CVE-2015-20107
Published: 13 April 2022
In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9
Notes
| Author | Note |
|---|---|
| leosilva | patch was proposed in cpython Lib/mailcap.py but not merged yet. it sounds a better approach was PR to fix that issue, but still not merged yet. there are plenty of discussions going on about proper ways to fix that issue, but none was accept yet that fix the issue and keep the software working properly. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
python2.7 Launchpad, Ubuntu, Debian |
bionic |
Released
(2.7.17-1~18.04ubuntu1.8)
|
| focal |
Released
(2.7.18-1~20.04.3)
|
|
| impish |
Released
(2.7.18-8ubuntu0.2)
|
|
| jammy |
Released
(2.7.18-13ubuntu1.1)
|
|
| kinetic |
Released
(2.7.18-13ubuntu2)
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Released
(2.7.6-8ubuntu0.6+esm11)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Needed
|
|
| xenial |
Released
(2.7.12-1ubuntu0~16.04.18+esm2)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
|
python3.10 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Released
(3.10.4-3ubuntu0.1)
|
|
| kinetic |
Not vulnerable
(3.10.6-1)
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needed
|
|
| xenial |
Does not exist
|
|
|
python3.4 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Released
(3.4.3-1ubuntu1~14.04.7+esm13)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Needed
|
|
| xenial |
Does not exist
|
|
|
python3.5 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Needed
|
|
| upstream |
Needed
|
|
| xenial |
Released
(3.5.2-2ubuntu0~16.04.13+esm3)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
|
python3.6 Launchpad, Ubuntu, Debian |
bionic |
Released
(3.6.9-1~18.04ubuntu1.8)
|
| focal |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needed
|
|
| xenial |
Does not exist
|
|
|
python3.7 Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needed
|
|
| xenial |
Does not exist
|
|
|
python3.8 Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Released
(3.8.10-0ubuntu1~20.04.5)
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needed
|
|
| xenial |
Does not exist
|
|
|
python3.9 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Released
(3.9.5-3ubuntu0~20.04.1+esm1)
Available with Ubuntu Pro |
|
| impish |
Released
(3.9.7-2ubuntu0.1)
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needed
|
|
| xenial |
Does not exist
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.6 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | High |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L |
References
- https://mail.python.org/archives/list/security-announce@python.org/thread/QDSXNCW77UGULFG2JMDFZQ7H4DIR32LA/
- https://github.com/python/cpython/pull/91542/commits/340251550897cb98ae83ad1040750d6300112e80
- https://github.com/python/cpython/pull/91993
- https://ubuntu.com/security/notices/USN-5519-1
- https://ubuntu.com/security/notices/USN-5888-1
- https://www.cve.org/CVERecord?id=CVE-2015-20107
- NVD
- Launchpad
- Debian