Bug 1276321 - (CVE-2015-8557) CVE-2015-8557 python-pygments: Shell injection in FontManager._get_nix_font_path
CVE-2015-8557 python-pygments: Shell injection in FontManager._get_nix_font_path
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1276325
Blocks: 1276324
  Show dependency treegraph
Reported: 2015-10-29 09:05 EDT by Adam Mariš
Modified: 2016-04-26 19:33 EDT (History)
23 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-01-11 00:25:55 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2015-10-29 09:05:07 EDT
An unsafe use of string concatenation in a shell string occurs in FontManager. If the developer allows the attacker to choose the font and outputs an image, the attacker can execute any shell command on the remote system. The name variable injected comes from the constructor of FontManager, which is invoked by ImageFormatter from options.

Vulnerable code:

def _get_nix_font_path(self, name, style):
        from commands import getstatusoutput
    except ImportError:
        from subprocess import getstatusoutput
    exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
                                (name, style))
    if not exit:
        lines = out.splitlines()
        if lines:
            path = lines[0].strip().strip(':')
            return path

Upstream patch:

Comment 1 Adam Mariš 2015-10-29 09:09:10 EDT
Created python-pygments tracking bugs for this issue:

Affects: fedora-all [bug 1276325]
Comment 2 Fedora Update System 2015-11-17 10:52:28 EST
python-pygments-2.0.2-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Stefan Cornelius 2015-12-14 08:21:34 EST
The old patch caused problems. Here's a better upstream patch:

EDIT: This is only relevant to the upstream patches and is related to the availability of shlex.quote across different Python versions, which could cause an error in older Python versions. The patches used in Fedora are not affected by this problem.
Comment 6 Stefan Cornelius 2015-12-15 05:43:01 EST
This is only a problem if you use the image formatters and allow attackers to provide a specially crafted font name. No package shipped with RHEL provides a suitable vector for this attack.

Note You need to log in before you can comment on or make changes to this bug.