Bug 2075390 (CVE-2015-20107) - CVE-2015-20107 python: mailcap: findmatch() function does not sanitize the second argument
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-20107
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2076507 2076508 2076509 2076510 2076511 2076512 2076513 2076514 2076515 2076516 2076526 2076530 2076531 2076532 2076533 2077865 2077866 2077867 2077868 2077869 2077871 2077872 2077873 2077874 2077875 2077876 2077877 2084457 2125237
Blocks: 2075391
Reported: 2022-04-14 05:03 UTC by Sandipan Roy
Modified: 2022-12-05 01:32 UTC

Fixed In Version:
Doc Text:
A command injection vulnerability was found in the Python mailcap module. The issue occurs because escape characters are not added to the commands taken from the system mailcap file. This flaw allows attackers to inject shell commands into applications that call the mailcap.findmatch function with untrusted input.
Clone Of:
Environment:
Last Closed: 2022-12-05 01:32:53 UTC


Links
System ID Private Priority Status Summary Last Updated
Github python cpython pull 91542 0 None open gh-68966: Fix CVE-2015-20107 in mailcap 2022-04-20 12:34:21 UTC
Github python cpython pull 91993 0 None Draft gh-68966: Make mailcap refuse to match unsafe filenames/types/params 2022-04-27 16:33:23 UTC
Red Hat Product Errata RHSA-2022:6457 0 None None None 2022-09-13 09:45:21 UTC
Red Hat Product Errata RHSA-2022:6766 0 None None None 2022-10-03 15:20:01 UTC
Red Hat Product Errata RHSA-2022:7581 0 None None None 2022-11-08 09:44:08 UTC
Red Hat Product Errata RHSA-2022:7592 0 None None None 2022-11-08 09:46:36 UTC
Red Hat Product Errata RHSA-2022:7593 0 None None None 2022-11-08 09:46:39 UTC
Red Hat Product Errata RHSA-2022:8353 0 None None None 2022-11-15 11:01:38 UTC

Description Sandipan Roy 2022-04-14 05:03:43 UTC
A command injection vulnerability was found in Python 2.x and 3.x, specifically within the mailcap module. Mailcap core-module is based on the format documented in RFC 1524. The “findmatch()” function does not sanitise the second argument (filename). As a result, the legitimate command (that is used for opening the specified mime type) is concatenated with an arbitrary command, injected by an attacker.

Comment 3 Sandipan Roy 2022-04-19 09:01:05 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 2076508]


Created python2.7 tracking bugs for this issue:

Affects: fedora-all [bug 2076509]


Created python3.10 tracking bugs for this issue:

Affects: fedora-all [bug 2076510]


Created python3.11 tracking bugs for this issue:

Affects: fedora-all [bug 2076511]


Created python3.5 tracking bugs for this issue:

Affects: fedora-all [bug 2076512]


Created python3.6 tracking bugs for this issue:

Affects: fedora-all [bug 2076513]


Created python3.7 tracking bugs for this issue:

Affects: fedora-all [bug 2076514]


Created python3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2076515]


Created python3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2076516]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 2076507]

Comment 4 Sandipan Roy 2022-04-19 09:40:09 UTC
Created pypy3 tracking bugs for this issue:

Affects: fedora-34 [bug 2076526]

Comment 5 Sandipan Roy 2022-04-19 09:46:17 UTC
Created pypy tracking bugs for this issue:

Affects: fedora-all [bug 2076533]


Created pypy3.7 tracking bugs for this issue:

Affects: fedora-all [bug 2076530]


Created pypy3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2076531]


Created pypy3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2076532]

Comment 12 Petr Viktorin 2022-04-27 16:33:23 UTC
Here's a possible solution -- make mailcap fail to match with unsafe filenames: https://github.com/python/cpython/pull/91993
WDYT?
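
The "refuse to match" approach from the comment above, set beside the verbatim `%s` expansion from the description, as an added example that is not part of this bug report and is not CPython's code. The caps table, the allow-list pattern, the function names and both filenames are assumptions constructed for illustration; nothing is executed, the commands are only built and split into words.

```python
import re
import shlex

# Constructed caps table in the shape mailcap.getcaps() returns.
CAPS = {"text/plain": [{"view": "less %s"}]}

# Allow-list picked for this example (an assumption): word characters plus
# a few punctuation marks that have no special meaning to a POSIX shell.
_UNSAFE = re.compile(r"[^\w@+=:,./-]")

BENIGN = "notes-2022.txt"               # constructed sample filename
HOSTILE = "notes.txt; echo INJECTED"    # constructed, harmless marker


def expand(template, mimetype, filename):
    """Simplified model of the unpatched expansion: %s and %t pasted verbatim."""
    table = {"s": filename, "t": mimetype, "%": "%"}
    return re.sub(r"%([st%])", lambda m: table[m.group(1)], template)


def findmatch_refusing(caps, mimetype, key="view", filename="/dev/null"):
    """Return (command, entry), or (None, None) when an input is unsafe."""
    if _UNSAFE.search(mimetype) or _UNSAFE.search(filename):
        return None, None
    for entry in caps.get(mimetype, []):
        if key in entry:
            return expand(entry[key], mimetype, filename), entry
    return None, None


def argv_seen(command):
    """Words a POSIX-style split yields; extra words mean the filename
    has become part of the command line's structure."""
    return shlex.split(command)


if __name__ == "__main__":
    template = CAPS["text/plain"][0]["view"]
    # Verbatim expansion: the filename contributes several words.
    print(argv_seen(expand(template, "text/plain", HOSTILE)))
    # Refusing to match: the caller gets no command at all.
    print(findmatch_refusing(CAPS, "text/plain", filename=HOSTILE))
    print(findmatch_refusing(CAPS, "text/plain", filename=BENIGN))
    # Caller-side alternative: quote the filename before expansion.
    print(argv_seen(expand(template, "text/plain", shlex.quote(HOSTILE))))
```

Quoting on the caller side only holds when the template does not already wrap `%s` in its own quotes; refusing to match does not depend on how the mailcap entry is written.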

Comment 15 errata-xmlrpc 2022-09-13 09:45:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6457 https://access.redhat.com/errata/RHSA-2022:6457

Comment 16 errata-xmlrpc 2022-10-03 15:19:58 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6766 https://access.redhat.com/errata/RHSA-2022:6766

Comment 17 errata-xmlrpc 2022-11-08 09:44:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7581 https://access.redhat.com/errata/RHSA-2022:7581

Comment 18 errata-xmlrpc 2022-11-08 09:46:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7592 https://access.redhat.com/errata/RHSA-2022:7592

Comment 19 errata-xmlrpc 2022-11-08 09:46:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7593 https://access.redhat.com/errata/RHSA-2022:7593

Comment 20 errata-xmlrpc 2022-11-15 11:01:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8353 https://access.redhat.com/errata/RHSA-2022:8353

Comment 21 Product Security DevOps Team 2022-12-05 01:32:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-20107

