Bug 916835 (CVE-2013-4245) - VUL-1: CVE-2013-4245: orca: Arbitrary code execution due to insecure CWD Python module load
Status: RESOLVED FIXED
Alias: CVE-2013-4245
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P2 - High; Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/113630/
Reported: 2015-02-09 09:38 UTC by Johannes Segitz
Modified: 2016-04-27 18:22 UTC
Found By: Security Response Team
Description Johannes Segitz 2015-02-09 09:38:03 UTC
rh#995060

A security flaw was found in the way Orca, a screen reader that provides access to the graphical desktop via user-customizable combinations of speech and/or braille, used to load required Python language modules (an existing Python module in the current working directory with a name matching some of the modules Orca required for its run was previously loaded and subsequently used). A local attacker with the ability to write into the directory the victim user was running Orca from could use this flaw to execute arbitrary code with the privileges of the user running Orca.

Had a quick look at the changelog (3.10.3) but couldn't find anything that resembles this.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=995060
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4245
Comment 1 Michael Gorse 2015-09-29 18:54:03 UTC
I ran orca (both 3.10.3 and 2.28.3) under strace to look for python modules being opened without an absolute path. I didn't find any cases of that happening for 3.10.3, but I did find some for 2.28.3. So I suspect that this CVE only applies to older versions of orca.

Orca 2.28.3 inadvertently sets PYTHONPATH to include the current directory if no value was already set (the normal case) and also adds the current working directory to sys.path, although this doesn't appear to be necessary, aside from orca-customizations.py otherwise needing to be located in ~/.orca rather than in the user's home directory.

sr#70120 for SLE-11-SP1.
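
The condition described in comment 1, a module search path that depends on the current working directory, can be checked for directly. The following is an added example, not Orca's code or the SUSE fix; the function names and sample paths are constructed, and the empty-field `PYTHONPATH` form is an assumed illustration of how a launcher can pick up the current directory (the page does not say how Orca 2.28.3 did it).

```python
import os
import sys

POSIX_SEP = ":"  # PYTHONPATH separator on Linux


def split_pythonpath(value):
    """Split a PYTHONPATH value; CPython ignores an unset or empty variable."""
    if not value:
        return []
    # Keep empty fields: ":/opt/app/lib" has an empty first entry.
    return value.split(POSIX_SEP)


def cwd_dependent_entries(entries, cwd):
    """Return (index, entry, reason) for entries that resolve through the CWD."""
    findings = []
    for index, entry in enumerate(entries):
        if entry == "":
            findings.append((index, entry, "empty entry is the current directory"))
        elif not os.path.isabs(entry):
            findings.append((index, entry, "relative path, resolved against the CWD"))
        elif os.path.normpath(entry) == os.path.normpath(cwd):
            findings.append((index, entry, "absolute path equal to the CWD"))
    return findings


def audit(pythonpath, sys_path, cwd):
    """Check both places named in comment 1: PYTHONPATH and sys.path."""
    return {
        "PYTHONPATH": cwd_dependent_entries(split_pythonpath(pythonpath), cwd),
        "sys.path": cwd_dependent_entries(sys_path, cwd),
    }


if __name__ == "__main__":
    # Constructed sample: a launcher appended to an unset PYTHONPATH, and the
    # program also added its launch directory to sys.path.
    sample = audit(":/opt/app/lib", ["/usr/lib/python2.6", "/tmp/shared"], "/tmp/shared")
    for source, findings in sample.items():
        for index, entry, reason in findings:
            print("sample %s[%d] %r: %s" % (source, index, entry, reason))
    # The same check against the running interpreter.
    live = audit(os.environ.get("PYTHONPATH"), sys.path, os.getcwd())
    for source, findings in live.items():
        for index, entry, reason in findings:
            print("live %s[%d] %r: %s" % (source, index, entry, reason))
```
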
Comment 3 Michael Gorse 2015-10-01 19:35:13 UTC
Not sure if we need to do anything else, but assigning to security-team.
Comment 4 Swamp Workflow Management 2015-12-02 16:12:54 UTC
SUSE-SU-2015:2172-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 916835
CVE References: CVE-2013-4245
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    orca-2.28.3-0.5.10
SUSE Linux Enterprise Server 11-SP4 (src):    orca-2.28.3-0.5.10
SUSE Linux Enterprise Server 11-SP3 (src):    orca-2.28.3-0.5.10
SUSE Linux Enterprise Desktop 11-SP4 (src):    orca-2.28.3-0.5.10
SUSE Linux Enterprise Desktop 11-SP3 (src):    orca-2.28.3-0.5.10
Comment 5 Marcus Meissner 2016-03-23 08:19:04 UTC
released