PublicDateAtUSN: 2019-02-09 03:29:00 UTC
Candidate: CVE-2019-7653
PublicDate: 2019-02-09 03:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7653
 https://bugs.debian.org/921751
 https://ubuntu.com/security/notices/USN-4535-1
Description:
 The Debian python-rdflib-tools 4.2.2-1 package for RDFLib 4.2.2 has CLI
 tools that can load Python modules from the current working directory,
 allowing code injection, because "python -m" looks in this directory, as
 demonstrated by rdf2dot. This issue is specific to use of the
 debian/scripts directory.
Ubuntu-Description:
Notes:
 mdeslaur> python-rdflib-tools binary package is in universe
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921751
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_rdflib:
Tags_rdflib: universe-binary
upstream_rdflib: needed
precise/esm_rdflib: DNE
trusty_rdflib: ignored (reached end-of-life)
trusty/esm_rdflib: DNE (trusty was needs-triage)
xenial_rdflib: released (4.1.2-3+deb8u1build0.16.04.1)
bionic_rdflib: needed
cosmic_rdflib: ignored (reached end-of-life)
disco_rdflib: not-affected (4.2.2-2)
eoan_rdflib: not-affected (4.2.2-2)
focal_rdflib: not-affected (4.2.2-2)
groovy_rdflib: not-affected (4.2.2-2)
hirsute_rdflib: not-affected (4.2.2-2)
impish_rdflib: not-affected (4.2.2-2)
jammy_rdflib: not-affected (4.2.2-2)
devel_rdflib: not-affected (4.2.2-2)