A command injection vulnerability was found in the shutil module (make_archive function) of Python that can result in Denial of Service or Information leak.
Upstream issue: https://bugs.python.org/issue34540
Upstream patch: https://github.com/python/cpython/pull/8985/commits/add531a1e55b0a739b0f42582f1c9747e5649ace
Created python26 tracking bugs for this issue: Affects: fedora-all [bug 1631421]
While python26 is not impacted, python2 actually is. Here's a PR: https://src.fedoraproject.org/rpms/python2/pull-request/26
Created python2 tracking bugs for this issue: Affects: fedora-all [bug 1631662]
Hi Miro, Why are you saying that python2 is affected on Fedora? I'm asking because I wasn't able to reproduce this flaw on Linux and I believe it can be triggered on Windows only. Do you have more information on this?
Oh. I only meant that the code is in 2.7; I haven't checked that the flaw is actually usable or that Python 2.7 on Linux is vulnerable.
This doesn't seem to be exploitable when os.name != 'nt' (Windows). The main problem is that quoting is done in distutils.py/spawn.py:_nt_quote_args and it just wraps arguments in `"`, without escaping any already existing `"`. Moreover, os.spawn on Windows uses CreateProcess underneath, which transforms the list of arguments into a single string, thus creating this flaw there. On Linux, execv family functions are used and each argument is interpreted as a single filename, preventing this flaw.
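The quoting problem described in the comment above, as an added example that is not part of the thread or of CPython: it checks whether an argument list survives being flattened into one Windows command-line string. `naive_cmdline`, `split_windows_cmdline`, `round_trips` and the sample values are hypothetical names and constructed data, and the splitter is a simplified model of the Microsoft C runtime parsing rules, so it runs on any platform.

```python
import subprocess

SAMPLE = ['archiver', 'report" extra']  # constructed: one argument with a space and a quote

def naive_cmdline(args):
    """Hypothetical model of the quoting described above: wrap, escape nothing."""
    return ' '.join('"%s"' % a if ' ' in a else a for a in args)

def split_windows_cmdline(cmdline):
    """Simplified MSVC argv rules (the "" inside-quotes case is not handled)."""
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == '\\':
            j = i
            while j < n and cmdline[j] == '\\':
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                # 2n backslashes + quote toggles quoting; 2n+1 gives a literal quote.
                cur.append('\\' * (count // 2))
                if count % 2:
                    cur.append('"')
                else:
                    in_quotes = not in_quotes
                j += 1
            else:
                cur.append('\\' * count)
            i, have_arg = j, True
        elif c == '"':
            in_quotes, have_arg, i = not in_quotes, True, i + 1
        elif c in ' \t' and not in_quotes:
            if have_arg:
                args.append(''.join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            i, have_arg = i + 1, True
    if have_arg:
        args.append(''.join(cur))
    return args

def round_trips(build_cmdline, args):
    """True when the child would receive exactly the arguments the caller passed."""
    return split_windows_cmdline(build_cmdline(args)) == list(args)

if __name__ == '__main__':
    print([(b.__name__, round_trips(b, SAMPLE)) for b in (naive_cmdline, subprocess.list2cmdline)])
```

With wrap-only quoting the two-element list is received as three arguments, while `subprocess.list2cmdline`, which escapes embedded quotes and trailing backslashes, round-trips it unchanged.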
Statement: This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 5, 6 and 7 as Linux does not use the vulnerable code.