CVE-2018-1000802

Priority
Description
Python Software Foundation Python (CPython) version 2.7 contains a CWE-77
(Improper Neutralization of Special Elements used in a Command, 'Command
Injection') vulnerability in the shutil module (make_archive function) that can
result in denial of service or information gain via injection of arbitrary
files on the system or the entire drive. This attack appears to be exploitable
via passage of unfiltered user input to the function. This vulnerability
appears to have been fixed after commit
add531a1e55b0a739b0f42582f1c9747e5649ace.
Notes
 mdeslaur> later versions of python removed _call_external_zip completely
Assigned-to
mdeslaur
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): released (2.7.3-0ubuntu3.11)
Ubuntu 14.04 LTS (Trusty Tahr): released (2.7.6-8ubuntu0.5)
Ubuntu 16.04 LTS (Xenial Xerus): released (2.7.12-1ubuntu0~16.04.4)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.7.15~rc1-1ubuntu0.1)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (2.7.15-4ubuntu4)
Ubuntu 19.04 (Disco Dingo): not-affected (2.7.15-4ubuntu4)
Patches:
Upstream: https://github.com/python/cpython/commit/d8b103b8b3ef9644805341216963a64098642435
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): released (3.4.3-1ubuntu1~14.04.7)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 18.10 (Cosmic Cuttlefish): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (code present)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code present)
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 18.10 (Cosmic Cuttlefish): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (code not present)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (code not present)
Ubuntu 19.04 (Disco Dingo): not-affected (code not present)
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (code not present)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (code not present)
Ubuntu 19.04 (Disco Dingo): not-affected (code not present)
More Information

Updated: 2018-11-15 17:14:56 UTC (commit 38bef43542b89f7c2f580d6ea1e32826421f607e)