CVE-2024-9287

Name	CVE-2024-9287
Description	A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3966-1, DLA-3980-1, ELA-1244-1, ELA-1262-1, ELA-1267-1
Debian Bugs	1089117

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pypy (PTS)	jessie	2.4.0+dfsg-3	fixed
	stretch	5.6.0+dfsg-4	fixed
	buster	7.0.0+dfsg-3	fixed
	bullseye	7.3.3+dfsg-2	fixed
pypy3 (PTS)	buster	7.0.0+dfsg-3	vulnerable
	bullseye	7.3.5+dfsg-2+deb11u2	vulnerable
	bullseye (security)	7.3.5+dfsg-2+deb11u4	fixed
	bookworm	7.3.11+dfsg-2+deb12u2	vulnerable
	sid, trixie	7.3.17+dfsg-3	fixed
python2.7 (PTS)	jessie, jessie (lts)	2.7.9-2-ds1-1+deb8u12	fixed
	stretch (security)	2.7.13-2+deb9u6	fixed
	stretch (lts), stretch	2.7.13-2+deb9u9	fixed
	buster (security), buster, buster (lts)	2.7.16-2+deb10u4	fixed
	bullseye	2.7.18-8+deb11u1	fixed
python3.11 (PTS)	bookworm	3.11.2-6+deb12u4	vulnerable
	bookworm (security)	3.11.2-6+deb12u3	vulnerable
python3.12 (PTS)	sid, trixie	3.12.8-3	fixed
python3.13 (PTS)	sid, trixie	3.13.1-2	fixed
python3.4 (PTS)	jessie, jessie (lts)	3.4.2-1+deb8u19	fixed
python3.5 (PTS)	stretch (security)	3.5.3-1+deb9u5	vulnerable
	stretch (lts), stretch	3.5.3-1+deb9u11	fixed
python3.7 (PTS)	buster, buster (lts)	3.7.3-2+deb10u9	fixed
	buster (security)	3.7.3-2+deb10u7	vulnerable
python3.9 (PTS)	bullseye	3.9.2-1	vulnerable
	bullseye (security)	3.9.2-1+deb11u2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
pypy	source	(unstable)	(not affected)
pypy3	source	buster	(unfixed)	end-of-life
pypy3	source	bullseye	7.3.5+dfsg-2+deb11u4		DLA-3966-1
pypy3	source	(unstable)	7.3.17+dfsg-3			1089117
python2.7	source	(unstable)	(not affected)
python3.11	source	(unstable)	(unfixed)
python3.12	source	(unstable)	3.12.8-1
python3.13	source	(unstable)	3.13.1-1
python3.4	source	jessie	3.4.2-1+deb8u19		ELA-1267-1
python3.4	source	(unstable)	(unfixed)
python3.5	source	stretch	3.5.3-1+deb9u11		ELA-1262-1
python3.5	source	(unstable)	(unfixed)
python3.7	source	buster	3.7.3-2+deb10u9		ELA-1244-1
python3.7	source	(unstable)	(unfixed)
python3.9	source	bullseye	3.9.2-1+deb11u2		DLA-3980-1
python3.9	source	(unstable)	(unfixed)

Notes

[bookworm] - python3.11 <no-dsa> (Minor issue)
- python2.7 <not-affected> (Vulnerable code not present)
[bookworm] - pypy3 <no-dsa> (Minor issue)
https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/
https://github.com/python/cpython/issues/124651
https://github.com/python/cpython/pull/124712
https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483 (v3.13.1)
https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db (v3.12.8)
https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97 (v3.11.11)
https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7 (v3.9.21)
- pypy <not-affected> (Vulnerable code not present)