
Bug 838250 (CVE-2015-20107)

Summary: <dev-lang/python-{3.8.13_p5,3.9.13_p2,3.10.6_p1} <dev-python/pypy3-7.3.9_p5: mailcap.findmatch on untrusted filenames leads to command injection
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: mgorny, python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugs.python.org/issue24778
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 864741, 864743, 864745, 864781    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-13 19:22:55 UTC
CVE-2015-20107 (https://github.com/python/cpython/issues/68966):

In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
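
The behaviour described in the CVE text above, as an added example that is not part of the original report or of CPython's code: a simplified model of `%s` substitution into a mailcap command template, next to two hardened variants. The template, the filename and the allow-list are constructed for illustration; nothing is executed, and `shlex` is used only to show how a POSIX shell would tokenize each result.

```python
import re
import shlex

# Constructed mailcap "view" command template; %s stands for the filename.
VIEW_TEMPLATE = "less %s"

# Allow-list of characters accepted in a filename (an assumption of this
# example, not a value taken from the bug report).
_UNSAFE = re.compile(r"[^\w@+=:,./-]").search


def subst_unescaped(template, filename):
    """Model of the reported behaviour: %s is replaced verbatim."""
    return template.replace("%s", filename)


def subst_quoted(template, filename):
    """Quote the filename so a POSIX shell sees it as a single argument."""
    return template.replace("%s", shlex.quote(filename))


def subst_strict(template, filename):
    """Refuse to build a command from a filename outside the allow-list."""
    if _UNSAFE(filename):
        return None
    return template.replace("%s", filename)


def shell_tokens(cmdline):
    """Tokenize the way a POSIX shell would, keeping ';', '|', '&' separate."""
    return list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))


if __name__ == "__main__":
    # Constructed untrusted filename containing a shell control operator.
    name = "report.txt; echo INJECTED"
    for build in (subst_unescaped, subst_quoted, subst_strict):
        cmd = build(VIEW_TEMPLATE, name)
        print(build.__name__, "->", cmd, shell_tokens(cmd) if cmd else "refused")
```

Quoting assumes the template does not already wrap `%s` in quotes of its own; refusing unsafe filenames holds regardless of how the mailcap entry is written.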
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-09 21:57:25 UTC
Looks like a fix made it into mainline as:

https://github.com/python/cpython/commit/b9509ba7a9c668b984dab876c7926fe1dc5aa0ba

Which has made it into 3.9.13, 3.10.5, and 3.11.0.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 05:43:06 UTC
(In reply to John Helmert III from comment #1)
> Looks like a fix made it into mainline as:
> 
> https://github.com/python/cpython/commit/b9509ba7a9c668b984dab876c7926fe1dc5aa0ba
> 
> Which has made it into 3.9.13, 3.10.5, and 3.11.0.

I don't see it in 3.9 or 3.10. FWICS the only thing that has happened for the old versions was adding a warning about the module being deprecated in Python 3.11. FWICS, the docs don't even warn about the actual problem.
Comment 3 Larry the Git Cow gentoo-dev 2022-08-10 06:02:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36063b2db18e7ab9604a7d876d74494a7883f2b0

commit 36063b2db18e7ab9604a7d876d74494a7883f2b0
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 05:57:54 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 06:02:31 +0000

    dev-lang/python: Backport secfixes to 3.8.13_p5
    
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/838250
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.8.13_p5.ebuild | 349 ++++++++++++++++++++++++++++++++
 2 files changed, 350 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ac85939cdee26b89aeb9e500d97d3c798a1f57f

commit 2ac85939cdee26b89aeb9e500d97d3c798a1f57f
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 05:51:47 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 06:02:31 +0000

    dev-lang/python: Backport secfixes to 3.9.13_p2
    
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/838250
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.9.13_p2.ebuild | 403 ++++++++++++++++++++++++++++++++
 2 files changed, 404 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5d0362c64a98b15d274ae5de7962fc5cb6974af

commit f5d0362c64a98b15d274ae5de7962fc5cb6974af
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 05:46:26 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 06:02:30 +0000

    dev-lang/python: Backport mailcap secfix to 3.10.6_p1
    
    Bug: https://bugs.gentoo.org/838250
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.10.6_p1.ebuild | 408 ++++++++++++++++++++++++++++++++
 2 files changed, 409 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2022-08-10 09:31:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53de9a0c1a9392749b46e9b326516023b3dcbcdc

commit 53de9a0c1a9392749b46e9b326516023b3dcbcdc
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 09:28:47 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 09:28:47 +0000

    dev-python/pypy3: Backport secfixes to 7.3.9_p5
    
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/838250
    Bug: https://bugs.gentoo.org/864747
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pypy3/Manifest              |   1 +
 dev-python/pypy3/pypy3-7.3.9_p5.ebuild | 210 +++++++++++++++++++++++++++++++++
 2 files changed, 211 insertions(+)
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 15:59:35 UTC
Python 2.7 is affected too.
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-08-25 07:43:02 UTC
cleanup done.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-19 01:15:36 UTC
GLSA requested
Comment 8 Larry the Git Cow gentoo-dev 2023-05-03 09:31:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=721dfacf17914fe5f7bfa3d0b401379d6318f7b1

commit 721dfacf17914fe5f7bfa3d0b401379d6318f7b1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:12:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:31:45 +0000

    [ GLSA 202305-02 ] Python, PyPy3: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/787260
    Bug: https://bugs.gentoo.org/793833
    Bug: https://bugs.gentoo.org/811165
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/835443
    Bug: https://bugs.gentoo.org/838250
    Bug: https://bugs.gentoo.org/864747
    Bug: https://bugs.gentoo.org/876815
    Bug: https://bugs.gentoo.org/877851
    Bug: https://bugs.gentoo.org/878385
    Bug: https://bugs.gentoo.org/880629
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-02.xml | 107 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 107 insertions(+)