On Mon, Jun 20, 2022 at 04:59:39PM +0200, Moritz Mühlenhoff wrote:
> Source: cookiecutter
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for cookiecutter.
>
> CVE-2022-24065[0]:
> | The package cookiecutter before 2.1.1 is vulnerable to Command
> | Injection via hg argument injection. When calling the cookiecutter
> | function from Python code with the checkout parameter, it is passed to
> | the hg checkout command in a way that additional flags can be set. The
> | additional flags can be used to perform a command injection.
>
> https://security.snyk.io/vuln/SNYK-PYTHON-COOKIECUTTER-2414281
>
> Fixed in 2.1.1 and this isolated patch:
> https://github.com/cookiecutter/cookiecutter/releases/tag/2.1.1
> https://github.com/cookiecutter/cookiecutter/commit/fdffddb31fd2b46344dfa317531ff155e7999f77
Could we get that fixed for bookworm?

Cheers,
Moritz
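The bug class described in the quoted report is argument injection: a caller-supplied `checkout` value that starts with `-` is interpreted by `hg checkout` as an option rather than a revision. The following is an added illustration of the defensive pattern (an allow-list on the ref name plus the `--` end-of-options marker), not cookiecutter's own code or the upstream fix; the function names and the ref pattern are hypothetical.

```python
import re
import subprocess

# Hypothetical helper names; they do not mirror cookiecutter's vcs module.


class InvalidCheckoutRef(ValueError):
    """Raised when a checkout value does not look like a revision name."""


# Constructed allow-list: a revision name must start with an alphanumeric
# character, so anything option-like ("-R", "--config=...") is rejected
# before it ever reaches hg's argument parser.
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/@+-]*$")


def is_safe_checkout_ref(checkout):
    """Return True only for values that cannot be parsed as an hg option."""
    return isinstance(checkout, str) and bool(_REF_RE.match(checkout))


def build_hg_checkout_argv(checkout):
    """Build the argv for `hg checkout <rev>` with the untrusted value last.

    Two independent controls are applied:
      1. the allow-list above rejects option-like strings outright;
      2. "--" tells hg that option parsing has ended, so even a value that
         slipped past the pattern is read as a revision, never as a flag.
    """
    if not is_safe_checkout_ref(checkout):
        raise InvalidCheckoutRef("refusing option-like checkout value: %r" % (checkout,))
    return ["hg", "checkout", "--", checkout]


def hg_checkout(checkout, repo_dir):
    """Run the checkout as an argv list (never through a shell) inside repo_dir."""
    argv = build_hg_checkout_argv(checkout)
    return subprocess.check_output(argv, cwd=repo_dir, stderr=subprocess.STDOUT)


if __name__ == "__main__":
    print(build_hg_checkout_argv("v1.0"))
    for bad in ("-R", "--config=x", ""):
        try:
            build_hg_checkout_argv(bad)
        except InvalidCheckoutRef as exc:
            print("rejected:", exc)
```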