Date: Tue, 15 Dec 2015 11:16:30 +0100 From: Stefan Cornelius <scorneli@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: Re: CVE request: Shell Injection in Pygments FontManager._get_nix_font_path -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Mon, 14 Dec 2015 16:37:45 -0500 (EST) cve-assign@...re.org wrote: > As far as we can tell, the old patch used shlex.quote whereas the new > patch has a different solution involving subprocess.Popen. If > python-pygments-2.0.2-3.fc23 had a vulnerability because shlex.quote > didn't adequately protect against command injection, then there should > be a second CVE ID for that vulnerability. Otherwise, we'll interpret > "old patch caused problems" to mean usability problems. The problem with the initial shlex.quote upstream patch is that it's only available in certain Python versions (introduced with 3.3?). While this would provide sufficient protection for Python versions with shlex.quote, older Python versions would throw an error when trying to interpret the relevant code section. The updated Fedora packages use yet another patch, which checks if shlex.quote is available and uses pipes.quote as fallback alternative, so Fedora does not need a new CVE. Thanks, - -- Stefan Cornelius / Red Hat Product Security -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJWb+h+AAoJEETwiYCjVSmPpcUH/1s000Nse+CrniN7RnFW4H1R 0/FvG9aP9PmW65rC9ofFJGUDluN2YNvA6L5QHIhXFwd378Vy6u+SVGj7JB62EwCb 2B4pb/hjM+FnbEUoLCvpjrXdyqO8o1ddpegOWVMGoIPjcOg6yvtYdWdNSUJkQ468 rtkxb7dWZ9naQx3qAa6qZ3N2ZComgkaO7Id+kuYEyAzNXs618AhglmfMZRBrGHQ+ oBEHSihGTDBEzej7OqFTP4I7h5X9KwdiyxjKHkp+np0hJUEOPREVKI7ZGBnoF2X0 da2DJ/F7cGlQpqjLvnSM/s08GLJsOaGGMP+bwrGUb3aTQTpuNiV74U5grB91RGw= =jq01 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.