CVE-2015-20107 has been assigned for an issue previously reported
against the mailcap module.

The mailcap module reads registered commands on Linux systems to
determine how to launch certain file types. The Python module does not
add additional escape characters to these commands, which may allow an
attacker to provide file paths or parameters that include additional
shell commands. These may be executed during mailcap.findmatch()
depending on the system's configuration.

All users of the mailcap module in any version of CPython may be
impacted. No patch is currently available, and the module is likely to
be deprecated due to lack of an active maintainer. Please visit the
issue tracker at the link below to join the discussion if you are able
to assist.

To mitigate, applications that use this module should verify user input
before passing it to the mailcap module, and the returned command before
executing it.

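As an added example (not code from this advisory or from CPython), the wrapper below applies both mitigations in the paragraph above: it allowlists the characters of the filename before it is handed to mailcap.findmatch(), and it parses the command that comes back with shlex and vets the program and every argument before the caller runs it. The mailcap file content, the viewer allowlist and the file paths are constructed for the demo. The mailcap module is imported as optional because CPython later deprecated it (3.11) and removed it (3.13); the validators themselves do not depend on it.

```python
"""Defensive wrapper around mailcap.findmatch(): check the filename before it
reaches mailcap, and check the command mailcap returns before executing it.
Added example; not code from the advisory or from CPython."""
import os
import re
import shlex
import tempfile

try:
    import mailcap  # deprecated in Python 3.11, removed in 3.13
except ImportError:
    mailcap = None

# Only these characters may appear in a filename or in any argument of the
# returned command. Shell metacharacters (; | & ` $ < > quotes, whitespace,
# newlines) are not in the set, so they can never reach a shell unescaped.
SAFE_ARG = re.compile(r"^[A-Za-z0-9@+=:,./_-]+$")

# Programs a mailcap entry may launch (assumed allowlist for the demo).
ALLOWED_VIEWERS = {"cat", "less", "pdftotext"}

# Constructed mailcap file used only by demo(); not a real system entry.
DEMO_MAILCAP = "text/plain; cat %s\napplication/pdf; /usr/bin/pdftotext %s -\n"


def validate_filename(filename: str) -> str:
    """Accept only a conservative character set; also refuse a basename that
    starts with '-' so the viewer cannot mistake the file for an option."""
    if not filename or not SAFE_ARG.match(filename):
        raise ValueError(f"unsafe filename rejected: {filename!r}")
    if os.path.basename(filename).startswith("-"):
        raise ValueError(f"option-like filename rejected: {filename!r}")
    return filename


def validate_command(command: str, filename: str) -> list:
    """Parse the string mailcap returned into argv and vet every token.
    Compound shell commands (pipes, chaining) are rejected on purpose: the
    result is meant to be run as argv, never through a shell."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        raise ValueError(f"unparseable command: {command!r}") from exc
    if not argv or os.path.basename(argv[0]) not in ALLOWED_VIEWERS:
        raise ValueError(f"viewer not in allowlist: {command!r}")
    for token in argv:
        if not SAFE_ARG.match(token):
            raise ValueError(f"unsafe token {token!r} in command {command!r}")
    if filename not in argv:
        raise ValueError("filename was not passed as a single argument")
    return argv


def safe_view_argv(caps: dict, mime_type: str, filename: str) -> list:
    """Look up a viewer for mime_type and return a vetted argv list.
    The caller runs it with subprocess.run(argv), never with shell=True."""
    filename = validate_filename(filename)
    command, _entry = mailcap.findmatch(caps, mime_type, filename=filename)
    if command is None:
        raise LookupError(f"no mailcap entry for {mime_type}")
    return validate_command(command, filename)


def demo():
    """Run the wrapper against the constructed mailcap file.
    Returns None when the interpreter has no mailcap module."""
    if mailcap is None:
        return None
    previous = os.environ.get("MAILCAPS")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mailcap")
        with open(path, "w", encoding="utf-8") as fp:
            fp.write(DEMO_MAILCAP)
        os.environ["MAILCAPS"] = path  # getcaps() reads only this file now
        try:
            caps = mailcap.getcaps()
        finally:
            if previous is None:
                del os.environ["MAILCAPS"]
            else:
                os.environ["MAILCAPS"] = previous
    accepted = safe_view_argv(caps, "text/plain", "/tmp/report.txt")
    rejected = []
    for name in ("notes;1.txt", "a b.txt", "-report.txt"):  # constructed inputs
        try:
            safe_view_argv(caps, "text/plain", name)
        except ValueError:
            rejected.append(name)
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Because the filename check runs first, an unsafe name never reaches mailcap at all; the command check is the second line of defence against entries in the mailcap file itself, and it deliberately refuses pipelines and chained commands so that the result can only be executed as an argument vector without a shell.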
Issue: https://github.com/python/cpython/issues/68966
Discussions to security-sig@python.org.

Cheers,
Steve Dower
Python Security Response Team