CVE-2019-17514

Published: 12 October 2019

library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.

Priority

CVSS 3 base score: 7.5

Status

Package	Release	Status
python2.7 Launchpad, Ubuntu, Debian	Upstream	Needs triage
	Ubuntu 21.04 (Hirsute Hippo)	Needs triage
	Ubuntu 20.10 (Groovy Gorilla)	Needs triage
	Ubuntu 20.04 LTS (Focal Fossa)	Needs triage
	Ubuntu 18.04 LTS (Bionic Beaver)	Released (2.7.17-1~18.04ubuntu1.1)
	Ubuntu 16.04 LTS (Xenial Xerus)	Released (2.7.12-1ubuntu0~16.04.12)
	Ubuntu 14.04 ESM (Trusty Tahr)	Released (2.7.6-8ubuntu0.6+esm6)
python3.4 Launchpad, Ubuntu, Debian	Upstream	Needs triage
	Ubuntu 21.04 (Hirsute Hippo)	Does not exist
	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 LTS (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Released (3.4.3-1ubuntu1~14.04.7+esm7)
python3.5 Launchpad, Ubuntu, Debian	Upstream	Needs triage
	Ubuntu 21.04 (Hirsute Hippo)	Does not exist
	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 LTS (Xenial Xerus)	Released (3.5.2-2ubuntu0~16.04.11)
	Ubuntu 14.04 ESM (Trusty Tahr)	Needs triage
python3.6 Launchpad, Ubuntu, Debian	Upstream	Needs triage
	Ubuntu 21.04 (Hirsute Hippo)	Does not exist
	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Released (3.6.9-1~18.04ubuntu1.1)
	Ubuntu 16.04 LTS (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
python3.7 Launchpad, Ubuntu, Debian	Upstream	Needs triage
	Ubuntu 21.04 (Hirsute Hippo)	Does not exist
	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Needs triage
	Ubuntu 16.04 LTS (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
	Patches: Upstream: https://github.com/python/cpython/pull/6587/commits/5cffb1ed6a7f5afe74e4384d59f1670be29a7930
python3.8 Launchpad, Ubuntu, Debian	Upstream	Needs triage
	Ubuntu 21.04 (Hirsute Hippo)	Does not exist
	Ubuntu 20.10 (Groovy Gorilla)	Needs triage
	Ubuntu 20.04 LTS (Focal Fossa)	Released (3.8.2-1ubuntu1.2)
	Ubuntu 18.04 LTS (Bionic Beaver)	Needs triage
	Ubuntu 16.04 LTS (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist

References

Bugs

https://bugs.python.org/issue33275

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM