CVE-2019-17514
Published: 12 October 2019
library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.
Negligible
CVSS 3 base score: 7.5
Status
| Package | Release | Status |
|---|---|---|
|
python2.7 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Needs triage
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Released
(2.7.18-1~20.04.1)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(2.7.17-1~18.04ubuntu1.1)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Released
(2.7.12-1ubuntu0~16.04.12)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(2.7.6-8ubuntu0.6+esm6)
|
|
|
python3.4 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(3.4.3-1ubuntu1~14.04.7+esm7)
|
|
|
python3.5 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Released
(3.5.2-2ubuntu0~16.04.11)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Needs triage
|
|
|
python3.6 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(3.6.9-1~18.04ubuntu1.1)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
python3.7 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(3.7.5-2~18.04.4)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
Patches: Upstream: https://github.com/python/cpython/pull/6587/commits/5cffb1ed6a7f5afe74e4384d59f1670be29a7930 |
||
|
python3.8 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Released
(3.8.2-1ubuntu1.2)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(3.8.0-3~18.04.1)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
Notes
| Author | Note |
|---|---|
| mdeslaur | this is a documentation change only, we will not be fixing this issue in Ubuntu 20.10. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17514
- https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L380
- https://github.com/bminor/bash/blob/ac50fbac377e32b98d2de396f016ea81e8ee9961/pathexp.c#L405
- https://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216
- https://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip
- https://twitter.com/chris_bloke/status/1181997278136958976
- https://twitter.com/LucasCMoore/status/1181615421922824192
- https://web.archive.org/web/20150822013622/https://docs.python.org/3/library/glob.html
- https://web.archive.org/web/20150906020027/https://docs.python.org/2.7/library/glob.html
- https://web.archive.org/web/20160309211341/https://docs.python.org/3/library/glob.html
- https://web.archive.org/web/20160526201356/https://docs.python.org/2.7/library/glob.html
- https://www.vice.com/en_us/article/zmjwda/a-code-glitch-may-have-caused-errors-in-more-than-100-published-studies
- https://ubuntu.com/security/notices/USN-4428-1
- https://ubuntu.com/security/notices/USN-4754-3
- NVD
- Launchpad
- Debian