Subject: dia: Arbitrary code execution when importing a .svg file
Package: dia
Severity: grave
Justification: user security hole

The script diasvg_import.py that comes with the current Debian stable
version of Dia is vulnerable to arbitrary code execution.

I tried to contact the Dia team too many times but without any luck,
so I think there is no patch at the moment for the issues.

Attached is a working exploit to test the vulnerability.

Regards,
Joxean Koret


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-386
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Attachment: exploit.svg
Description: image/svg

Attachment: signature.asc
Description: This part of the message is digitally signed
