python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270

Details
2 participants
  • Léo Le Bouter
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Léo Le Bouter
Severity
normal
Léo Le Bouter wrote on 24 Mar 2021 00:20
(address . bug-guix@gnu.org)
52ebf77423268ebf2a2bf87d524b86224ec13233.camel@zaclys.net
CVE-2021-20270 23.03.21 18:15
An infinite loop in SMLLexer in Pygments
versions 1.5 to 2.7.3 may lead to denial of service when performing
syntax highlighting of a Standard ML (SML) source file, as demonstrated
by input that only contains the "exception" keyword.

Upstream version 2.8.1 is not affected.

Because this package would cause 456 dependents to be rebuilt, I
prepared 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d and will push soon to
staging once master is merged in it so that .guix-authorizations
contains my key. I also attached the patch (trivial).

Opening this bug to track when this lands into master
From 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@zaclys.net>
Date: Wed, 24 Mar 2021 00:01:52 +0100
Subject: [PATCH] gnu: python-pygments: Update to 2.8.1 [security fixes].

Fixes at least CVE-2021-20270.

* gnu/packages/python-xyz.scm (python-pygments): Update to 2.8.1.
---
gnu/packages/python-xyz.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm
index cc21caa721..b50683f943 100644
--- a/gnu/packages/python-xyz.scm
+++ b/gnu/packages/python-xyz.scm
@@ -3619,14 +3619,14 @@ text styles of documentation.")
(define-public python-pygments
(package
(name "python-pygments")
- (version "2.7.3")
+ (version "2.8.1")
(source
(origin
(method url-fetch)
(uri (pypi-uri "Pygments" version))
(sha256
(base32
- "05mps9r966r3dpqw6zrs1nlwjdf5y4960hl9m7abwb3qyfnarwyc"))))
+ "153zyxigm879sk2n71lfv03y2pgxb7dl0dlsbwkz9aydxnkf2mi6"))))
(build-system python-build-system)
(arguments
;; FIXME: Tests require sphinx, which depends on this.
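Review bot: the hunk changes only the version string and the source hash, and the trailing `;; FIXME: Tests require sphinx, which depends on this.` context line indicates the package's test suite is not run, so nothing in the build itself exercises the updated SMLLexer; consider stating in the commit message that the new sha256 was checked against the PyPI sdist and that the 2.7.3 to 2.8.1 changelog was reviewed for new inputs or dependencies, since that is the only verification this change gets.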
--
2.31.0


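As an added example that is not part of the bug report, Pygments or Guix, the two defender-side checks a downstream would want for this advisory: classifying an installed Pygments version against the affected range the report states (1.5 to 2.7.3, fixed in 2.8.1), and bounding the time a highlighting call may take, since the bug is an infinite loop rather than a crash. `spin_forever` is a constructed stand-in for a runaway lexer; the deadline helper assumes a Unix main thread (SIGALRM).

```python
"""Defender-side checks for the Pygments SMLLexer DoS (CVE-2021-20270)."""
import signal
from typing import Callable, Optional, Tuple

# Affected range and fix exactly as stated in the advisory quoted above.
AFFECTED_MIN = (1, 5)
AFFECTED_MAX = (2, 7, 3)
FIXED = (2, 8, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.7.3' into (2, 7, 3); a trailing tag such as '2.8.1rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    v = parse_version(version)
    # Tuple ordering handles short versions: (1, 5) <= (1, 5, 0) and (2, 7) < (2, 7, 3).
    return AFFECTED_MIN <= v <= AFFECTED_MAX


class LexerTimeout(Exception):
    """Raised by the SIGALRM handler when the deadline passes."""


def _on_alarm(signum, frame):
    raise LexerTimeout()


def run_with_deadline(func: Callable[[], object], seconds: float) -> Tuple[Optional[object], bool]:
    """Run func(); return (result, True), or (None, False) if it ran past the deadline.
    This is the mitigation a service that highlights untrusted input wants in
    front of the lexer, independent of the version fix."""
    previous = signal.signal(signal.SIGALRM, _on_alarm)
    signal.setitimer(signal.ITIMER_REAL, seconds)
    try:
        return func(), True
    except LexerTimeout:
        return None, False
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)  # cancel the timer, restore handler
        signal.signal(signal.SIGALRM, previous)


def spin_forever() -> None:
    """Constructed stand-in for the looping lexer; never returns on its own."""
    while True:
        pass
```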
Léo Le Bouter wrote on 24 Mar 2021 00:23
(address . control@debbugs.gnu.org)
1eaa5f6976597f26f6164708aa56848fcf014145.camel@zaclys.net
tags 47351 + security
quit


Maxim Cournoyer wrote on 23 Mar 2022 03:31
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47351-done@debbugs.gnu.org)
878rt11js1.fsf@gmail.com
Léo Le Bouter <lle-bout@zaclys.net> writes:

> CVE-2021-20270 23.03.21 18:15
> An infinite loop in SMLLexer in Pygments
> versions 1.5 to 2.7.3 may lead to denial of service when performing
> syntax highlighting of a Standard ML (SML) source file, as demonstrated
> by input that only contains the "exception" keyword.
>
> Upstream version 2.8.1 is not affected.

Which is now the current version packaged in Guix.

Thanks for the report!

Closing.

Maxim