Bug 2075390 (CVE-2015-20107)

Summary: CVE-2015-20107 python: mailcap: findmatch() function does not sanitize the second argument
Product: [Other] Security Response
Reporter: Sandipan Roy <saroy>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: carl, cstratak, hhorak, jorton, manisandro, mhroncok, pviktori, python-maint, python-sig, security-response-team, thrnciar, TicoTimo, torsava, vstinner
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A command injection vulnerability was found in the Python mailcap module. The module does not escape the filename it substitutes into the commands read from the system mailcap file. This flaw allows an attacker to inject shell commands into applications that call the mailcap.findmatch function with untrusted input.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-12-05 01:32:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2076507, 2076508, 2076509, 2076510, 2076511, 2076512, 2076513, 2076514, 2076515, 2076516, 2076526, 2076530, 2076531, 2076532, 2076533, 2077865, 2077866, 2077867, 2077868, 2077869, 2077871, 2077872, 2077873, 2077874, 2077875, 2077876, 2077877, 2084457, 2125237
Bug Blocks: 2075391

Description Sandipan Roy 2022-04-14 05:03:43 UTC
A command injection vulnerability was found in Python 2.x and 3.x, specifically within the mailcap module. The mailcap core module is based on the format documented in RFC 1524. The "findmatch()" function does not sanitise the second argument (filename). As a result, the legitimate command (that is used for opening the specified MIME type) is concatenated with an arbitrary command injected by an attacker.

Comment 3 Sandipan Roy 2022-04-19 09:01:05 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 2076508]


Created python2.7 tracking bugs for this issue:

Affects: fedora-all [bug 2076509]


Created python3.10 tracking bugs for this issue:

Affects: fedora-all [bug 2076510]


Created python3.11 tracking bugs for this issue:

Affects: fedora-all [bug 2076511]


Created python3.5 tracking bugs for this issue:

Affects: fedora-all [bug 2076512]


Created python3.6 tracking bugs for this issue:

Affects: fedora-all [bug 2076513]


Created python3.7 tracking bugs for this issue:

Affects: fedora-all [bug 2076514]


Created python3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2076515]


Created python3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2076516]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 2076507]

Comment 4 Sandipan Roy 2022-04-19 09:40:09 UTC
Created pypy3 tracking bugs for this issue:

Affects: fedora-34 [bug 2076526]

Comment 5 Sandipan Roy 2022-04-19 09:46:17 UTC
Created pypy tracking bugs for this issue:

Affects: fedora-all [bug 2076533]


Created pypy3.7 tracking bugs for this issue:

Affects: fedora-all [bug 2076530]


Created pypy3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2076531]


Created pypy3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2076532]

Comment 12 Petr Viktorin (pviktori) 2022-04-27 16:33:23 UTC
Here's a possible solution -- make mailcap fail to match with unsafe filenames: https://github.com/python/cpython/pull/91993
WDYT?
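
The behaviour described in the bug description and the approach of the linked pull request (refuse to match when the filename is unsafe), modelled as an added example. This code is not from the bug report, from CPython or from the pull request: the character class and the warning name mirror what upstream adopted, but substitute_unchecked(), substitute_checked(), safe_copy_for_viewer() and remove_temp() are simplified stand-ins of my own for mailcap's subst()/findmatch(), and the viewer template and filenames are constructed sample input.

```python
import os
import re
import tempfile
import warnings

# Characters that may be interpolated into a shell command line without
# quoting. Anything outside this class (space, ';', '|', '$', quotes, ...)
# is treated as unsafe. This is the character class the upstream fix uses.
_FIND_UNSAFE = re.compile(r'[^\xa1-\U0010FFFF\w@+=:,./-]').search


class UnsafeMailcapInput(Warning):
    """Warning category used when a filename is refused (name as upstream)."""


def is_safe_for_shell(value: str) -> bool:
    """True if *value* contains no shell-significant characters."""
    return _FIND_UNSAFE(value) is None


def substitute_unchecked(template: str, filename: str) -> str:
    """Pre-fix behaviour (simplified model of RFC 1524 '%s' substitution):
    the filename is spliced into the command verbatim, so a filename that
    carries shell metacharacters changes what the shell will run."""
    return template.replace("%s", filename)


def substitute_checked(template: str, filename: str):
    """Post-fix behaviour: refuse to build a command for an unsafe filename.
    Returns None, mirroring findmatch() returning (None, None) upstream."""
    if not is_safe_for_shell(filename):
        warnings.warn(
            f"Refusing to use mailcap with filename {filename!r}. "
            "Use a safe temporary filename.",
            UnsafeMailcapInput,
        )
        return None
    return template.replace("%s", filename)


def safe_copy_for_viewer(data: bytes, suffix: str = "") -> str:
    """Defensive caller pattern: never hand a caller-supplied name to
    findmatch(). Write the content to a temporary file whose path the
    application controls and pass that path instead. The suffix is
    validated so a caller cannot smuggle metacharacters through it."""
    if not is_safe_for_shell(suffix):
        raise ValueError(f"unsafe suffix {suffix!r}")
    fd, path = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def remove_temp(path: str) -> None:
    """Clean up a file created by safe_copy_for_viewer()."""
    os.remove(path)


if __name__ == "__main__":
    # Constructed mailcap entry: a viewer command with a '%s' placeholder.
    viewer = "less %s"
    # Constructed attacker-controlled filename.
    untrusted = "report.txt; echo injected"
    print("unchecked:", substitute_unchecked(viewer, untrusted))
    print("checked:  ", substitute_checked(viewer, untrusted))
    path = safe_copy_for_viewer(b"hello\n", ".txt")
    print("safe path:", substitute_checked(viewer, path))
    remove_temp(path)
```

The unchecked variant shows why the filename argument matters: the template is run by a shell, so the filename's metacharacters become part of the command. The checked variant is the shape of the upstream fix, which rejects rather than quotes, because a mailcap entry may already quote its %s and double quoting would break it. On Python 3.11 and later the real findmatch() behaves like substitute_checked() (warning of category mailcap.UnsafeMailcapInput and returning (None, None)); the module itself is deprecated there and removed in 3.13, so callers on those versions should plan a migration as well as the temporary-file pattern shown.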

Comment 15 errata-xmlrpc 2022-09-13 09:45:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6457 https://access.redhat.com/errata/RHSA-2022:6457

Comment 16 errata-xmlrpc 2022-10-03 15:19:58 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6766 https://access.redhat.com/errata/RHSA-2022:6766

Comment 17 errata-xmlrpc 2022-11-08 09:44:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7581 https://access.redhat.com/errata/RHSA-2022:7581

Comment 18 errata-xmlrpc 2022-11-08 09:46:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7592 https://access.redhat.com/errata/RHSA-2022:7592

Comment 19 errata-xmlrpc 2022-11-08 09:46:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7593 https://access.redhat.com/errata/RHSA-2022:7593

Comment 20 errata-xmlrpc 2022-11-15 11:01:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8353 https://access.redhat.com/errata/RHSA-2022:8353

Comment 21 Product Security DevOps Team 2022-12-05 01:32:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-20107