Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 14 Dec 2015 16:37:45 -0500 (EST)
From: cve-assign@...re.org
To: scorneli@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Shell Injection in Pygments FontManager._get_nix_font_path

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> http://seclists.org/fulldisclosure/2015/Oct/4
> https://bugzilla.redhat.com/show_bug.cgi?id=1276321

Use CVE-2015-8557.


> https://bugzilla.redhat.com/show_bug.cgi?id=1276321#c2
> python-pygments-2.0.2-3.fc23 has been pushed to the Fedora 23 stable repository
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1276321#c5
> The old patch caused problems. Here's a better upstream patch

As far as we can tell, the old patch used shlex.quote whereas the new
patch has a different solution involving subprocess.Popen. If
python-pygments-2.0.2-3.fc23 had a vulnerability because shlex.quote
didn't adequately protect against command injection, then there should
be a second CVE ID for that vulnerability. Otherwise, we'll interpret
"old patch caused problems" to mean usability problems.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIbBAEBCAAGBQJWbzOhAAoJEL54rhJi8gl5AH4P93kGsVRmy5xreW4IaM1cI09g
3WYA0b2JIDcrJXsNPT1KE4MFON5BKResTBbv+PKde0WRqHKgDUf4q5WexcaPFCjs
WgMo0mIj1Ab0P6j1xGeu6WNzmAMFdE1e0+9rupmDd0V1Aq1PnvYTVIxmKugvaV00
hK5tnY0jkYIyO7GfGTY3PGBmE8juFVA60aEsAozRGlETYHS3XqE3bMBzvHlarZ8o
7ZRWV8VEoh+j3mxTV6ib7WLTZhT4Rzf+phwQSaEDrnGAJYy7RLh1VHZzsgdBdCyZ
cBYBcV0hPfXg3sC81zxYUPTB8L3Z701nnAJ0kV3tzUQiHjFEgI4P8kNVslOy+jrX
IuXFMlh4Vba1mmkMfGjf633MP0HVhqmIyBgngyV50dL8Kc4lSAnKB1Ict8ruwDI+
bz9F/MEez5y1HTC1wniR3IwbxuMaobCjYfF7NhJe0gXcC7V+DpwMOUFTwIvIFeFc
lrt4MyRCvh9DUzp70Kz++WGIEs59h4P9MpX/AzL2J/85UPJOPLvRVm+GSh1zIL13
YNJRCpN0Q/SdBa5US2pPDccVcHpxKFXqu/ETS518yJDKpElXqKkmvXgy6P0yege9
slhUQg1Ol6k4axkeo/BlO6z1CqHuT4EM1mzPM4ujINZXX2bKBRMxaZVyL1xVnL89
XVfC0et5dVwCnahrD48=
=sPew
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.