Support / Security / Advisories / Corporate Server 3.0 / MDVSA-2009:046

Package name: dia
Date: 2009-02-20
Advisory ID: MDVSA-2009:046
Affected versions: CS3.0 i586 , CS3.0 x86_64

Problem description

Python has a variable called sys.path that contains all paths where
Python loads modules by using import scripting procedure. A wrong
handling of that variable enables local attackers to execute arbitrary
code via Python scripting in the current dia working directory
(CVE-2008-5984).

This update provides fix for that vulnerability.

Updated packages

CS3.0 i586

 46638030e4a286f1e074cc2229c552cb  corporate/3.0/i586/dia-0.92.2-2.4.C30mdk.i586.rpm 
 2f1847fc986675bf19c29d949ce24bfe  corporate/3.0/SRPMS/dia-0.92.2-2.4.C30mdk.src.rpm

CS3.0 x86_64

 1137d4acde3d7f806c1f22bc0990db1c  corporate/3.0/x86_64/dia-0.92.2-2.4.C30mdk.x86_64.rpm 
 2f1847fc986675bf19c29d949ce24bfe  corporate/3.0/SRPMS/dia-0.92.2-2.4.C30mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5984