Bugzilla – Bug 1109663
VUL-0: CVE-2018-1000802: python,python3,python27: Command injection in the shutil module
Last modified: 2022-06-10 08:40:30 UTC
rh#1631420 Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in the shutil module (make_archive function) that can result in denial of service or information gain via injection of arbitrary files on the system or entire drive. This attack appears to be exploitable via passage of unfiltered user input to the function. This vulnerability appears to have been fixed in commit add531a1e55b0a739b0f42582f1c9747e5649ace.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1631420
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000802
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000802.html
https://mega.nz/#!JUFiCC4R!mq-jQ8ySFwIhX6WMDujaZuNBfttDVt7DETlfOIQE1ig
https://github.com/python/cpython/pull/8985/commits/add531a1e55b0a739b0f42582f1c9747e5649ace
https://bugs.python.org/issue34540
https://github.com/python/cpython/pull/8985
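The description above names the precondition for this bug: caller-supplied, unfiltered input reaching shutil.make_archive. As an added example (editor's code, not from the bug report, the CPython patch or the SUSE packages), the block below shows the boundary check a practitioner would put in front of make_archive in a service that lets users choose the archive name and the directory to archive. The helper names (validate_archive_args, safe_make_archive, UnsafeArchiveInput) and the allowlist pattern are assumptions made for illustration; the directory tree it archives is constructed in a temporary directory. Validation of this kind limits exposure while a fixed package is rolled out, it does not replace the update, and it runs unchanged on Python 3, which the analysis in the next comment reports as not affected.

```python
import os
import re
import shutil
import tempfile
import zipfile

# Hypothetical allowlist for the archive's base name: exactly one path
# component, starting with a letter, digit or underscore, then only letters,
# digits, dot, underscore and dash. Spaces, shell metacharacters, a leading
# "-" (which an external tool would parse as an option) and directory
# separators are all rejected before the value reaches shutil.make_archive.
_SAFE_BASE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$")


class UnsafeArchiveInput(ValueError):
    """Raised when caller-supplied make_archive arguments fail validation."""


def validate_archive_args(base_name, root_dir, allowed_root):
    """Validate user-controlled make_archive arguments.

    Returns (absolute_base_name, absolute_root_dir) on success and raises
    UnsafeArchiveInput otherwise. base_name must be a single safe path
    component, and root_dir must resolve (symlinks and '..' included) to a
    directory inside allowed_root.
    """
    if not isinstance(base_name, str) or not _SAFE_BASE_NAME.match(base_name):
        raise UnsafeArchiveInput("archive name %r is not a plain safe name" % (base_name,))

    allowed = os.path.realpath(allowed_root)
    resolved_dir = os.path.realpath(os.path.join(allowed, root_dir))
    # Containment check: the resolved directory is allowed_root itself or
    # a path below it; a plain string-prefix test would accept "/srv/data2"
    # for allowed_root "/srv/data", hence the explicit separator.
    if resolved_dir != allowed and not resolved_dir.startswith(allowed + os.sep):
        raise UnsafeArchiveInput("root_dir %r escapes %r" % (root_dir, allowed_root))
    if not os.path.isdir(resolved_dir):
        raise UnsafeArchiveInput("root_dir %r is not a directory" % (root_dir,))

    # Absolute archive path: make_archive may chdir into root_dir, so a
    # relative base_name would otherwise land in the wrong place.
    return os.path.join(allowed, base_name), resolved_dir


def safe_make_archive(base_name, root_dir, allowed_root, fmt="zip"):
    """Create an archive from untrusted names only after validation.

    Returns the path of the archive that shutil.make_archive created.
    """
    abs_base, abs_root = validate_archive_args(base_name, root_dir, allowed_root)
    return shutil.make_archive(abs_base, fmt, root_dir=abs_root)


def demo():
    """Archive a constructed tree safely and show which inputs are rejected.

    Returns {"members": sorted zip member names,
             "rejected": [(base_name, root_dir), ...] that were refused}.
    """
    work = tempfile.mkdtemp(prefix="cve-2018-1000802-")
    try:
        # Constructed sample input: two small files under work/data.
        data = os.path.join(work, "data")
        os.makedirs(os.path.join(data, "sub"))
        with open(os.path.join(data, "a.txt"), "w") as f:
            f.write("alpha\n")
        with open(os.path.join(data, "sub", "b.txt"), "w") as f:
            f.write("beta\n")

        archive = safe_make_archive("backup-2018", "data", work)
        with zipfile.ZipFile(archive) as zf:
            members = sorted(zf.namelist())

        rejected = []
        for name, rdir in [
            ("backup; touch /tmp/pwned", "data"),  # shell metacharacters in name
            ("-r", "data"),                        # would be parsed as an option
            ("../escape", "data"),                 # path separator in name
            ("backup", "../../etc"),               # root_dir outside allowed root
            ("backup", "data/a.txt"),              # inside root, but not a directory
        ]:
            try:
                safe_make_archive(name, rdir, work)
            except UnsafeArchiveInput:
                rejected.append((name, rdir))
        return {"members": members, "rejected": rejected}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The allowlist is deliberately strict: rather than trying to enumerate dangerous characters, it names the characters an archive name legitimately needs. The containment check resolves symlinks before comparing, so a user-created link under the allowed root cannot redirect the archive source elsewhere.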
According to my analysis the following packages are affected:
SUSE:SLE-11-SP1:Update:Teradata/python27
SUSE:SLE-12-SP1:Update/python
SUSE:SLE-15:Update/python

Not affected:
SUSE:SLE-10-SP3:Update/python
SUSE:SLE-11-SP1:Update/python
SUSE:SLE-12:Update/python3
SUSE:SLE-15:Update/python3

Issue was introduced with upstream commit 48cc8dc958165053af6d52426743db365786c7bb, which first appeared in the 2.7.x branch and does not affect Python 3.
I'm currently adding the patch for this (see https://github.com/python/cpython/pull/8985)
Added patch for Python 2.7 in openSUSE Factory: https://build.opensuse.org/request/show/638747

TODO: Older openSUSE versions also need the patch.

I'm resetting ticket state to "NEW" because I don't know the ticket workflow in this product.
(In reply to Michael Ströder from comment #5)
> Added patch for Python 2.7 in openSUSE Factory:
> https://build.opensuse.org/request/show/638747
>
> TODO: Older openSUSE versions also need the patch.
>
> I'm resetting ticket state to "NEW" because I don't know the ticket workflow
> in this product.

Could you maybe NOT take over packages suddenly if the tool has a maintainer? We are already processing the updates as needed for the other codestreams, TW was just last on the list...
This is an autogenerated message for OBS integration: This bug (1109663) was mentioned in https://build.opensuse.org/request/show/638809 Factory / python
SUSE-SU-2018:3002-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1109663 CVE References: CVE-2018-1000802 Sources used: SUSE Linux Enterprise Module for Desktop Applications 15 (src): python-2.7.14-7.3.1 SUSE Linux Enterprise Module for Basesystem 15 (src): python-2.7.14-7.3.1, python-base-2.7.14-7.3.1
openSUSE-SU-2018:3052-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1109663 CVE References: CVE-2018-1000802 Sources used: openSUSE Leap 15.0 (src): python-2.7.14-lp150.6.3.2, python-base-2.7.14-lp150.6.3.1, python-doc-2.7.14-lp150.6.3.1
SUSE-SU-2018:3554-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1086001,1088004,1088009,1109663 CVE References: CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP3 (src): python-base-2.7.13-28.16.1 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): python-base-2.7.13-28.16.1 SUSE Linux Enterprise Server 12-SP3 (src): python-2.7.13-28.16.1, python-base-2.7.13-28.16.1, python-doc-2.7.13-28.16.1 SUSE Linux Enterprise Desktop 12-SP3 (src): python-2.7.13-28.16.1, python-base-2.7.13-28.16.1 SUSE Enterprise Storage 5 (src): python-2.7.13-28.16.1 SUSE CaaS Platform ALL (src): python-2.7.13-28.16.1, python-base-2.7.13-28.16.1 SUSE CaaS Platform 3.0 (src): python-2.7.13-28.16.1, python-base-2.7.13-28.16.1 OpenStack Cloud Magnum Orchestration 7 (src): python-2.7.13-28.16.1, python-base-2.7.13-28.16.1
openSUSE-SU-2018:3703-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1086001,1088004,1088009,1109663 CVE References: CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061 Sources used: openSUSE Leap 42.3 (src): python-2.7.13-27.9.1, python-base-2.7.13-27.9.1, python-doc-2.7.13-27.9.1
SUSE-SU-2018:3554-2: An update that solves three vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1086001,1088004,1088009,1109663 CVE References: CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP4 (src): python-base-2.7.13-28.16.1 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): python-base-2.7.13-28.16.1 SUSE Linux Enterprise Server 12-SP4 (src): python-2.7.13-28.16.1, python-base-2.7.13-28.16.1, python-doc-2.7.13-28.16.1 SUSE Linux Enterprise Desktop 12-SP4 (src): python-2.7.13-28.16.1, python-base-2.7.13-28.16.1
SUSE-SU-2019:2053-1: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1109663,1109847,1138459 CVE References: CVE-2018-1000802,CVE-2018-14647,CVE-2019-10160 Sources used: SUSE OpenStack Cloud 8 (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE OpenStack Cloud 7 (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Linux Enterprise Software Development Kit 12-SP5 (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Linux Enterprise Server for SAP 12-SP1 (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Linux Enterprise Server 12-SP5 (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Linux Enterprise Server 12-SP4 (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Linux Enterprise Server 12-SP1-LTSS (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Linux Enterprise Desktop 12-SP5 (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Linux Enterprise Desktop 12-SP4 (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Enterprise Storage 5 (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Enterprise Storage 4 (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2053-2: An update that fixes three vulnerabilities is now available. Category: security (important) Bug References: 1109663,1109847,1138459 CVE References: CVE-2018-1000802,CVE-2018-14647,CVE-2019-10160 Sources used: SUSE OpenStack Cloud Crowbar 8 (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 SUSE Enterprise Storage 5 (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 HPE Helion Openstack 8 (src): python3-3.4.6-25.29.1, python3-base-3.4.6-25.29.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0114-1: An update that solves 26 vulnerabilities and has 30 fixes is now available. Category: security (important) Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523 CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947 Sources used: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3 SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): python3-base-3.6.10-3.42.2 SUSE Linux Enterprise Module for Development Tools 15 (src): python3-base-3.6.10-3.42.2 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2 SUSE Linux Enterprise Module for Basesystem 15 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0086-1: An update that solves 26 vulnerabilities and has 30 fixes is now available. Category: security (important) Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523 CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947 Sources used: openSUSE Leap 15.1 (src): python3-3.6.10-lp151.6.7.1, python3-base-3.6.10-lp151.6.7.1
SUSE-SU-2020:0302-1: An update that solves 10 vulnerabilities and has 11 fixes is now available. Category: security (important) Bug References: 1027282,1029377,1081750,1083507,1086001,1088009,1094814,1109663,1137942,1138459,1141853,1149121,1149429,1149792,1149955,1151490,1159035,1159622,709442,951166,983582 CVE References: CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947 Sources used: SUSE Linux Enterprise Server 12-SP5 (src): python36-3.6.10-4.3.5, python36-base-3.6.10-4.3.5 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done
This is an autogenerated message for OBS integration: This bug (1109663) was mentioned in https://build.opensuse.org/request/show/851367 Factory / python36
This is an autogenerated message for OBS integration: This bug (1109663) was mentioned in https://build.opensuse.org/request/show/852415 Factory / python36
This is an autogenerated message for OBS integration: This bug (1109663) was mentioned in https://build.opensuse.org/request/show/853277 Factory / python36
This is an autogenerated message for OBS integration: This bug (1109663) was mentioned in https://build.opensuse.org/request/show/853314 Factory / python36
This is an autogenerated message for OBS integration: This bug (1109663) was mentioned in https://build.opensuse.org/request/show/856737 Factory / python36
This is an autogenerated message for OBS integration: This bug (1109663) was mentioned in https://build.opensuse.org/request/show/923499 Factory / python36
This is an autogenerated message for OBS integration: This bug (1109663) was mentioned in https://build.opensuse.org/request/show/926876 Factory / python36
This is an autogenerated message for OBS integration: This bug (1109663) was mentioned in https://build.opensuse.org/request/show/951983 Factory / python
This is an autogenerated message for OBS integration: This bug (1109663) was mentioned in https://build.opensuse.org/request/show/953031 Factory / python
This is an autogenerated message for OBS integration: This bug (1109663) was mentioned in https://build.opensuse.org/request/show/981989 Factory / python