Classification
Title: [Security] CVE-2017-17522: webbrowser.py in Python does not validate strings
Type: security
Stage: resolved
Components: Library (Lib)
Versions: Python 3.7, Python 3.6, Python 3.4, Python 3.5, Python 2.7
Process
Status: closed
Resolution: not a bug
Dependencies: (none)
Superseder: (none)
Assigned To: (unassigned)
Nosy List: cstratak, martin.panter, ned.deily, vstinner
Priority: high
Keywords: (none)

Created on 2017-12-18 16:29 by vstinner, last changed 2018-08-17 23:45 by enedil. This issue is now closed.

Pull Requests
PR 8802: open, linked by enedil, 2018-08-17 23:45
Messages (4)
msg308572 - Author: STINNER Victor (vstinner) (Python committer) Date: 2017-12-18 16:29
https://security-tracker.debian.org/tracker/CVE-2017-17522

Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
msg308574 - Author: STINNER Victor (vstinner) (Python committer) Date: 2017-12-18 16:31
Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-17522
Ubuntu: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17522.html
SUSE: https://bugzilla.novell.com/show_bug.cgi?id=CVE-2017-17522
msg313556 - Author: Ned Deily (ned.deily) (Python committer) Date: 2018-03-10 20:48
Update: https://security-tracker.debian.org/tracker/CVE-2017-17522

"** DISPUTED [...] NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting."
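Added example (not from this tracker thread or CPython) illustrating the maintainer's point quoted above: when the launcher is an argv list handed to subprocess.Popen with the default shell=False, a URL containing shell metacharacters reaches the child process as a single, unmodified argv element and is never parsed by a shell. The "browser" here is a stand-in python -c child that echoes its argv back, and the argv construction is a simplified assumption about how webbrowser builds its command line.

```python
import json
import subprocess
import sys

# Constructed sample input: a URL carrying the kind of shell metacharacters
# an "argument-injection via a crafted URL" report would be concerned with.
CRAFTED_URL = "http://example.com/?q=a;echo injected;$(id)&x=`id`|touch /tmp/x"


def spawn_without_shell(url):
    """Launch a stand-in 'browser' the way an argv-list launcher does.

    The child is python itself, running a one-liner that prints its own
    sys.argv[1:] as JSON, so we can observe exactly what arrived.
    subprocess.Popen is called with a list and the default shell=False:
    no string is ever handed to /bin/sh or cmd.exe for word splitting.
    """
    browser = [sys.executable, "-c",
               "import json, sys; print(json.dumps(sys.argv[1:]))"]
    argv = browser + [url]  # the URL is one list element, not concatenated text
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE, close_fds=True)
    out, _ = proc.communicate()
    return json.loads(out)


def url_survives_intact(url):
    """True if the child saw the URL as exactly one verbatim argument."""
    return spawn_without_shell(url) == [url]


if __name__ == "__main__":
    print(spawn_without_shell(CRAFTED_URL))
    print("intact:", url_survives_intact(CRAFTED_URL))
```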
msg313804 - Author: Ned Deily (ned.deily) (Python committer) Date: 2018-03-14 05:39
And Red Hat has already closed their version of this as NOTABUG:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-17522

It seems nearly everyone is in agreement that this is not a security issue.
History
Date                 User        Action  Args
2018-08-17 23:45:09  enedil      set     pull_requests: + pull_request8277
2018-03-14 05:39:44  ned.deily   set     status: open -> closed; resolution: not a bug; messages: + msg313804; stage: resolved
2018-03-10 20:48:11  ned.deily   set     nosy: + ned.deily; messages: + msg313556
2017-12-19 11:45:41  pitrou      set     priority: normal -> high
2017-12-19 10:31:40  vstinner    set     nosy: + martin.panter
2017-12-18 16:57:52  cstratak    set     nosy: + cstratak
2017-12-18 16:31:33  vstinner    set     messages: + msg308574
2017-12-18 16:29:29  vstinner    set     title: CVE-2017-17522: webbrowser.py in Python does not validate strings -> [Security] CVE-2017-17522: webbrowser.py in Python does not validate strings
2017-12-18 16:29:03  vstinner    create