Source: lookatme Version: 1.2.0-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for lookatme. CVE-2020-15271[0]: | In lookatme (python/pypi package) versions prior to 2.3.0, the package | automatically loaded the built-in "terminal" and "file_loader" | extensions. Users that use lookatme to render untrusted markdown may | have malicious shell commands automatically run on their system. This | is fixed in version 2.3.0. As a workaround, the | `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` | files may be manually deleted. Additionally, it is always recommended | to be aware of what is being rendered with lookatme. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-15271 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15271 [1] https://github.com/d0c-s4vage/lookatme/security/advisories/GHSA-c84h-w6cr-5v8q [2] https://github.com/d0c-s4vage/lookatme/commit/72fe36b784b234548d49dae60b840c37f0eb8d84 [3] https://github.com/d0c-s4vage/lookatme/pull/110 Regards, Salvatore
