oss-sec mailing list archives

CVE request: python-gnupg before 0.3.5 shell injection


From: Hanno Böck <hanno () hboeck de>
Date: Tue, 4 Feb 2014 10:35:46 +0100

Hi,

I was criticised in the past for making CVE requests without enough
information. This is another case where I have a hard time complying with
them.

python-gnupg 0.3.5 lists in the changelog:
"Added improved shell quoting to guard against shell injection."
Source: https://code.google.com/p/python-gnupg/

Sounds like a severe security issue, but further info is lacking.
python-gnupg has no public source code repository, so I can't link to
any commit. I could obviously download the last and current version,
diff them and try to find out. But that's quite a lot of work for a CVE
request.

Despite the lack of info, please assign CVE, as I think it's a severe
issue.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42
