Re: Re: CVE request: Shell Injection in Pygments FontManager._get_nix_font_path

[Stefan Cornelius <scorneli () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Mon, 14 Dec 2015 16:37:45 -0500 (EST)
cve-assign () mitre org wrote:

> As far as we can tell, the old patch used shlex.quote whereas the new
> patch has a different solution involving subprocess.Popen. If
> python-pygments-2.0.2-3.fc23 had a vulnerability because shlex.quote
> didn't adequately protect against command injection, then there should
> be a second CVE ID for that vulnerability. Otherwise, we'll interpret
> "old patch caused problems" to mean usability problems.

The problem with the initial shlex.quote upstream patch is that it's
only available in certain Python versions (introduced with 3.3?). While
this would provide sufficient protection for Python versions with
shlex.quote, older Python versions would throw an error when trying to
interpret the relevant code section.

The updated Fedora packages use yet another patch, which checks if
shlex.quote is available and uses pipes.quote as fallback alternative,
so Fedora does not need a new CVE.

Thanks,
- -- 
Stefan Cornelius / Red Hat Product Security
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWb+h+AAoJEETwiYCjVSmPpcUH/1s000Nse+CrniN7RnFW4H1R
0/FvG9aP9PmW65rC9ofFJGUDluN2YNvA6L5QHIhXFwd378Vy6u+SVGj7JB62EwCb
2B4pb/hjM+FnbEUoLCvpjrXdyqO8o1ddpegOWVMGoIPjcOg6yvtYdWdNSUJkQ468
rtkxb7dWZ9naQx3qAa6qZ3N2ZComgkaO7Id+kuYEyAzNXs618AhglmfMZRBrGHQ+
oBEHSihGTDBEzej7OqFTP4I7h5X9KwdiyxjKHkp+np0hJUEOPREVKI7ZGBnoF2X0
da2DJ/F7cGlQpqjLvnSM/s08GLJsOaGGMP+bwrGUb3aTQTpuNiV74U5grB91RGw=
=jq01
-----END PGP SIGNATURE-----