Re: CVE request: Shell Injection in Pygments FontManager._get_nix_font_path

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> http://seclists.org/fulldisclosure/2015/Oct/4
> https://bugzilla.redhat.com/show_bug.cgi?id=1276321

Use CVE-2015-8557.


> https://bugzilla.redhat.com/show_bug.cgi?id=1276321#c2
> python-pygments-2.0.2-3.fc23 has been pushed to the Fedora 23 stable repository
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1276321#c5
> The old patch caused problems. Here's a better upstream patch

As far as we can tell, the old patch used shlex.quote whereas the new
patch has a different solution involving subprocess.Popen. If
python-pygments-2.0.2-3.fc23 had a vulnerability because shlex.quote
didn't adequately protect against command injection, then there should
be a second CVE ID for that vulnerability. Otherwise, we'll interpret
"old patch caused problems" to mean usability problems.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIbBAEBCAAGBQJWbzOhAAoJEL54rhJi8gl5AH4P93kGsVRmy5xreW4IaM1cI09g
3WYA0b2JIDcrJXsNPT1KE4MFON5BKResTBbv+PKde0WRqHKgDUf4q5WexcaPFCjs
WgMo0mIj1Ab0P6j1xGeu6WNzmAMFdE1e0+9rupmDd0V1Aq1PnvYTVIxmKugvaV00
hK5tnY0jkYIyO7GfGTY3PGBmE8juFVA60aEsAozRGlETYHS3XqE3bMBzvHlarZ8o
7ZRWV8VEoh+j3mxTV6ib7WLTZhT4Rzf+phwQSaEDrnGAJYy7RLh1VHZzsgdBdCyZ
cBYBcV0hPfXg3sC81zxYUPTB8L3Z701nnAJ0kV3tzUQiHjFEgI4P8kNVslOy+jrX
IuXFMlh4Vba1mmkMfGjf633MP0HVhqmIyBgngyV50dL8Kc4lSAnKB1Ict8ruwDI+
bz9F/MEez5y1HTC1wniR3IwbxuMaobCjYfF7NhJe0gXcC7V+DpwMOUFTwIvIFeFc
lrt4MyRCvh9DUzp70Kz++WGIEs59h4P9MpX/AzL2J/85UPJOPLvRVm+GSh1zIL13
YNJRCpN0Q/SdBa5US2pPDccVcHpxKFXqu/ETS518yJDKpElXqKkmvXgy6P0yege9
slhUQg1Ol6k4axkeo/BlO6z1CqHuT4EM1mzPM4ujINZXX2bKBRMxaZVyL1xVnL89
XVfC0et5dVwCnahrD48=
=sPew
-----END PGP SIGNATURE-----