{
  "modified": "2025-08-09T19:01:26Z",
  "published": "2014-10-25T21:55:03Z",
  "id": "CVE-2014-1927",
  "details": "The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using \"$(\" command-substitution sequences. This is a different vulnerability than CVE-2014-1928. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.",
  "references": [
    {
      "type": "ADVISORY",
      "url": "http://secunia.com/advisories/56616"
    },
    {
      "type": "ADVISORY",
      "url": "http://secunia.com/advisories/59031"
    },
    {
      "type": "ADVISORY",
      "url": "http://www.debian.org/security/2014/dsa-2946"
    },
    {
      "type": "EVIDENCE",
      "url": "http://seclists.org/oss-sec/2014/q1/245"
    },
    {
      "type": "EVIDENCE",
      "url": "http://seclists.org/oss-sec/2014/q1/294"
    },
    {
      "type": "EVIDENCE",
      "url": "https://code.google.com/p/python-gnupg/issues/detail?id=98"
    },
    {
      "type": "WEB",
      "url": "https://code.google.com/p/python-gnupg/"
    }
  ]
}
