CVE-2019-17514

Summary

CVE: CVE-2019-17514
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2019-10-12 13:15:00 UTC
Updated: 2020-07-27 18:15:00 UTC
Description: library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.

Risk And Classification

Problem Types: NVD-CWE-noinfo | CWE-682

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Application | Python | Python | 3.6.0 | - | All | All
Application | Python | Python | 3.7.0 | - | All | All
Application | Python | Python | 3.8.0 | - | All | All

References

  • A Code Glitch May Have Caused Errors In More Than 100 Published Studies - VICE (MISC, www.vice.com; tags: Press/Media Coverage, Third Party Advisory)
  • bash/pathexp.c at ac50fbac377e32b98d2de396f016ea81e8ee9961 · bminor/bash · GitHub (MISC, github.com; tags: Exploit, Third Party Advisory)
  • 10.7. glob — Unix style pathname pattern expansion — Python 2.7.11 documentation (MISC, web.archive.org; tags: Vendor Advisory)
  • USN-4428-1: Python vulnerabilities | Ubuntu security notices | Ubuntu (UBUNTU, usn.ubuntu.com)
  • Issue 33275: glob.glob should explicitly note that results aren't sorted - Python tracker (MISC, bugs.python.org; tags: Issue Tracking, Vendor Advisory)
  • Lucas Moore on Twitter: "Holy crap. Huge bug uncovered in computational chemistry software because different operating systems sort files differently and the published scripts don't handle it well. If you do or rely on calculated NMR chemical shifts, this is a must-read. https://t.co/p0PNpMIGgf" (MISC, twitter.com; tags: Issue Tracking, Third Party Advisory)
  • 10.7. glob — Unix style pathname pattern expansion — Python 2.7.10 documentation (MISC, web.archive.org; tags: Vendor Advisory)
  • Chris Samuel on Twitter: "I do wonder if they also need to set the environment variable "LC_ALL=C" to be sure that Python's own ordering will always be consistent too. https://t.co/NLdcPPtRnw… https://t.co/rRXX5IgfhS" (MISC, twitter.com; tags: Third Party Advisory)
  • 11.7. glob — Unix style pathname pattern expansion — Python 3.4.3 documentation (MISC, web.archive.org; tags: Vendor Advisory)
  • CVE-2019-17514 Python Vulnerability in NetApp Products | NetApp Product Security (CONFIRM, security.netapp.com)
  • 11.7. glob — Unix style pathname pattern expansion — Python 3.5.1 documentation (MISC, web.archive.org; tags: Vendor Advisory)
  • OOPS (MISC, pubs.acs.org; tags: Third Party Advisory)
  • pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si... (MISC, pubs.acs.org; tags: Third Party Advisory)
  • CVE Program record (CVE.ORG, www.cve.org; tags: canonical)
  • NVD vulnerability detail (NVD, nvd.nist.gov; tags: canonical, analysis)

Legacy QID Mappings

  • 198293 Ubuntu Security Notification for Python2.7, Python3.7, Python3.8 Vulnerabilities (USN-4754-3)
  • 671062 EulerOS Security Update for python (EulerOS-SA-2019-2442)
© CVE.report 2026
