oss-sec mailing list archives
Re: CVE request: Shell Injection in Pygments FontManager._get_nix_font_path
From: cve-assign () mitre org
Date: Mon, 14 Dec 2015 16:37:45 -0500 (EST)
> http://seclists.org/fulldisclosure/2015/Oct/4
> https://bugzilla.redhat.com/show_bug.cgi?id=1276321
Use CVE-2015-8557.
> https://bugzilla.redhat.com/show_bug.cgi?id=1276321#c2
> python-pygments-2.0.2-3.fc23 has been pushed to the Fedora 23 stable repository

> https://bugzilla.redhat.com/show_bug.cgi?id=1276321#c5
> The old patch caused problems. Here's a better upstream patch
As far as we can tell, the old patch used shlex.quote whereas the new patch has a different solution involving subprocess.Popen. If python-pygments-2.0.2-3.fc23 had a vulnerability because shlex.quote didn't adequately protect against command injection, then there should be a second CVE ID for that vulnerability. Otherwise, we'll interpret "old patch caused problems" to mean usability problems.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
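An added illustration, not code from the Pygments project or from this thread, of the two fix strategies the reply compares: a shell command string protected with shlex.quote, versus an argv list handed to subprocess.Popen with no shell involved. The fc-list pattern format and the font-name values are simplified assumptions; the check swaps in a Python one-liner for fc-list so it runs without fontconfig installed.

```python
import shlex
import subprocess
import sys


def fc_list_pattern(name, style):
    """Assumed, simplified shape of an fc-list pattern; not Pygments' code."""
    return '%s:style=%s' % (name, style)


def quoted_shell_command(name, style):
    """Strategy 1: a shell command string, with the user-influenced pattern
    escaped by shlex.quote (Python 3.3+) before the shell ever parses it.
    Safety here depends entirely on the quoting being correct."""
    return 'fc-list %s file' % shlex.quote(fc_list_pattern(name, style))


def fc_list_argv(name, style):
    """Strategy 2: an argv list for subprocess.Popen (shell=False, the default).
    The pattern is a single argv element; no shell parses it, so no quoting is
    needed and shell metacharacters carry no special meaning."""
    return ['fc-list', fc_list_pattern(name, style), 'file']


def run_argv(argv):
    """Run argv without a shell and return its stdout as text."""
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    out, _ = proc.communicate()
    return out.decode('utf-8', 'replace')


def observed_argument(name, style):
    """Replace fc-list with a one-liner that echoes the single argument it
    received; the result should equal the pattern byte for byte, showing the
    argv form delivers metacharacters literally."""
    argv = fc_list_argv(name, style)
    probe = [sys.executable, '-c',
             'import sys; sys.stdout.write(sys.argv[1])', argv[1]]
    return run_argv(probe)


if __name__ == '__main__':
    # Constructed font name carrying shell metacharacters (no real command).
    name, style = 'Fake Font & `x` $(y)', 'Bold'
    print(quoted_shell_command(name, style))
    print(observed_argument(name, style))
```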
Current thread:
- CVE request: Shell Injection in Pygments FontManager._get_nix_font_path Stefan Cornelius (Dec 14)
- Re: CVE request: Shell Injection in Pygments FontManager._get_nix_font_path cve-assign (Dec 14)
- Re: Re: CVE request: Shell Injection in Pygments FontManager._get_nix_font_path Stefan Cornelius (Dec 15)
- Re: CVE request: Shell Injection in Pygments FontManager._get_nix_font_path cve-assign (Dec 14)