Bug 2075390 (CVE-2015-20107) - CVE-2015-20107 python: mailcap: findmatch() function does not sanitize the second argument
Summary: CVE-2015-20107 python: mailcap: findmatch() function does not sanitize the se...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-20107
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2076507 2076508 2076509 2076510 2076511 2076512 2076513 2076514 2076515 2076516 2076526 2076530 2076531 2076532 2076533 2077865 2077866 2077867 2077868 2077869 2077871 2077872 2077873 2077874 2077875 2077876 2077877 2084457 2125237
Blocks: 2075391
TreeView+ depends on / blocked
 
Reported: 2022-04-14 05:03 UTC by Sandipan Roy
Modified: 2024-03-05 18:46 UTC (History)
14 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2022-12-05 01:32:53 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github python cpython pull 91542 0 None open gh-68966: Fix CVE-2015-20107 in mailcap 2022-04-20 12:34:21 UTC
Github python cpython pull 91993 0 None Draft gh-68966: Make mailcap refuse to match unsafe filenames/types/params 2022-04-27 16:33:23 UTC
Red Hat Product Errata RHSA-2022:6457 0 None None None 2022-09-13 09:45:21 UTC
Red Hat Product Errata RHSA-2022:6766 0 None None None 2022-10-03 15:20:01 UTC
Red Hat Product Errata RHSA-2022:7581 0 None None None 2022-11-08 09:44:08 UTC
Red Hat Product Errata RHSA-2022:7592 0 None None None 2022-11-08 09:46:36 UTC
Red Hat Product Errata RHSA-2022:7593 0 None None None 2022-11-08 09:46:39 UTC
Red Hat Product Errata RHSA-2022:8353 0 None None None 2022-11-15 11:01:38 UTC

Description Sandipan Roy 2022-04-14 05:03:43 UTC 
A command injection vulnerability was found in Python 2.x and 3.x, specifically within the mailcap module. Mailcap core-module is based on the format documented in RFC 1524. The “findmatch()” function does not sanitise the second argument (filename). As a result, the legitimate command (that is used for opening the specified mime type) is concatenated with an arbitrary command, injected by an attacker.
Comment 1 Sandipan Roy 2022-04-18 04:58:25 UTC 
Ref:
https://github.com/python/cpython/issues/68966
https://bugs.python.org/issue24778
Comment 2 Victor Stinner 2022-04-19 08:34:56 UTC 
Public announcement: https://mail.python.org/archives/list/security-announce@python.org/thread/QDSXNCW77UGULFG2JMDFZQ7H4DIR32LA/
Comment 3 Sandipan Roy 2022-04-19 09:01:05 UTC 
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 2076508]


Created python2.7 tracking bugs for this issue:

Affects: fedora-all [bug 2076509]


Created python3.10 tracking bugs for this issue:

Affects: fedora-all [bug 2076510]


Created python3.11 tracking bugs for this issue:

Affects: fedora-all [bug 2076511]


Created python3.5 tracking bugs for this issue:

Affects: fedora-all [bug 2076512]


Created python3.6 tracking bugs for this issue:

Affects: fedora-all [bug 2076513]


Created python3.7 tracking bugs for this issue:

Affects: fedora-all [bug 2076514]


Created python3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2076515]


Created python3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2076516]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 2076507]
Comment 4 Sandipan Roy 2022-04-19 09:40:09 UTC 
Created pypy3 tracking bugs for this issue:

Affects: fedora-34 [bug 2076526]
Comment 5 Sandipan Roy 2022-04-19 09:46:17 UTC 
Created pypy tracking bugs for this issue:

Affects: fedora-all [bug 2076533]


Created pypy3.7 tracking bugs for this issue:

Affects: fedora-all [bug 2076530]


Created pypy3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2076531]


Created pypy3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2076532]
Comment 12 Petr Viktorin (pviktori) 2022-04-27 16:33:23 UTC 
Here's a possible solution -- make mailcap fail to match with unsafe filenames: https://github.com/python/cpython/pull/91993
WDYT?
Comment 15 errata-xmlrpc 2022-09-13 09:45:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6457 https://access.redhat.com/errata/RHSA-2022:6457
Comment 16 errata-xmlrpc 2022-10-03 15:19:58 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6766 https://access.redhat.com/errata/RHSA-2022:6766
Comment 17 errata-xmlrpc 2022-11-08 09:44:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7581 https://access.redhat.com/errata/RHSA-2022:7581
Comment 18 errata-xmlrpc 2022-11-08 09:46:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7592 https://access.redhat.com/errata/RHSA-2022:7592
Comment 19 errata-xmlrpc 2022-11-08 09:46:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7593 https://access.redhat.com/errata/RHSA-2022:7593
Comment 20 errata-xmlrpc 2022-11-15 11:01:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8353 https://access.redhat.com/errata/RHSA-2022:8353
Comment 21 Product Security DevOps Team 2022-12-05 01:32:50 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-20107
Note You need to log in before you can comment on or make changes to this bug.