oss-sec mailing list archives
Re: Re: CVE request: Shell Injection in Pygments FontManager._get_nix_font_path
From: Stefan Cornelius <scorneli () redhat com>
Date: Tue, 15 Dec 2015 11:16:30 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Mon, 14 Dec 2015 16:37:45 -0500 (EST) cve-assign () mitre org wrote:
As far as we can tell, the old patch used shlex.quote whereas the new patch has a different solution involving subprocess.Popen. If python-pygments-2.0.2-3.fc23 had a vulnerability because shlex.quote didn't adequately protect against command injection, then there should be a second CVE ID for that vulnerability. Otherwise, we'll interpret "old patch caused problems" to mean usability problems.
The problem with the initial shlex.quote upstream patch is that it's only available in certain Python versions (introduced with 3.3?). While this would provide sufficient protection for Python versions with shlex.quote, older Python versions would throw an error when trying to interpret the relevant code section. The updated Fedora packages use yet another patch, which checks if shlex.quote is available and uses pipes.quote as fallback alternative, so Fedora does not need a new CVE. Thanks, - -- Stefan Cornelius / Red Hat Product Security -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJWb+h+AAoJEETwiYCjVSmPpcUH/1s000Nse+CrniN7RnFW4H1R 0/FvG9aP9PmW65rC9ofFJGUDluN2YNvA6L5QHIhXFwd378Vy6u+SVGj7JB62EwCb 2B4pb/hjM+FnbEUoLCvpjrXdyqO8o1ddpegOWVMGoIPjcOg6yvtYdWdNSUJkQ468 rtkxb7dWZ9naQx3qAa6qZ3N2ZComgkaO7Id+kuYEyAzNXs618AhglmfMZRBrGHQ+ oBEHSihGTDBEzej7OqFTP4I7h5X9KwdiyxjKHkp+np0hJUEOPREVKI7ZGBnoF2X0 da2DJ/F7cGlQpqjLvnSM/s08GLJsOaGGMP+bwrGUb3aTQTpuNiV74U5grB91RGw= =jq01 -----END PGP SIGNATURE-----
Current thread:
- CVE request: Shell Injection in Pygments FontManager._get_nix_font_path Stefan Cornelius (Dec 14)
- Re: CVE request: Shell Injection in Pygments FontManager._get_nix_font_path cve-assign (Dec 14)
- Re: Re: CVE request: Shell Injection in Pygments FontManager._get_nix_font_path Stefan Cornelius (Dec 15)
- Re: CVE request: Shell Injection in Pygments FontManager._get_nix_font_path cve-assign (Dec 14)