CVE-2017-17522

Name	CVE-2017-17522
Description	Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
jython (PTS)	buster	2.7.1+repack1-4~deb10u1	vulnerable
	bullseye	2.7.2+repack1-3	vulnerable
	sid, trixie, bookworm	2.7.3+repack1-1	vulnerable
python2.7 (PTS)	buster	2.7.16-2+deb10u1	vulnerable
	buster (security)	2.7.16-2+deb10u4	vulnerable
	bullseye	2.7.18-8+deb11u1	vulnerable
python3.7 (PTS)	buster	3.7.3-2+deb10u3	vulnerable
	buster (security)	3.7.3-2+deb10u7	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency
jython	source	wheezy	(not affected)
jython	source	(unstable)	(unfixed)	unimportant
python2.6	source	(unstable)	(unfixed)	unimportant
python2.7	source	(unstable)	(unfixed)	unimportant
python3.2	source	(unstable)	(unfixed)	unimportant
python3.4	source	(unstable)	(unfixed)	unimportant
python3.5	source	(unstable)	(unfixed)	unimportant
python3.6	source	(unstable)	(unfixed)	unimportant
python3.7	source	(unstable)	(unfixed)	unimportant

Notes

[wheezy] - jython <not-affected> (Vulnerable code is not provided in the binary package)
Lib/webbrowser.py does not validate strings before launching the program
specified by the BROWSER environment variable.
https://bugs.python.org/issue32367
Hardly an issue with security impact, as the problematic code further relies
on subprocess.Popen with the default shell=False.