CVE-2015-20107

Published: 13 April 2022

In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
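One way for a calling application to supply the validation the description says is missing, as an added example (not CPython's or Ubuntu's code): every value that mailcap would substitute into a command is checked against an allowlist before mailcap.findmatch is called. The allowlist, the function names and the sample values are assumptions of this example.

```python
import re

# Characters this example accepts inside a value that ends up in a mailcap
# command line. The allowlist is an assumption of this example.
_UNSAFE = re.compile(r"[^\w@+=:,./-]")


def unsafe_reason(value):
    """Return why `value` must not reach a mailcap command, or None if it may."""
    hit = _UNSAFE.search(value)
    if hit:
        return "disallowed character %r at offset %d" % (hit.group(), hit.start())
    return None


def check_findmatch_args(mimetype, filename, plist=()):
    """Validate everything findmatch would substitute (%t, %s, %{name}).

    Returns a list of (field, reason) tuples; an empty list means acceptable.
    """
    problems = []
    for field, value in (("mimetype", mimetype), ("filename", filename)):
        reason = unsafe_reason(value)
        if reason:
            problems.append((field, reason))
    for param in plist:
        # plist entries have the form "name=value"; the value fills %{name}.
        name, _, value = param.partition("=")
        reason = unsafe_reason(value)
        if reason:
            problems.append(("plist:" + name, reason))
    return problems


def guarded_findmatch(caps, mimetype, filename, plist=()):
    """Call mailcap.findmatch only when every substituted value passes."""
    problems = check_findmatch_args(mimetype, filename, plist)
    if problems:
        return None, None, problems
    import mailcap  # deprecated in Python 3.11, removed in 3.13
    command, entry = mailcap.findmatch(
        caps, mimetype, filename=filename, plist=list(plist))
    return command, entry, []
```

A caller should treat a non-empty problem list as a rejected request and log the field name and reason, rather than trying to strip the offending characters.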

Notes

Author: leosilva
Note: Patch was proposed in cpython Lib/mailcap.py but not merged yet.
It sounds like a better approach was PR to fix that issue, but it is
still not merged yet.
There are plenty of discussions going on about proper ways to fix
that issue, but none was accepted yet that fixes the issue and keeps
the software working properly.

Priority

Low

CVSS 3 base score: 9.8

Status

Package     Release   Status
python2.7   bionic    Released (2.7.17-1~18.04ubuntu1.8)
python2.7   focal     Released (2.7.18-1~20.04.3)
python2.7   impish    Released (2.7.18-8ubuntu0.2)
python2.7   jammy     Released (2.7.18-13ubuntu1.1)
python2.7   trusty    Released (2.7.6-8ubuntu0.6+esm11)
python2.7   upstream  Needed
python2.7   xenial    Released (2.7.12-1ubuntu0~16.04.18+esm2)

python3.10  bionic    Does not exist
python3.10  focal     Does not exist
python3.10  impish    Ignored (reached end-of-life)
python3.10  jammy     Released (3.10.4-3ubuntu0.1)
python3.10  trusty    Does not exist
python3.10  upstream  Needed
python3.10  xenial    Does not exist

python3.4   bionic    Does not exist
python3.4   focal     Does not exist
python3.4   impish    Does not exist
python3.4   jammy     Does not exist
python3.4   trusty    Released (3.4.3-1ubuntu1~14.04.7+esm13)
python3.4   upstream  Needed
python3.4   xenial    Does not exist

python3.5   bionic    Does not exist
python3.5   focal     Does not exist
python3.5   impish    Does not exist
python3.5   jammy     Does not exist
python3.5   trusty    Needed
python3.5   upstream  Needed
python3.5   xenial    Released (3.5.2-2ubuntu0~16.04.13+esm3)

python3.6   bionic    Released (3.6.9-1~18.04ubuntu1.8)
python3.6   focal     Does not exist
python3.6   impish    Does not exist
python3.6   jammy     Does not exist
python3.6   trusty    Does not exist
python3.6   upstream  Needed
python3.6   xenial    Does not exist

python3.7   bionic    Needed
python3.7   focal     Does not exist
python3.7   impish    Does not exist
python3.7   jammy     Does not exist
python3.7   trusty    Does not exist
python3.7   upstream  Needed
python3.7   xenial    Does not exist

python3.8   bionic    Needed
python3.8   focal     Released (3.8.10-0ubuntu1~20.04.5)
python3.8   impish    Does not exist
python3.8   jammy     Does not exist
python3.8   trusty    Does not exist
python3.8   upstream  Needed
python3.8   xenial    Does not exist

python3.9   bionic    Does not exist
python3.9   focal     Needed
python3.9   impish    Released (3.9.7-2ubuntu0.1)
python3.9   jammy     Does not exist
python3.9   trusty    Does not exist
python3.9   upstream  Needed
python3.9   xenial    Does not exist