In CPython through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
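The check a caller of `mailcap.findmatch` wants is the one the advisory implies: a filename (or any other value) must not reach a shell command line unless it is free of shell metacharacters. The following is an added example, not code from CPython or from the AOSC OS packaging; it mirrors the unescaped `%s` substitution described above in a small stand-alone function, sets a hardened version beside it that refuses unsafe input (the same refuse-rather-than-escape approach the upstream fix takes), and uses a constructed allowlist regex and a constructed mailcap `view` template rather than reading the system mailcap file.

```python
import re
import warnings

# Allowlist for text that may be substituted into a mailcap command line.
# Constructed for this example: word characters plus a few punctuation
# characters that carry no meaning to a POSIX shell. Anything else
# (space, ;, |, &, $, `, quotes, parentheses, ...) is refused.
_SAFE_TEXT = re.compile(r'^[\w@+=:,./-]+$')


class UnsafeMailcapInput(Warning):
    """Issued when a value is refused because it could alter the shell command."""


def is_safe_for_shell(text: str) -> bool:
    """True if every character of text is on the allowlist (empty text is unsafe)."""
    return bool(_SAFE_TEXT.match(text))


def vulnerable_build(template: str, filename: str) -> str:
    """Unescaped '%s' substitution as described in the advisory (the weak pattern).

    Whatever the filename contains is pasted verbatim into the command string,
    so a filename holding shell metacharacters changes what the shell will run.
    """
    return template.replace('%s', filename)


def hardened_build(template: str, filename: str):
    """Substitute only after validating the filename; return None when refused.

    Callers on a Python version without the upstream fix can apply the same
    validation before calling mailcap.findmatch, or copy the file to a
    temporary path with a known-safe name and pass that instead.
    """
    if not is_safe_for_shell(filename):
        warnings.warn(
            f"refusing to substitute unsafe filename {filename!r} into {template!r}",
            UnsafeMailcapInput,
        )
        return None
    return template.replace('%s', filename)


def demo():
    """Run both builders over a benign and a metacharacter-bearing filename."""
    template = 'cat %s'  # constructed mailcap 'view' entry for text/plain
    benign = 'report.txt'
    tainted = 'report.txt; echo injected'  # constructed example of attacker-controlled input
    return {
        'benign': hardened_build(template, benign),
        'vulnerable_tainted': vulnerable_build(template, tainted),
        'hardened_tainted': hardened_build(template, tainted),
    }


if __name__ == '__main__':
    for name, command in demo().items():
        print(f'{name}: {command!r}')
```

The hardened builder returns `None` rather than attempting to escape the value, because a mailcap entry is handed to the shell as a whole string and the template author may already have placed `%s` inside quotes; validating the input against an allowlist is robust regardless of how the template quotes it.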
CVE IDs
CVE-2015-20107
Other security advisory IDs
https://bugs.python.org/issue24778
Description
The aforementioned problem also affects the legacy Python 2. As Python 2 is not entirely retired in AOSC OS, a backport of the patch is recommended.
See also #4305
Patches
See https://github.com/AOSC-Dev/aosc-os-abbs/pull/4290/commits/f788a9c9517e20949a8a6d3eca3b7f433b476001
PoC(s)
N/A