CVE Request -- autojump: autojump profile will load random stuff from a directory called custom_install

[Jan Lieskovsky <jlieskov () redhat com>]

Hello Kurt, Steve, vendors,

  a security flaw was found in the way autojump, a tool for faster filesystem
navigation from the command line, used to honour content of custom_install
directory when global and local autojump installations were not found,
and $SHELL variable was unset or set to different value than bash or zsh.
If an unsuspecting autojump user was tricked into running autojump script
from the directory a local attacker has write access to, this flaw could be
used for arbitrary (Python) code execution with the privileges of the user
running the autojump binary / script.

Relevant (final) upstream patches are as follows:
[1] https://github.com/joelthelion/autojump/commit/ad09ee27d402be797b3456abff6edeb4291edfec
[2] https://github.com/joelthelion/autojump/commit/c763b2afadb188ab52849c21d43d2e8fe5b8800a

References:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=950777

Credit: This issue was found and reported to Red Hat Bugzilla [3] by Zbigniew Jędrzejewski-Szmek.
        Thanks also goes to Jan Pokorny for bringing this one to my attention,
        and to William Ting of autojump upstream for promptly fixing the issue.

Could you allocate a CVE identifier for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team