CVE-2018-1000802
Published: 18 September 2018
Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.
Priority
CVSS 3 base score: 9.8
Status
Package | Release | Status |
---|---|---|
python2.7 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(2.7.15~rc1-1ubuntu0.1)
|
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Released
(2.7.12-1ubuntu0~16.04.4)
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(2.7.6-8ubuntu0.5)
|
|
Patches: Upstream: https://github.com/python/cpython/commit/d8b103b8b3ef9644805341216963a64098642435 |
||
python3.4 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(3.4.3-1ubuntu1~14.04.7)
|
|
python3.5 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Not vulnerable
(code present)
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Not vulnerable
(code present)
|
|
python3.6 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
Ubuntu 18.04 LTS (Bionic Beaver) |
Not vulnerable
(code not present)
|
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
python3.7 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
Ubuntu 18.04 LTS (Bionic Beaver) |
Not vulnerable
(code not present)
|
|
Ubuntu 16.04 LTS (Xenial Xerus) |
Does not exist
|
|
Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
Notes
Author | Note |
---|---|
mdeslaur | later versions of python removed _call_external_zip completely |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802
- https://mega.nz/#!JUFiCC4R!mq-jQ8ySFwIhX6WMDujaZuNBfttDVt7DETlfOIQE1ig
- https://usn.ubuntu.com/usn/usn-3817-1
- https://usn.ubuntu.com/usn/usn-3817-2
- NVD
- Launchpad
- Debian