Bug 1276321 (CVE-2015-8557)

Summary: CVE-2015-8557 python-pygments: Shell injection in FontManager._get_nix_font_path
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, carnil, ceph-eng-bugs, chrisw, dallan, gkotton, gmollett, jorton, jschluet, lbalhar, lhh, lpeer, markmc, mmaslano, python-maint, rbryant, rhos-maint, sclewis, smilner, tdecacqu, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-11 05:25:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1276325    
Bug Blocks: 1276324    

Description Adam Mariš 2015-10-29 13:05:07 UTC 
An unsafe use of string concatenation in a shell string occurs in FontManager. If the developer allows the attacker to choose the font and outputs an image, the attacker can execute any shell command on the remote system. The name variable injected comes from the constructor of FontManager, which is invoked by ImageFormatter from options.

Vulnerable code:

def _get_nix_font_path(self, name, style):
    try:
        from commands import getstatusoutput
    except ImportError:
        from subprocess import getstatusoutput
    exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
                                (name, style))
    if not exit:
        lines = out.splitlines()
        if lines:
            path = lines[0].strip().strip(':')
            return path

Upstream patch:

https://bitbucket.org/birkenfeld/pygments-main/commits/0036ab1c99e256298094505e5e92fdacdfc5b0a8
Comment 1 Adam Mariš 2015-10-29 13:09:10 UTC 
Created python-pygments tracking bugs for this issue:

Affects: fedora-all [bug 1276325]
Comment 2 Fedora Update System 2015-11-17 15:52:28 UTC 
python-pygments-2.0.2-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Stefan Cornelius 2015-12-14 13:21:34 UTC 
The old patch caused problems. Here's a better upstream patch:
https://bitbucket.org/birkenfeld/pygments-main/commits/0036ab1c99e256298094505e5e92fdacdfc5b0a8

EDIT: This is only relevant to the upstream patches and is related to the availability of shlex.quote across different Python versions, which could cause an error in older Python versions. The patches used in Fedora are not affected by this problem.
Comment 6 Stefan Cornelius 2015-12-15 10:43:01 UTC 
This is only a problem if you use the image formatters and allow attackers to provide a specially crafted font name. No package shipped with RHEL provides a suitable vector for this attack.