Date: Tue, 15 Dec 2015 11:16:30 +0100
From: Stefan Cornelius <scorneli@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request: Shell Injection in Pygments
 FontManager._get_nix_font_path

On Mon, 14 Dec 2015 16:37:45 -0500 (EST)
cve-assign@...re.org wrote:

> As far as we can tell, the old patch used shlex.quote whereas the new
> patch has a different solution involving subprocess.Popen. If
> python-pygments-2.0.2-3.fc23 had a vulnerability because shlex.quote
> didn't adequately protect against command injection, then there should
> be a second CVE ID for that vulnerability. Otherwise, we'll interpret
> "old patch caused problems" to mean usability problems.

The problem with the initial shlex.quote upstream patch is that it's
only available in certain Python versions (introduced with 3.3?). While
this would provide sufficient protection for Python versions with
shlex.quote, older Python versions would throw an error when trying to
interpret the relevant code section.

The updated Fedora packages use yet another patch, which checks if
shlex.quote is available and uses pipes.quote as a fallback alternative,
so Fedora does not need a new CVE.

Thanks,
- -- 
Stefan Cornelius / Red Hat Product Security
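
The three approaches named in this message (plain interpolation, quote with a pipes.quote fallback, and an argv list without a shell), as an added example that is not part of the original message and is not the Pygments or Fedora patch. Assumptions: printf stands in for the external font tool, the function names are hypothetical, and the sample font names are constructed.

```python
import subprocess

# shlex.quote only exists on Python 3.3+; older interpreters ship the same
# function as pipes.quote, so fall back instead of failing at import time.
try:
    from shlex import quote
except ImportError:
    from pipes import quote

# Assumption: printf stands in for the external font tool. It repeats its
# format once per argument, so the output shows how the shell split the name.
TOOL = "printf '[%s]'"


def _sh(cmd):
    """Run cmd through /bin/sh and return its output as text."""
    return subprocess.check_output(cmd, shell=True).decode()


def lookup_interpolated(name):
    """'Before' form: the name is pasted into the shell string as-is."""
    return _sh(TOOL + " " + name)


def lookup_quoted(name):
    """Quoted form: the shell sees the name as exactly one word."""
    return _sh(TOOL + " " + quote(name))


def lookup_argv(name):
    """No shell at all: the name travels as a single argv element."""
    return subprocess.check_output(["printf", "[%s]", name]).decode()


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    for sample in ("DejaVu Sans", "DejaVu Sans; echo INJECTED", "O'Neil Sans"):
        print(repr(sample))
        print("  quoted:", lookup_quoted(sample))
        print("  argv:  ", lookup_argv(sample))
    print("interpolated:", lookup_interpolated("DejaVu Sans; echo INJECTED"))
```

The interpolated call splits the name on whitespace and runs the text after the semicolon as a second command, while the quoted and argv forms return the name unchanged inside one pair of brackets.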
