CVE-2015-20107

Advisory

Python 3.7.16, 3.8.16, 3.9.16, 3.10.6 and 3.11.0b4 include a fix for CVE-2015-20107: The mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
https://python-security.readthedocs.io/vuln/mailcap-shell-injection.html

Affected package

Affected versions

Fixed versions

Vulnerability changelog

In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). See CVE-2015-20107.


MISC:https://bugs.python.org/issue24778: https://bugs.python.org/issue24778
MISC:https://github.com/python/cpython/issues/68966: https://github.com/python/cpython/issues/68966

Resources

• https://bugs.python.org/issue24778
• https://github.com/python/cpython/issues/68966
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-20107
• https://security.netapp.com/advisory/ntap-20220616-0001/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/XO2H6CKWLRGTTZCGUQVELW6LUH437Q3O/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/FIRUTX47BJD2HYJDLMI7JJBVCYFAPKAQ/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/ONXSGLASNLGFL57YU6WT6Y5YURSFV43U/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/ERYMM2QVDPOJLX4LYXWYIQN5FOIJLDRY/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/MYG3EMFR7ZHC46TDNM7SNWO64A3W7EUF/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/Y4E2WBEJ42CGLGDHD6ZXOLZ2W6G3YOVD/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/46KWPTI72SSEOF53DOYQBQOCN4QQB2GE/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/FCIO2W4DUVVMI6L52QCC4TT2B3K5VWHS/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/W5664BGZVTA46LQDNTYX5THG6CN4FYJX/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/UIOJUZ5JMEMGSKNISTOVI4PDP36FDL5Y/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/KAY6VBNVEFUXKJF37WFHYXUSRDEK34N3/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/F3LNY2NHM6J22O6Q5ANOE3SZRK3OACKR/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/HAI2GBC7WKH7J5NH6J2IW5RT3VF2SF5M/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/6QIKVSW3H6W2GQGDE5DTIWLGFNH6KKEW/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/GPCLGZZJPVXFWUWVV5WCD5FNUAFLKBDN/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/53TQZFLS6O3FLIMVSXFEEPZSWLDZLBOX/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/PTTZGLD2YBMMG6U6F5HOTPOGGPBIURMA/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/57NECACX333A3BBZM2TR2VZ4ZE3UG3SN/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/AKGMYDVKI3XNM27B6I6RQ6QV3TVJAUCG/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/5DBVY4YC2P6EPZZ2DROOXHDOWZ4BJFLW/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/WXF6MQ74HVIDDSR5AE2UDR24I6D4FEPC/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/IFGV7P2PYFBMK32OKHCAC2ZPJQV5AUDF/
• https://python-security.readthedocs.io/vuln/mailcap-shell-injection.html
• https://security.gentoo.org/glsa/202305-02
• https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
• https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html