Debian Bug report logs - #909673
python2.7: CVE-2018-1000802

Reported by: Antoine Beaupre <anarcat@orangeseeds.org>

Date: Wed, 26 Sep 2018 15:12:02 UTC

Severity: grave

Tags: fixed-upstream, security

Found in version python2.7/2.7.9-2

Fixed in versions 2.7.9-2+deb8u2, 2.7.13-2+deb9u3, python2.7/2.7.15-5

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.python.org/issue34540


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Matthias Klose <doko@debian.org>:
Bug#909673; Package python2.7. (Wed, 26 Sep 2018 15:12:04 GMT)


Acknowledgement sent to Antoine Beaupre <anarcat@orangeseeds.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Matthias Klose <doko@debian.org>. (Wed, 26 Sep 2018 15:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Antoine Beaupre <anarcat@orangeseeds.org>
To: submit@bugs.debian.org
Subject: python2.7: CVE-2018-1000802
Date: Wed, 26 Sep 2018 11:08:06 -0400
Package: python2.7
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Control: fixed -1 2.7.9-2+deb8u2

Hi,

The following vulnerability was published for python2.7.

CVE-2018-1000802[0]:
| Python Software Foundation Python (CPython) version 2.7 contains a
| CWE-77: Improper Neutralization of Special Elements used in a Command
| ('Command Injection') vulnerability in shutil module (make_archive
| function) that can result in Denial of service, Information gain via
| injection of arbitrary files on the system or entire drive. This
| attack appears to be exploitable via passage of unfiltered user input
| to the function. This vulnerability appears to have been fixed
| after commit add531a1e55b0a739b0f42582f1c9747e5649ace.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000802
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802

Please adjust the affected versions in the BTS as needed.

==

The patches upstream are straightforward to apply and have been shipped
in Debian LTS (jessie):

https://github.com/python/cpython/pull/8985/commits/add531a1e55b0a739b0f42582f1c9747e5649ace

They are not part of a 2.7.x release just yet however but considering
the impact, I think it might be worth fixing before the upstream point
release.

A.
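The report above concerns shutil.make_archive() handing a caller-supplied archive name to an external 'zip' program. The defensive pattern a reviewer would ask for is to keep archive creation in-process, so that names are only ever data, and to allow-list the archive name before it is used as a file path. The following is an added illustration, not code from the bug report or from CPython; the helper names (safe_make_zip, _check_name, list_archive, demo) and the allow-list pattern are assumptions chosen for this example.

```python
"""Added example (not from the bug report): build a zip archive in pure
Python with the zipfile module instead of delegating to an external 'zip'
binary, so no caller-controlled string ever reaches a shell or an argv.
Helper names and the allow-list pattern are assumptions for this example."""
import os
import re
import tempfile
import zipfile

# Archive names we accept: a plain file name, no path separators and no
# leading dash, so the value cannot be mistaken for an option or escape the
# output directory.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def _check_name(base_name):
    """Reject archive names that do not match the allow-list pattern."""
    if not _SAFE_NAME.match(base_name):
        raise ValueError("unsafe archive name: %r" % (base_name,))
    return base_name


def safe_make_zip(out_dir, base_name, root_dir):
    """Create <out_dir>/<base_name>.zip containing everything under root_dir.

    Every path is handled by zipfile in-process; nothing is passed to an
    external program. Returns the path of the archive written.
    """
    _check_name(base_name)
    archive_path = os.path.join(out_dir, base_name + ".zip")
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, dirnames, filenames in os.walk(root_dir):
            dirnames.sort()  # deterministic member order
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                # Store members relative to root_dir, as make_archive does.
                zf.write(full, os.path.relpath(full, root_dir))
    return archive_path


def list_archive(archive_path):
    """Return the sorted member names of a zip archive, for verification."""
    with zipfile.ZipFile(archive_path) as zf:
        return sorted(zf.namelist())


def demo():
    """Constructed sample input: a temporary tree with two files."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "src")
    os.makedirs(os.path.join(src, "sub"))
    with open(os.path.join(src, "a.txt"), "w") as f:
        f.write("alpha\n")
    with open(os.path.join(src, "sub", "b.txt"), "w") as f:
        f.write("beta\n")
    archive = safe_make_zip(work, "backup-2018", src)
    return list_archive(archive)


if __name__ == "__main__":
    print(demo())
```

The allow-list is deliberately strict: an audit of make_archive() call sites only has to confirm that base_name passes _check_name before the call, rather than reason about what characters an external tool might interpret.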

Marked as fixed in versions 2.7.9-2+deb8u2. Request was from Antoine Beaupre <anarcat@orangeseeds.org> to submit@bugs.debian.org. (Wed, 26 Sep 2018 15:12:04 GMT)


Marked as found in versions python2.7/2.7.9-2. Request was from Antoine Beaupré <anarcat@debian.org> to control@bugs.debian.org. (Wed, 26 Sep 2018 15:18:02 GMT)


Set Bug forwarded-to-address to 'https://bugs.python.org/issue34540'. Request was from Antoine Beaupré <anarcat@debian.org> to control@bugs.debian.org. (Wed, 26 Sep 2018 15:27:04 GMT)


Marked as fixed in versions 2.7.13-2+deb9u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 27 Sep 2018 08:45:03 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 01 Oct 2018 18:39:13 GMT)


Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Wed, 28 Nov 2018 17:54:08 GMT)


Notification sent to Antoine Beaupre <anarcat@orangeseeds.org>:
Bug acknowledged by developer. (Wed, 28 Nov 2018 17:54:08 GMT)


Message #20 received at 909673-close@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: 909673-close@bugs.debian.org
Subject: Bug#909673: fixed in python2.7 2.7.15-5
Date: Wed, 28 Nov 2018 17:51:01 +0000
Source: python2.7
Source-Version: 2.7.15-5

We believe that the bug you reported is fixed in the latest version of
python2.7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 909673@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated python2.7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 28 Nov 2018 17:27:22 +0100
Source: python2.7
Binary: python2.7 libpython2.7-stdlib python2.7-minimal libpython2.7-minimal libpython2.7 python2.7-examples python2.7-dev libpython2.7-dev libpython2.7-testsuite idle-python2.7 python2.7-doc python2.7-dbg libpython2.7-dbg
Architecture: source
Version: 2.7.15-5
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Description:
 idle-python2.7 - IDE for Python (v2.7) using Tkinter
 libpython2.7 - Shared Python runtime library (version 2.7)
 libpython2.7-dbg - Debug Build of the Python Interpreter (version 2.7)
 libpython2.7-dev - Header files and a static library for Python (v2.7)
 libpython2.7-minimal - Minimal subset of the Python language (version 2.7)
 libpython2.7-stdlib - Interactive high-level object-oriented language (standard library
 libpython2.7-testsuite - Testsuite for the Python standard library (v2.7)
 python2.7  - Interactive high-level object-oriented language (version 2.7)
 python2.7-dbg - Debug Build of the Python Interpreter (version 2.7)
 python2.7-dev - Header files and a static library for Python (v2.7)
 python2.7-doc - Documentation for the high-level object-oriented language Python
 python2.7-examples - Examples for the Python language (v2.7)
 python2.7-minimal - Minimal subset of the Python language (version 2.7)
Closes: 909673 912422
Changes:
 python2.7 (2.7.15-5) unstable; urgency=medium
 .
   * Update to 20181127 from the 2.7 branch.
     - Fix issue #20744, running an external 'zip' in shutil.make_archive().
       CVE-2018-1000802. Closes: #909673.
   * Cherrypick in-progress backports to 2.7 branch from 3.6 branch to fix
     test_ssl assertions with openssl 1.1.1. Resolves autopkgtest failure
     of the 2.7 with openssl 1.1.1 (Dimitri John Ledkov).
   * Don't hard code location of netinet/in.h. Closes: #912422.
   * Update VCS attributes.
Checksums-Sha1:
 b921958addc378b2d0100a5332fc0f015088af24 3344 python2.7_2.7.15-5.dsc
 60fdca15eeae8c2f3adb2f0912bc1225cbb1d1c6 565412 python2.7_2.7.15-5.diff.gz
 05c2dfde1eb6c3bf6775fa5deb9840a9dc914188 9758 python2.7_2.7.15-5_source.buildinfo
Checksums-Sha256:
 1e74da7fb9677381eed583dc7110773ec1065127ab7440ee0598346d065ca78f 3344 python2.7_2.7.15-5.dsc
 87adee4eb59bff1b74806a870a55a8a09345a29c12a1499b10428152f1dff095 565412 python2.7_2.7.15-5.diff.gz
 669bd4bab31542041eda5ef04acc5e98a53c6efae90cdfa3f8f26213bc1798c7 9758 python2.7_2.7.15-5_source.buildinfo
Files:
 a3bdf4cbaa2bda2b533a0fef3d75fd0a 3344 python optional python2.7_2.7.15-5.dsc
 d75374c65660cad871f17bf144d9205e 565412 python optional python2.7_2.7.15-5.diff.gz
 b3554f166263b9ae1ce402881167ea9d 9758 python optional python2.7_2.7.15-5_source.buildinfo




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Dec 2018 07:30:34 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:04:43 2019; Machine Name: buxtehude
