CVE-2018-1000802

Advisory

Python 2.7.16 includes a fix for CVE-2018-1000802: Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service or Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function.
https://bugs.python.org/issue34540

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802
• https://mega.nz/#!JUFiCC4R!mq-jQ8ySFwIhX6WMDujaZuNBfttDVt7DETlfOIQE1ig
• https://github.com/python/cpython/pull/8985/commits/add531a1e55b0a739b0f42582f1c9747e5649ace
• https://github.com/python/cpython/pull/8985
• https://bugs.python.org/issue34540
• https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html
• https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html
• https://www.debian.org/security/2018/dsa-4306
• https://usn.ubuntu.com/3817-1/
• https://usn.ubuntu.com/3817-2/
• http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
• https://security.netapp.com/advisory/ntap-20230309-0002/