CVE-2015-20107 (https://github.com/python/cpython/issues/68966): In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
Looks like a fix made it into mainline as: https://github.com/python/cpython/commit/b9509ba7a9c668b984dab876c7926fe1dc5aa0ba Which has made it into 3.9.13, 3.10.5, and 3.11.0.
(In reply to John Helmert III from comment #1) > Looks like a fix made it into mainline as: > > https://github.com/python/cpython/commit/ > b9509ba7a9c668b984dab876c7926fe1dc5aa0ba > > Which has made it into 3.9.13, 3.10.5, and 3.11.0. I don't see it in 3.9 or 3.10. FWICS the only thing that has happened for the old versions was adding a warning about the module being deprecated in Python 3.11. FWICS, the docs even don't warn about the actual problem.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36063b2db18e7ab9604a7d876d74494a7883f2b0 commit 36063b2db18e7ab9604a7d876d74494a7883f2b0 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2022-08-10 05:57:54 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2022-08-10 06:02:31 +0000 dev-lang/python: Backport secfixes to 3.8.13_p5 Bug: https://bugs.gentoo.org/834533 Bug: https://bugs.gentoo.org/838250 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-3.8.13_p5.ebuild | 349 ++++++++++++++++++++++++++++++++ 2 files changed, 350 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ac85939cdee26b89aeb9e500d97d3c798a1f57f commit 2ac85939cdee26b89aeb9e500d97d3c798a1f57f Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2022-08-10 05:51:47 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2022-08-10 06:02:31 +0000 dev-lang/python: Backport secfixes to 3.9.13_p2 Bug: https://bugs.gentoo.org/834533 Bug: https://bugs.gentoo.org/838250 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-3.9.13_p2.ebuild | 403 ++++++++++++++++++++++++++++++++ 2 files changed, 404 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5d0362c64a98b15d274ae5de7962fc5cb6974af commit f5d0362c64a98b15d274ae5de7962fc5cb6974af Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2022-08-10 05:46:26 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2022-08-10 06:02:30 +0000 dev-lang/python: Backport mailcap secfix to 3.10.6_p1 Bug: https://bugs.gentoo.org/838250 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-lang/python/Manifest | 1 + dev-lang/python/python-3.10.6_p1.ebuild | 408 ++++++++++++++++++++++++++++++++ 2 files changed, 409 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53de9a0c1a9392749b46e9b326516023b3dcbcdc commit 53de9a0c1a9392749b46e9b326516023b3dcbcdc Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2022-08-10 09:28:47 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2022-08-10 09:28:47 +0000 dev-python/pypy3: Backport secfixes to 7.3.9_p5 Bug: https://bugs.gentoo.org/834533 Bug: https://bugs.gentoo.org/838250 Bug: https://bugs.gentoo.org/864747 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-python/pypy3/Manifest | 1 + dev-python/pypy3/pypy3-7.3.9_p5.ebuild | 210 +++++++++++++++++++++++++++++++++ 2 files changed, 211 insertions(+)
Python 2.7 is affected too.
cleanup done.
GLSA requested
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=721dfacf17914fe5f7bfa3d0b401379d6318f7b1 commit 721dfacf17914fe5f7bfa3d0b401379d6318f7b1 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-05-03 09:12:43 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-05-03 09:31:45 +0000 [ GLSA 202305-02 ] Python, PyPy3: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/787260 Bug: https://bugs.gentoo.org/793833 Bug: https://bugs.gentoo.org/811165 Bug: https://bugs.gentoo.org/834533 Bug: https://bugs.gentoo.org/835443 Bug: https://bugs.gentoo.org/838250 Bug: https://bugs.gentoo.org/864747 Bug: https://bugs.gentoo.org/876815 Bug: https://bugs.gentoo.org/877851 Bug: https://bugs.gentoo.org/878385 Bug: https://bugs.gentoo.org/880629 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org> glsa-202305-02.xml | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 107 insertions(+)
