Message-Id: <20151214213745.7C3376C0176@smtpvmsrv1.mitre.org>
Date: Mon, 14 Dec 2015 16:37:45 -0500 (EST)
From: cve-assign@...re.org
To: scorneli@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Shell Injection in Pygments FontManager._get_nix_font_path

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> http://seclists.org/fulldisclosure/2015/Oct/4
> https://bugzilla.redhat.com/show_bug.cgi?id=1276321

Use CVE-2015-8557.

> https://bugzilla.redhat.com/show_bug.cgi?id=1276321#c2
> python-pygments-2.0.2-3.fc23 has been pushed to the Fedora 23 stable repository
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1276321#c5
> The old patch caused problems. Here's a better upstream patch

As far as we can tell, the old patch used shlex.quote whereas the new patch
has a different solution involving subprocess.Popen. If
python-pygments-2.0.2-3.fc23 had a vulnerability because shlex.quote didn't
adequately protect against command injection, then there should be a second
CVE ID for that vulnerability. Otherwise, we'll interpret "old patch caused
problems" to mean usability problems.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIbBAEBCAAGBQJWbzOhAAoJEL54rhJi8gl5AH4P93kGsVRmy5xreW4IaM1cI09g
3WYA0b2JIDcrJXsNPT1KE4MFON5BKResTBbv+PKde0WRqHKgDUf4q5WexcaPFCjs
WgMo0mIj1Ab0P6j1xGeu6WNzmAMFdE1e0+9rupmDd0V1Aq1PnvYTVIxmKugvaV00
hK5tnY0jkYIyO7GfGTY3PGBmE8juFVA60aEsAozRGlETYHS3XqE3bMBzvHlarZ8o
7ZRWV8VEoh+j3mxTV6ib7WLTZhT4Rzf+phwQSaEDrnGAJYy7RLh1VHZzsgdBdCyZ
cBYBcV0hPfXg3sC81zxYUPTB8L3Z701nnAJ0kV3tzUQiHjFEgI4P8kNVslOy+jrX
IuXFMlh4Vba1mmkMfGjf633MP0HVhqmIyBgngyV50dL8Kc4lSAnKB1Ict8ruwDI+
bz9F/MEez5y1HTC1wniR3IwbxuMaobCjYfF7NhJe0gXcC7V+DpwMOUFTwIvIFeFc
lrt4MyRCvh9DUzp70Kz++WGIEs59h4P9MpX/AzL2J/85UPJOPLvRVm+GSh1zIL13
YNJRCpN0Q/SdBa5US2pPDccVcHpxKFXqu/ETS518yJDKpElXqKkmvXgy6P0yege9
slhUQg1Ol6k4axkeo/BlO6z1CqHuT4EM1mzPM4ujINZXX2bKBRMxaZVyL1xVnL89
XVfC0et5dVwCnahrD48=
=sPew
-----END PGP SIGNATURE-----
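The bug shape the thread is about and the two remediation strategies it names (argument quoting with shlex.quote versus an argv list handed to subprocess), as an added example. This is not Pygments' code and not either of the patches; it models an untrusted font name and style being interpolated into a shell command line for fc-list. Because fc-list may not be installed, the example uses printf as a constructed stand-in that simply echoes the pattern argument it receives; the argument handling, which is the whole point, is the same for either tool. The hostile font name and the function names are constructed for the demonstration.

```python
"""Vulnerable shell-string pattern beside the two fixes discussed in the thread.

Added example; not Pygments' code and not either patch. It models the bug's
shape (an untrusted font name and style dropped into a shell command line) and
both remediation strategies named above: quoting every argument with
shlex.quote, and passing an argv list to subprocess so no shell parses the
arguments at all. printf is a constructed stand-in for fc-list.
"""
import shlex
import subprocess

TOOL = "printf"   # constructed stand-in for "fc-list"
FMT = "%s\\n"     # printf format string; the stand-in's first argument

# Constructed hostile font name: closes the double-quoted argument in the
# vulnerable command line, then appends a second shell command.
EVIL_NAME = 'Sans"; echo INJECTED; "'


def vulnerable_command(name: str, style: str) -> str:
    """Untrusted values interpolated straight into a shell string (the bug)."""
    return '%s "%s" "%s:style=%s"' % (TOOL, FMT, name, style)


def quoted_command(name: str, style: str) -> str:
    """Fix 1: still a shell string, but every argument goes through shlex.quote.

    shlex.quote produces POSIX-sh quoting, so this is only a fix when the
    string is run by a POSIX shell (what subprocess shell=True uses on Unix).
    """
    pattern = "%s:style=%s" % (name, style)
    return "%s %s %s" % (TOOL, shlex.quote(FMT), shlex.quote(pattern))


def argv_command(name: str, style: str) -> list:
    """Fix 2: no shell at all; each argument is exactly one argv element."""
    return [TOOL, FMT, "%s:style=%s" % (name, style)]


def run_shell(cmd: str) -> str:
    """Run a command line through /bin/sh (shell=True) and return its stdout."""
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_argv(argv: list) -> str:
    """Run an argv list directly (shell=False) and return its stdout."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


def demo(name: str = EVIL_NAME, style: str = "Bold") -> dict:
    """Run all three variants on the same inputs and collect their stdout.

    With EVIL_NAME the vulnerable variant's stdout contains the injected
    "INJECTED" line; both fixed variants print the font pattern literally.
    """
    return {
        "vulnerable": run_shell(vulnerable_command(name, style)),
        "quoted": run_shell(quoted_command(name, style)),
        "argv": run_argv(argv_command(name, style)),
    }


if __name__ == "__main__":
    for variant, out in demo().items():
        print("%-10s -> %r" % (variant, out))
```

Of the two fixes, the argv form is the one to prefer: it removes the shell from the path entirely, so there is no quoting dialect to get right, and it behaves the same on Windows, where shlex.quote's single-quote convention is not understood by cmd.exe. Names containing a single quote (for example O'Reilly Sans) are handled correctly by both fixes, which is the case worth checking when reviewing any shlex.quote-based patch.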