008.1", reference:"gnumeric-1.8.2-1.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", cpu:"x86_64", reference:"lib64spreadsheet-devel-1.8.2-1.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", cpu:"x86_64", reference:"lib64spreadsheet1.8.2-1.8.2-1.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", cpu:"i386", reference:"libspreadsheet-devel-1.8.2-1.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", cpu:"i386", reference:"libspreadsheet1.8.2-1.8.2-1.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"gnumeric-1.9.2-1.1mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64spreadsheet-devel-1.9.2-1.1mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64spreadsheet1.9.2-1.9.2-1.1mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libspreadsheet-devel-1.9.2-1.1mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libspreadsheet1.9.2-1.9.2-1.1mdv2009.0", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2009-1295.NASL description - Fri Jan 30 2009 Huzaifa Sidhpurwala <huzaifas at redhat.com> 1:1.8.2-4 - Resolves CVE-2009-5983 - Version Bump Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 35596 published 2009-02-05 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35596 title Fedora 9 : gnumeric-1.8.2-4.fc9 (2009-1295) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2009-1295. # include("compat.inc"); if (description) { script_id(35596); script_version ("1.14"); script_cvs_date("Date: 2019/08/02 13:32:29"); script_cve_id("CVE-2008-5983", "CVE-2009-0318"); script_xref(name:"FEDORA", value:"2009-1295"); script_name(english:"Fedora 9 : gnumeric-1.8.2-4.fc9 (2009-1295)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Fri Jan 30 2009 Huzaifa Sidhpurwala <huzaifas at redhat.com> 1:1.8.2-4 - Resolves CVE-2009-5983 - Version Bump Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=481572" ); # https://lists.fedoraproject.org/pipermail/package-announce/2009-February/019851.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?9d95451a" ); script_set_attribute( attribute:"solution", value:"Update the affected gnumeric package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:gnumeric"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:9"); script_set_attribute(attribute:"patch_publication_date", value:"2009/02/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/02/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 9.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC9", reference:"gnumeric-1.8.2-4.fc9")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gnumeric"); }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200904-03.NASL description The remote host is affected by the vulnerability described in GLSA-200904-03 (Gnumeric: Untrusted search path) James Vega reported an untrusted search path vulnerability in the GObject Python interpreter wrapper in Gnumeric. Impact : A local attacker could entice a user to run Gnumeric from a directory containing a specially crafted python module, resulting in the execution of arbitrary code with the privileges of the user running Gnumeric. Workaround : Do not run last seen 2020-06-01 modified 2020-06-02 plugin id 36086 published 2009-04-06 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36086 title GLSA-200904-03 : Gnumeric: Untrusted search path code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200904-03. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(36086); script_version("1.13"); script_cvs_date("Date: 2019/08/02 13:32:45"); script_cve_id("CVE-2009-0318"); script_bugtraq_id(33438); script_xref(name:"GLSA", value:"200904-03"); script_name(english:"GLSA-200904-03 : Gnumeric: Untrusted search path"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200904-03 (Gnumeric: Untrusted search path) James Vega reported an untrusted search path vulnerability in the GObject Python interpreter wrapper in Gnumeric. Impact : A local attacker could entice a user to run Gnumeric from a directory containing a specially crafted python module, resulting in the execution of arbitrary code with the privileges of the user running Gnumeric. Workaround : Do not run 'gnumeric' from untrusted working directories." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200904-03" ); script_set_attribute( attribute:"solution", value: "All Gnumeric users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=app-office/gnumeric-1.8.4-r1'" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:gnumeric"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2009/04/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/06"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"app-office/gnumeric", unaffected:make_list("ge 1.8.4-r1"), vulnerable:make_list("lt 1.8.4-r1"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Gnumeric"); }NASL family Fedora Local Security Checks NASL id FEDORA_2009-1289.NASL description - Fri Jan 30 2009 Huzaifa Sidhpurwala <huzaifas at redhat.com> 1:1.8.2-6 - Resolves CVE-2008-5983 - Version bump to match the rawhide version Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 37680 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/37680 title Fedora 10 : gnumeric-1.8.2-6.fc10 (2009-1289) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2009-1289. # include("compat.inc"); if (description) { script_id(37680); script_version ("1.11"); script_cvs_date("Date: 2019/08/02 13:32:29"); script_cve_id("CVE-2009-0318"); script_xref(name:"FEDORA", value:"2009-1289"); script_name(english:"Fedora 10 : gnumeric-1.8.2-6.fc10 (2009-1289)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Fri Jan 30 2009 Huzaifa Sidhpurwala <huzaifas at redhat.com> 1:1.8.2-6 - Resolves CVE-2008-5983 - Version bump to match the rawhide version Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=481572" ); # https://lists.fedoraproject.org/pipermail/package-announce/2009-February/019752.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?38a32cd2" ); script_set_attribute( attribute:"solution", value:"Update the affected gnumeric package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:gnumeric"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:10"); script_set_attribute(attribute:"patch_publication_date", value:"2009/02/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^10([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 10.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC10", reference:"gnumeric-1.8.2-6.fc10")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gnumeric"); }
References
- http://bugzilla.gnome.org/show_bug.cgi?id=569648
- http://secunia.com/advisories/33707
- http://secunia.com/advisories/33823
- http://security.gentoo.org/glsa/glsa-200904-03.xml
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:043
- http://www.openwall.com/lists/oss-security/2009/01/26/2
- http://www.securityfocus.com/bid/33438
- https://bugzilla.redhat.com/show_bug.cgi?id=481572
- https://www.redhat.com/archives/fedora-package-announce/2009-February/msg00211.html