#1013279 cookiecutter: CVE-2022-24065

Package:
src:cookiecutter
Source:
cookiecutter
Submitter:
Moritz Mühlenhoff
Date:
2024-02-28 10:54:06 UTC
Severity:
important
Tags:
#1013279#5
Date:
2022-06-20 14:59:39 UTC
From:
To:
Hi,

The following vulnerability was published for cookiecutter.

CVE-2022-24065[0]:
| The package cookiecutter before 2.1.1 is vulnerable to Command
| Injection via hg argument injection. When calling the cookiecutter
| function from Python code with the checkout parameter, it is passed to
| the hg checkout command in a way that additional flags can be set. The
| additional flags can be used to perform a command injection.

https://security.snyk.io/vuln/SNYK-PYTHON-COOKIECUTTER-2414281

Fixed in 2.1.1 and this isolated patch:
https://github.com/cookiecutter/cookiecutter/releases/tag/2.1.1
https://github.com/cookiecutter/cookiecutter/commit/fdffddb31fd2b46344dfa317531ff155e7999f77


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24065
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24065

Please adjust the affected versions in the BTS as needed.
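To make the mechanism behind the advisory concrete, the following is an added example (not cookiecutter's own code, and not taken from the upstream fix) that models the `hg checkout <ref>` call described above. It never executes Mercurial; it builds the argv a cookiecutter-style caller would hand to `subprocess` and runs a small getopt-style model over it to show why a `checkout` value beginning with `-` becomes an option to `hg` rather than a revision, and why inserting the end-of-options separator `--` before the ref closes that path. The function names, the constructed sample refs and the simplified option parser are all assumptions made for illustration; the exact upstream change is documented in the linked commit.

```python
"""Added example: hg argument injection via a caller-controlled checkout ref.

Nothing here runs hg. The two argv builders model the pre-fix and post-fix
shape of the call, and split_options() is a deliberately minimal model of
how getopt-style CLIs (Mercurial's included) separate options from
positional arguments: a token starting with '-' is an option until a bare
'--' is seen, after which every token is positional.
"""
import subprocess
from typing import List, Optional, Tuple

# Constructed sample inputs (assumed values, not from the advisory).
SAFE_REF = "v1.0"
# Any option-looking string; with the vulnerable argv hg would treat it as
# one of its own flags instead of as a revision name.
HOSTILE_REF = "--some-hg-option=value"


def build_checkout_argv_vulnerable(checkout: str) -> List[str]:
    """Vulnerable shape: the untrusted ref is appended directly as an argv token.

    Using a list (no shell=True) already prevents shell metacharacter
    injection, but it does nothing about option injection: hg itself still
    parses the token and will honour a leading '-'.
    """
    return ["hg", "checkout", checkout]


def build_checkout_argv_hardened(checkout: str) -> List[str]:
    """Hardened shape (assumed fix style): '--' ends option parsing.

    Everything after '--' is positional, so a ref such as '--foo' is looked
    up as a revision (and fails with 'unknown revision') rather than being
    interpreted as a flag.
    """
    return ["hg", "checkout", "--", checkout]


def split_options(argv: List[str]) -> Tuple[List[str], List[str]]:
    """Minimal model of getopt-style parsing applied to the tokens after
    the subcommand. Returns (options, positionals) as hg would see them."""
    options: List[str] = []
    positionals: List[str] = []
    end_of_options = False
    for tok in argv[2:]:  # skip program name and subcommand
        if end_of_options:
            positionals.append(tok)
        elif tok == "--":
            end_of_options = True
        elif tok.startswith("-") and tok != "-":
            options.append(tok)
        else:
            positionals.append(tok)
    return options, positionals


def injected_options(checkout: str) -> List[str]:
    """Option tokens an attacker controls when the vulnerable call is used
    with this ref. Empty list means no injection is possible."""
    options, _ = split_options(build_checkout_argv_vulnerable(checkout))
    return options


def run_checkout(repo_dir: str, checkout: str,
                 dry_run: bool = True) -> Optional[List[str]]:
    """How a caller should invoke hg: list argv, no shell, '--' before the
    ref. dry_run=True returns the argv instead of executing it, so this
    example stays runnable without a Mercurial checkout present."""
    argv = build_checkout_argv_hardened(checkout)
    if dry_run:
        return argv
    subprocess.run(argv, cwd=repo_dir, check=True)  # pragma: no cover
    return None


if __name__ == "__main__":
    for ref in (SAFE_REF, HOSTILE_REF):
        print(f"ref={ref!r}")
        print("  vulnerable ->", split_options(build_checkout_argv_vulnerable(ref)))
        print("  hardened   ->", split_options(build_checkout_argv_hardened(ref)))
```

The point a practitioner should take away is that `subprocess` with a list argv is necessary but not sufficient: it stops the shell from interpreting the value, but the invoked program still parses its own options. Any untrusted string that can legitimately start with `-` (refs, file names, URLs) needs either the `--` separator or an explicit reject of option-looking values before it reaches argv.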

#1013279#10
Date:
2023-03-17 12:03:31 UTC
From:
To:
On Mon, Jun 20, 2022 at 04:59:39PM +0200, Moritz Mühlenhoff wrote:

Could we get that fixed for bookworm?

Cheers,
        Moritz

#1013279#15
Date:
2024-02-28 10:52:04 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
cookiecutter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1013279@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille <tille@debian.org> (supplier of updated cookiecutter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 28 Feb 2024 11:26:16 +0100
Source: cookiecutter
Architecture: source
Version: 2.6.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Andreas Tille <tille@debian.org>
Closes: 1013279 1040040
Changes:
 cookiecutter (2.6.0-1) unstable; urgency=medium
 .
   * Team Upload.
 .
   [ Alexandre Detiste ]
   * New upstream version 2.5.0 (Closes: #1040040, #1013279)
   * update watch file for new GitHub API
   * use new dh-sequence-python3
   * set Rules-Requires-Root: no
   * d/patches:
     * refresh 0001-Don-t-test-for-.DS_Store
     * remove 0002-Use-PyYAML-instead-of-poyo, merged upstream
     * redo 0003-Remove-all-privacy-breach-images-from-documentation
     * disable 0004-Fix-relative-path-that-come-from-Jinja2
   * build-dependencies:
     * remove python3-mock
     * remove python3-recommonmark
     * add python3-arrow
     * add python3-rich
     * add python3-sphinx-click
     * add python3-myst-parser
     * add python3-sphinx-autodoc-typehints
   * disable test_generate_file_does_not_translate_crlf_newlines_to_lf
   * mark python-cookiecutter-doc 'Multi-Arch: foreign'
   * bump Standards Version to 4.6.2, no further change needed
 .
   [ Emmanuel Arias ]
   * d/salsa-ci.yml: Enable salsa-ci.
   * d/patches/0004-Fix-relative-path-that-come-from-Jinja2.patch:
      Add Bug-Debian variable to the patch to follow DEP-3.
 .
   [ Andreas Tille ]
   * Real team maintenance in DPT (with permission in
https://lists.debian.org/debian-python/2024/02/msg00072.html)
   * Reorder sequence of d/control fields by cme (routine-update)
   * Testsuite: autopkgtest-pkg-python (routine-update)
   * Remove trailing whitespace in debian/changelog (routine-update)
   * Remove field Testsuite on binary packages cookiecutter,
     python-cookiecutter-doc that duplicates source.
   * Add upstream metadata
   * Build-Depends: python3-sphinxcontrib.apidoc
Checksums-Sha1:
 38cebe6a5bc0b2e4325a4ec3c1f1a47caa3ab20c 2611 cookiecutter_2.6.0-1.dsc
 76dcd06f0d23ef7355e3ff650107ef19d2aad692 277486 cookiecutter_2.6.0.orig.tar.gz
 eeb0c38bd644520abd33bb57b0258bddcb5ec593 7156 cookiecutter_2.6.0-1.debian.tar.xz
 6f50583eeac0e5d8c1a8cc6d3aa9d32757d73adf 10616 cookiecutter_2.6.0-1_amd64.buildinfo
Checksums-Sha256:
 ec8d96ccffa4ebfe69207f5cf0c0dee525ce95082868efbeed4b9c2f1fb42903 2611 cookiecutter_2.6.0-1.dsc
 da014a94d85c1b1be14be214662982c8c90d860834cbf9ddb2391a37ad7d08be 277486 cookiecutter_2.6.0.orig.tar.gz
 6730b7770dd8914052471041cef9a062005472c66f7b679672354f9fe23663e1 7156 cookiecutter_2.6.0-1.debian.tar.xz
 74cda6c40ac0b3f11cd2edc25ccf9da81a0a55c2fe65937e815aec63fc5171cf 10616 cookiecutter_2.6.0-1_amd64.buildinfo
Files:
 7373d51753aefa75c4e3b75154a8512e 2611 python optional cookiecutter_2.6.0-1.dsc
 fe5c6c2bc42b6ba6352be7b6d258460e 277486 python optional cookiecutter_2.6.0.orig.tar.gz
 58c6c36122fb51ea185c1da992c2d9c5 7156 python optional cookiecutter_2.6.0-1.debian.tar.xz
 35343d40347a06e001b9e1c76107882f 10616 python optional cookiecutter_2.6.0-1_amd64.buildinfo