[CVE-2015-20107] mailcap.findmatch: document shell command Injection danger in filename parameter

[3077c527-db90-456b-9bc4-abba055100b5]

BPO	24778
Nosy	@vstinner, @bitdancer
Files	screenshot.png The Quote Problem.py mailcap patch.zip: mailcap.py patches and diffs for python2.7 and python 3.5

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields: ```python assignee = None closed_at = None created_at = labels = ['type-security', '3.11', 'library', 'docs'] title = 'mailcap.findmatch: document shell command Injection danger in filename parameter' updated_at = user = 'https://bugs.python.org/TheRegRunner' ``` bugs.python.org fields: ```python activity = actor = 'vstinner' assignee = 'docs@python' closed = False closed_date = None closer = None components = ['Documentation', 'Library (Lib)'] creation = creator = 'TheRegRunner' dependencies = [] files = ['40099', '40116', '40897'] hgrepos = [] issue_num = 24778 keywords = [] message_count = 14.0 messages = ['247857', '247861', '247944', '247946', '247951', '247979', '247992', '248058', '248061', '248062', '248070', '248074', '253689', '416878'] nosy_count = 4.0 nosy_names = ['vstinner', 'r.david.murray', 'docs@python', 'TheRegRunner'] pr_nums = [] priority = 'normal' resolution = None stage = None status = 'open' superseder = None type = 'security' url = 'https://bugs.python.org/issue24778' versions = ['Python 3.11'] ```

Linked PRs

• gh-105298
• gh-105299
• gh-105300

[ambv]

No idea what Anaconda does, you need to ask them. As for CPython, our process is that a fix lands in main first and then gets progressively backported. In the case of the fix in question, 3.9 and older backports happened after the previous round of releases was cut.

Per PEP 619 the next 3.10 bugfix release is scheduled for December 5th and the other release managers synchronized their calendars to release 3.7 - 3.12 on that day.

[ambv]

And by the way, on this issue you see the PRs for the backports mentioned with their respective branch in links like these:

[vstinner]

@ambv can you list the versions in which this is fixed for 3.7, 3.8, 3.9? The doc by @vstinner still is missing this info.

https://python-security.readthedocs.io/vuln/mailcap-shell-injection.html seems to be up to date, no?

Fixed In

• Python 3.10.8 (2022-10-11) fixed by commit 96739bc (branch 3.10) (2022-09-20)
• Python 3.11.0 (2022-10-24) fixed by commit fae93ab (branch 3.11) (2022-06-03)

Vulnerable Versions

• Python 3.7 (need release)
• Python 3.8 (need release)
• Python 3.9 (need release)

@ambv announced the next batch of releases. In general, I look at release PEPs in https://devguide.python.org/versions/ for estimated release dates.

[katrielkap]

Hey, can you update the Known Affected Software Configurations (CPE) in the CVE to the correct one as mentioned below and also mention the older unfixed versions in the CPE as well ?

Fixed In Python 3.10.8 (2022-10-11) fixed by commit 96739bc (branch 3.10) (2022-09-20) Python 3.11.0 (2022-10-24) fixed by commit fae93ab (branch 3.11) (2022-06-03)

Also @vstinner , It seems like https://python-security.readthedocs.io/vuln/mailcap-shell-injection.html is not up-to-date - "In Python (aka CPython) through 3.10.4".

[vstinner]

Also @vstinner , It seems like https://python-security.readthedocs.io/vuln/mailcap-shell-injection.html is not up-to-date - "In Python (aka CPython) through 3.10.4".

My tool just copies what the CVE says.