.. _gettext-c2py:

gettext.c2py()
==============

.. warning::

   This resource is maintained for historical reference and **does not contain
   the latest vulnerability info for Python**.

   The canonical database for vulnerabilities affecting Python is available on
   GitHub in the Open Source Vulnerability (OSV) format. This database can be
   viewed online at the Open Source Vulnerability Database.

Arbitrary code execution in ``gettext.c2py()``.

Dates:

* Disclosure date: **2016-10-30** (Python issue bpo-28563 reported)

Fixed In
--------

* Python **2.7.13** (2016-12-17) fixed by commit a876027 (branch 2.7) (2016-11-08)
* Python **3.3.7** (2017-09-19) fixed by commit 07bcf05 (branch 3.3) (2016-11-08)
* Python **3.4.6** (2017-01-16) fixed by commit 07bcf05 (branch 3.3) (2016-11-08)
* Python **3.5.3** (2017-01-16) fixed by commit 07bcf05 (branch 3.3) (2016-11-08)
* Python **3.6.0** (2016-12-22) fixed by commit 07bcf05 (branch 3.3) (2016-11-08)

Python issue
------------

Arbitrary code execution in gettext.c2py.

* Python issue: bpo-28563
* Creation date: 2016-10-30
* Reporter: Carl Ekerot

Timeline
--------

Timeline using the disclosure date **2016-10-30** as reference:

* 2016-10-30: Python issue bpo-28563 reported by Carl Ekerot
* 2016-11-08 (**+9 days**): commit 07bcf05 (branch 3.3)
* 2016-11-08 (**+9 days**): commit a876027 (branch 2.7)
* 2016-12-17 (**+48 days**): Python 2.7.13 released
* 2016-12-22: Python 3.6.0 released
* 2017-01-16 (**+78 days**): Python 3.4.6 released
* 2017-01-16 (**+78 days**): Python 3.5.3 released
* 2017-09-19 (**+324 days**): Python 3.3.7 released

Links
-----

* https://www.xil.se/post/is-eval-safe-yet-rspkt/