A command injection vulnerability was found in the shutil module (make_archive function) of Python that can result in Denial of Service or Information leak.
Created python26 tracking bugs for this issue:
Affects: fedora-all [bug 1631421]
While python26 is not impacted, python2 actually is.
Here's a PR: https://src.fedoraproject.org/rpms/python2/pull-request/26
Created python2 tracking bugs for this issue:
Affects: fedora-all [bug 1631662]
Why are you saying that python2 is affected on Fedora?
I'm asking because I wasn't able to reproduce this flaw on Linux and I believe it can be triggered on Windows only. Do you have more information on this?
Oh. I only meant that the code is in 2.7; I haven't checked that the flaw is actually usable or that Python 2.7 on Linux is vulnerable.
This doesn't seem to be exploitable when os.name != 'nt' (Windows). The main problem is that quoting is done in distutils.py/spawn.py:_nt_quote_args and it just wraps arguments in `"`, without escaping pre-existing `"`. Moreover, os.spawn on Windows uses CreateProcess underneath, which transforms the list of arguments into a single string, thus creating this flaw there. On Linux, execv-family functions are used and each argument is interpreted as a single filename, preventing this flaw.
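The quoting gap described in the comment above, as an added example that is not part of the original thread and is not the distutils source. `naive_quote` is a hypothetical re-creation of wrap-without-escape quoting, `split_windows_cmdline` is a simplified model of how the Microsoft C runtime splits the single CreateProcess string, and the `tool` argument list is constructed; `subprocess.list2cmdline` is the standard library's escaping counterpart.

```python
import subprocess

def naive_quote(args):
    # Wrap in " when a space is present, but never escape an embedded ".
    return " ".join('"%s"' % a if " " in a else a for a in args)

def split_windows_cmdline(cmdline):
    # Simplified MS C runtime rules: whitespace separates arguments, " toggles
    # quoting, 2n backslashes + " -> n backslashes, 2n+1 -> n and a literal ".
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            count = n - i - len(cmdline[i:].lstrip("\\"))
            j = i + count
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:
                    cur.append('"')            # escaped, stays in the argument
                else:
                    in_quotes = not in_quotes  # unescaped, opens/closes quoting
                i = j + 1
            else:
                cur.append("\\" * count)       # backslashes not before " are literal
                i = j
            have_arg = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
            have_arg = True
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(ch)
            have_arg = True
        i += 1
    if have_arg:
        args.append("".join(cur))
    return args

# Constructed sample: the last element stands for an archive name taken from input.
ARGV = ["tool", "-o", 'backup" --extra "x']

def roundtrip(quote):
    # Quote the list into one string, then split it the way the child would.
    return split_windows_cmdline(quote(ARGV))

if __name__ == "__main__":
    print(roundtrip(naive_quote), roundtrip(subprocess.list2cmdline))
```

With the naive quoting the child sees five arguments instead of three; with escaping the list survives unchanged, which is also what an execv-style call guarantees by passing the array directly.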
This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 5, 6 and 7 as Linux does not use the vulnerable code.