CVE-2018-1000802

Priority
Description
Python Software Foundation Python (CPython) version 2.7 contains a CWE-77:
Improper Neutralization of Special Elements used in a Command ('Command
Injection') vulnerability in the shutil module (make_archive function) that
can result in denial of service, information gain via injection of arbitrary
files on the system or entire drive. This attack appears to be exploitable
via passage of unfiltered user input to the function. This vulnerability
appears to have been fixed after commit
add531a1e55b0a739b0f42582f1c9747e5649ace.
Assigned-to
mdeslaur
Notes
mdeslaur: later versions of python removed _call_external_zip completely
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): released (2.7.3-0ubuntu3.11)
Ubuntu 14.04 ESM (Trusty Tahr): released (2.7.6-8ubuntu0.5)
Ubuntu 16.04 LTS (Xenial Xerus): released (2.7.12-1ubuntu0~16.04.4)
Ubuntu 18.04 LTS (Bionic Beaver): released (2.7.15~rc1-1ubuntu0.1)
Ubuntu 19.04 (Disco Dingo): not-affected (2.7.15-4ubuntu4)
Patches:
Upstream: https://github.com/python/cpython/commit/d8b103b8b3ef9644805341216963a64098642435
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): released (3.4.3-1ubuntu1~14.04.7)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was not-affected [code present])
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code present)
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (code not present)
Ubuntu 19.04 (Disco Dingo): not-affected (code not present)
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (code not present)
Ubuntu 19.04 (Disco Dingo): not-affected (code not present)

Updated: 2019-12-05 18:50:06 UTC (commit dd38ff22974aae499eb50644b9d5a2817483cbdb)