Bug 838250 (CVE-2015-20107) - <dev-lang/python-{3.8.13_p5,3.9.13_p2,3.10.6_p1} <dev-python/pypy3-7.3.9_p5: mailcap.findmatch on untrusted filenames leads to command injection
Status: IN_PROGRESS
Alias: CVE-2015-20107
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugs.python.org/issue24778
Whiteboard: A2 [glsa]
Keywords:
Depends on: 864741 864743 864745 864781
Blocks:
Reported: 2022-04-13 19:22 UTC by John Helmert III
Modified: 2022-11-19 01:15 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-13 19:22:55 UTC
CVE-2015-20107 (https://github.com/python/cpython/issues/68966):

In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
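
An added illustration of the flaw described in the report above (not part of the original bug report, and not CPython's or Gentoo's code): a simplified model of mailcap-style `%s` substitution, run with a raw filename, with a shell-quoted filename, and with an allow-list check. The template, the filename, the allow-list and all function names are assumptions constructed for this example.

```python
import re
import shlex
import subprocess

# Constructed stand-in for a mailcap "view" command; %s is the filename slot.
TEMPLATE = "echo VIEW %s"

# Constructed filename carrying a shell metacharacter (harmless payload: echo).
HOSTILE_NAME = "notes.txt; echo INJECTED"

# Assumed allow-list for this example: word chars plus a few path-safe symbols.
_UNSAFE = re.compile(r"[^\w@+=:,./-]")


def naive_command(template: str, filename: str) -> str:
    """Model of the flaw: the raw filename is pasted into the command."""
    return template.replace("%s", filename)


def quoted_command(template: str, filename: str) -> str:
    """Mitigation 1: shell-quote the filename before substitution."""
    return template.replace("%s", shlex.quote(filename))


def checked_command(template: str, filename: str):
    """Mitigation 2: refuse filenames with characters outside the allow-list."""
    if _UNSAFE.search(filename):
        return None
    return template.replace("%s", filename)


def run(command: str) -> list:
    """Run through the shell, as a caller handing the string to os.system would."""
    out = subprocess.run(command, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    print(run(naive_command(TEMPLATE, HOSTILE_NAME)))   # two commands ran
    print(run(quoted_command(TEMPLATE, HOSTILE_NAME)))  # one command, one argument
    print(checked_command(TEMPLATE, HOSTILE_NAME))      # rejected before any shell
```

Quoting only helps when the template's `%s` is not already inside quotes; where templates come from a file the application does not control, rejecting unsafe filenames or avoiding the shell entirely is the more robust choice.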
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-09 21:57:25 UTC
Looks like a fix made it into mainline as:

https://github.com/python/cpython/commit/b9509ba7a9c668b984dab876c7926fe1dc5aa0ba

Which has made it into 3.9.13, 3.10.5, and 3.11.0.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 05:43:06 UTC
(In reply to John Helmert III from comment #1)
> Looks like a fix made it into mainline as:
> 
> https://github.com/python/cpython/commit/b9509ba7a9c668b984dab876c7926fe1dc5aa0ba
> 
> Which has made it into 3.9.13, 3.10.5, and 3.11.0.

I don't see it in 3.9 or 3.10. FWICS the only thing that has happened for the old versions was adding a warning about the module being deprecated in Python 3.11. FWICS, the docs don't even warn about the actual problem.
Comment 3 Larry the Git Cow gentoo-dev 2022-08-10 06:02:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36063b2db18e7ab9604a7d876d74494a7883f2b0

commit 36063b2db18e7ab9604a7d876d74494a7883f2b0
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 05:57:54 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 06:02:31 +0000

    dev-lang/python: Backport secfixes to 3.8.13_p5
    
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/838250
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.8.13_p5.ebuild | 349 ++++++++++++++++++++++++++++++++
 2 files changed, 350 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ac85939cdee26b89aeb9e500d97d3c798a1f57f

commit 2ac85939cdee26b89aeb9e500d97d3c798a1f57f
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 05:51:47 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 06:02:31 +0000

    dev-lang/python: Backport secfixes to 3.9.13_p2
    
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/838250
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.9.13_p2.ebuild | 403 ++++++++++++++++++++++++++++++++
 2 files changed, 404 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5d0362c64a98b15d274ae5de7962fc5cb6974af

commit f5d0362c64a98b15d274ae5de7962fc5cb6974af
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 05:46:26 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 06:02:30 +0000

    dev-lang/python: Backport mailcap secfix to 3.10.6_p1
    
    Bug: https://bugs.gentoo.org/838250
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-lang/python/Manifest                |   1 +
 dev-lang/python/python-3.10.6_p1.ebuild | 408 ++++++++++++++++++++++++++++++++
 2 files changed, 409 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2022-08-10 09:31:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53de9a0c1a9392749b46e9b326516023b3dcbcdc

commit 53de9a0c1a9392749b46e9b326516023b3dcbcdc
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2022-08-10 09:28:47 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2022-08-10 09:28:47 +0000

    dev-python/pypy3: Backport secfixes to 7.3.9_p5
    
    Bug: https://bugs.gentoo.org/834533
    Bug: https://bugs.gentoo.org/838250
    Bug: https://bugs.gentoo.org/864747
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pypy3/Manifest              |   1 +
 dev-python/pypy3/pypy3-7.3.9_p5.ebuild | 210 +++++++++++++++++++++++++++++++++
 2 files changed, 211 insertions(+)
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 15:59:35 UTC
Python 2.7 is affected too.
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-08-25 07:43:02 UTC
cleanup done.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-19 01:15:36 UTC
GLSA requested