CVE-2015-20107

Published: 13 April 2022

In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
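
As an added illustration (not code from CPython or from this tracker), the sketch below models the unescaped `%s` substitution with a stand-in function instead of importing mailcap, and applies a caller-side check before the filename reaches the command template. The template, the helper names and the allow-list are assumptions of this example.

```python
import re
import shlex

# Constructed mailcap-style view command for text/plain (sample value).
VIEW_TEMPLATE = "less %s"


def naive_subst(template, filename):
    """Stand-in model of the behaviour in the description: the filename is
    pasted into the command template with no escaping."""
    return template.replace("%s", filename)


def shell_operators(command):
    """Return the shell control operators ( ; | & < > ( ) ) found in a command."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer if tok and set(tok) <= set("();<>|&")]


# Assumed allow-list: characters with no special meaning to /bin/sh.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_@+=:,./-]+")


def is_safe_filename(filename):
    """Accept only allow-listed names; a leading '-' is rejected as well so
    the name cannot be read as an option by the viewer program."""
    return bool(_SAFE_NAME.fullmatch(filename)) and not filename.startswith("-")


def build_view_command(template, filename):
    """Hardened caller: refuse (return None) instead of substituting a
    filename that fails validation."""
    if not is_safe_filename(filename):
        return None
    return naive_subst(template, filename)


if __name__ == "__main__":
    untrusted = "report.txt; echo INJECTED"  # constructed sample input
    unsafe_cmd = naive_subst(VIEW_TEMPLATE, untrusted)
    print("unvalidated:", unsafe_cmd, "operators:", shell_operators(unsafe_cmd))
    print("validated:  ", build_view_command(VIEW_TEMPLATE, untrusted))
    print("validated:  ", build_view_command(VIEW_TEMPLATE, "/tmp/report.txt"))
```

Nothing here is executed by a shell; the commands are only built and tokenized so the effect of the missing escaping is visible.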

Priority

Low

CVSS 3 base score: 9.8

Status

| Package | Release | Status |
|---|---|---|
| python2.7 | bionic | Deferred (2022-04-14) |
| python2.7 | focal | Deferred (2022-04-14) |
| python2.7 | impish | Deferred (2022-04-14) |
| python2.7 | jammy | Deferred (2022-04-14) |
| python2.7 | trusty | Deferred (2022-04-14) |
| python2.7 | upstream | Needed |
| python2.7 | xenial | Deferred (2022-04-14) |
| python3.10 | bionic | Does not exist |
| python3.10 | focal | Does not exist |
| python3.10 | impish | Deferred (2022-04-14) |
| python3.10 | jammy | Deferred (2022-04-14) |
| python3.10 | trusty | Does not exist |
| python3.10 | upstream | Needed |
| python3.10 | xenial | Does not exist |
| python3.4 | bionic | Does not exist |
| python3.4 | focal | Does not exist |
| python3.4 | impish | Does not exist |
| python3.4 | jammy | Does not exist |
| python3.4 | trusty | Deferred (2022-04-14) |
| python3.4 | upstream | Needed |
| python3.4 | xenial | Does not exist |
| python3.5 | bionic | Does not exist |
| python3.5 | focal | Does not exist |
| python3.5 | impish | Does not exist |
| python3.5 | jammy | Does not exist |
| python3.5 | trusty | Deferred (2022-04-14) |
| python3.5 | upstream | Needed |
| python3.5 | xenial | Deferred (2022-04-14) |
| python3.6 | bionic | Deferred (2022-04-14) |
| python3.6 | focal | Does not exist |
| python3.6 | impish | Does not exist |
| python3.6 | jammy | Does not exist |
| python3.6 | trusty | Does not exist |
| python3.6 | upstream | Needed |
| python3.6 | xenial | Does not exist |
| python3.7 | bionic | Deferred (2022-04-14) |
| python3.7 | focal | Does not exist |
| python3.7 | impish | Does not exist |
| python3.7 | jammy | Does not exist |
| python3.7 | trusty | Does not exist |
| python3.7 | upstream | Needed |
| python3.7 | xenial | Does not exist |
| python3.8 | bionic | Deferred (2022-04-14) |
| python3.8 | focal | Deferred (2022-04-14) |
| python3.8 | impish | Does not exist |
| python3.8 | jammy | Does not exist |
| python3.8 | trusty | Does not exist |
| python3.8 | upstream | Needed |
| python3.8 | xenial | Does not exist |
| python3.9 | bionic | Does not exist |
| python3.9 | focal | Deferred (2022-04-14) |
| python3.9 | impish | Deferred (2022-04-14) |
| python3.9 | jammy | Does not exist |
| python3.9 | trusty | Does not exist |
| python3.9 | upstream | Needed |
| python3.9 | xenial | Does not exist |

Notes

Author: leosilva
Note: A patch was proposed in cpython Lib/mailcap.py but is not merged yet. It sounds like a better approach was PR to fix that issue, but it is still not merged yet. There are plenty of discussions going on about proper ways to fix that issue, but none has been accepted yet that fixes the issue and keeps the software working properly.

References

Bugs