Package: python2.7
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Control: fixed -1 2.7.9-2+deb8u2
Hi,

The following vulnerability was published for python2.7.

CVE-2018-1000802[0]:
| Python Software Foundation Python (CPython) version 2.7 contains a
| CWE-77: Improper Neutralization of Special Elements used in a Command
| ('Command Injection') vulnerability in shutil module (make_archive
| function) that can result in Denial of service, Information gain via
| injection of arbitrary files on the system or entire drive. This
| attack appear to be exploitable via Passage of unfiltered user input
| to the function. This vulnerability appears to have been fixed in
| after commit add531a1e55b0a739b0f42582f1c9747e5649ace.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000802
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802

Please adjust the affected versions in the BTS as needed.

==

The patches upstream are straightforward to apply and have been shipped
in Debian LTS (jessie):

https://github.com/python/cpython/pull/8985/commits/add531a1e55b0a739b0f42582f1c9747e5649ace

They are not part of a 2.7.x release just yet however, but considering
the impact, I think it might be worth fixing before the upstream point
release.

A.
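The CVE text above blames "passage of unfiltered user input" to shutil.make_archive. Independently of the upstream patch, an application that lets a client choose the archive name can close that door on its own side by validating the name before shutil ever sees it. The following is an added example for this report, not code from Debian, CPython or the upstream fix; the allowed character set, the output-directory confinement and the sample tree it archives are constructed for the example, and it assumes the untrusted value is the archive base name while root_dir stays under the application's control.

```python
"""Validate a caller-supplied archive name before shutil.make_archive.

Added example (not Debian's or CPython's code). Policy assumed here:
the archive name must be a plain file name built from letters, digits,
'.', '_' and '-', must not start with '.', and must resolve inside the
output directory. Everything else is rejected with ValueError.
"""
import os
import re
import shutil
import tempfile
import zipfile

# Constructed allow-list: first character alphanumeric, at most 64 chars,
# no path separators, whitespace or shell metacharacters anywhere.
_SAFE_NAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$')


def safe_archive_name(user_name, out_dir):
    """Return the absolute archive base path under out_dir, or raise ValueError."""
    if not _SAFE_NAME.match(user_name):
        raise ValueError('archive name rejected: %r' % (user_name,))
    out_dir = os.path.realpath(out_dir)
    base = os.path.realpath(os.path.join(out_dir, user_name))
    # Defence in depth: even a name that passed the regex must still
    # resolve to a direct child of out_dir (guards against symlink games).
    if os.path.dirname(base) != out_dir:
        raise ValueError('archive name escapes output directory: %r'
                         % (user_name,))
    return base


def make_user_archive(user_name, root_dir, out_dir):
    """Create <out_dir>/<user_name>.zip from root_dir after validation."""
    base = safe_archive_name(user_name, out_dir)
    # 'zip' format: shutil uses the zipfile module when it is importable,
    # so no external zip binary is involved on a stock install.
    return shutil.make_archive(base, 'zip', root_dir=root_dir)


def is_rejected(user_name):
    """True if the validator refuses user_name (used by the checks below)."""
    try:
        safe_archive_name(user_name, tempfile.gettempdir())
    except ValueError:
        return True
    return False


def demo():
    """Archive a small constructed tree and report (archive name, members)."""
    work = tempfile.mkdtemp(prefix='mkarch-')
    try:
        src = os.path.join(work, 'src')
        out = os.path.join(work, 'out')
        os.makedirs(src)
        os.makedirs(out)
        with open(os.path.join(src, 'hello.txt'), 'w') as fh:
            fh.write('constructed sample content\n')
        archive = make_user_archive('export-2018', src, out)
        with zipfile.ZipFile(archive) as zf:
            members = zf.namelist()
        return os.path.basename(archive), members
    finally:
        shutil.rmtree(work)


if __name__ == '__main__':
    print(demo())
    for name in ('export-2018', '../escape', 'bad;name', 'a b', '.hidden'):
        print('%-12s rejected=%s' % (name, is_rejected(name)))
```

The regex does the real work; the realpath check only backs it up. Rejecting with an exception rather than silently "cleaning" the name keeps the failure visible in logs, which is what you want when the input came from a client.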