| Name | CVE-2018-1000802 |
| Description | Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1519-1, DLA-1520-1, DSA-4306-1, ELA-47-1, ELA-48-1 |
| Debian Bugs | 909673 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| python2.7 (PTS) | jessie, jessie (lts) | 2.7.9-2-ds1-1+deb8u12 | fixed |
| stretch (security) | 2.7.13-2+deb9u6 | fixed | |
| stretch (lts), stretch | 2.7.13-2+deb9u9 | fixed | |
| buster (security), buster, buster (lts) | 2.7.16-2+deb10u4 | fixed | |
| bullseye | 2.7.18-8+deb11u1 | fixed | |
| python3.4 (PTS) | jessie, jessie (lts) | 3.4.2-1+deb8u19 | fixed |
| python3.5 (PTS) | stretch (security) | 3.5.3-1+deb9u5 | fixed |
| stretch (lts), stretch | 3.5.3-1+deb9u11 | fixed | |
| python3.7 (PTS) | buster, buster (lts) | 3.7.3-2+deb10u9 | fixed |
| buster (security) | 3.7.3-2+deb10u7 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| python2.6 | source | wheezy | 2.6.8-1.1+deb7u2 | ELA-48-1 | ||
| python2.7 | source | wheezy | 2.7.3-6+deb7u5 | ELA-47-1 | ||
| python2.7 | source | jessie | 2.7.9-2+deb8u2 | DLA-1519-1 | ||
| python2.7 | source | stretch | 2.7.13-2+deb9u3 | DSA-4306-1 | ||
| python2.7 | source | (unstable) | 2.7.15-5 | 909673 | ||
| python3.4 | source | jessie | 3.4.2-1+deb8u1 | DLA-1520-1 | ||
| python3.4 | source | (unstable) | (unfixed) | |||
| python3.5 | source | (unstable) | (not affected) | |||
| python3.6 | source | (unstable) | (not affected) | |||
| python3.7 | source | (unstable) | (not affected) |
- python3.7 <not-affected> (Fixed before initial upload)
- python3.6 <not-affected> (Fixed before initial upload)
- python3.5 <not-affected> (Fixed before initial upload)
https://bugs.python.org/issue34540
https://github.com/python/cpython/commit/d8b103b8b3ef9644805341216963a64098642435
Later versions did remove _call_external_zip with
https://github.com/python/cpython/commit/a0934b2c1b939fdebee8dc18d49a0f6c52324773
which used distutils.spawn.
PoC: https://mega.nz/#!JUFiCC4R!mq-jQ8ySFwIhX6WMDujaZuNBfttDVt7DETlfOIQE1ig