python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270

Léo Le Bouter wrote on 24 Mar 2021 00:20

Recipients:(address . bug-guix@gnu.org)

Message-ID:52ebf77423268ebf2a2bf87d524b86224ec13233.camel@zaclys.net

CVE-2021-20270 23.03.21 18:15

An infinite loop in SMLLexer in Pygments

versions 1.5 to 2.7.3 may lead to denial of service when performing

syntax highlighting of a Standard ML (SML) source file, as demonstrated

by input that only contains the "exception" keyword.

Upstream version 2.8.1 is not affected.

Because this package would cause 456 dependents to be rebuilt, I

prepared 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d and will push soon to

staging once master is merged in it so that .guix-authorizations

contains my key. I also attached the patch (trivial).

Opening this bug to track when this lands into master

From 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d Mon Sep 17 00:00:00 2001

Fixes at least CVE-2021-20270.

* gnu/packages/python-xyz.scm (python-pygments): Update to 2.8.1.

---

gnu/packages/python-xyz.scm | 4 ++--

1 file changed, 2 insertions(+), 2 deletions(-)

Toggle diff (23 lines)diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm
index cc21caa721..b50683f943 100644
--- a/gnu/packages/python-xyz.scm
+++ b/gnu/packages/python-xyz.scm
@@ -3619,14 +3619,14 @@ text styles of documentation.")
 (define-public python-pygments
   (package
     (name "python-pygments")
-    (version "2.7.3")
+    (version "2.8.1")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "Pygments" version))
        (sha256
         (base32
-         "05mps9r966r3dpqw6zrs1nlwjdf5y4960hl9m7abwb3qyfnarwyc"))))
+         "153zyxigm879sk2n71lfv03y2pgxb7dl0dlsbwkz9aydxnkf2mi6"))))
     (build-system python-build-system)
     (arguments
      ;; FIXME: Tests require sphinx, which depends on this.
-- 
2.31.0

Léo Le Bouter wrote on 24 Mar 2021 00:23

Recipients:(address . control@debbugs.gnu.org)

Message-ID:1eaa5f6976597f26f6164708aa56848fcf014145.camel@zaclys.net

tags 47351 + security

quit

Maxim Cournoyer wrote on 23 Mar 03:31 +0100

Recipients:(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47351-done@debbugs.gnu.org)

Message-ID:878rt11js1.fsf@gmail.com

Léo Le Bouter <lle-bout@zaclys.net> writes:

Toggle quote (8 lines)

> CVE-2021-20270 23.03.21 18:15

> An infinite loop in SMLLexer in Pygments

> versions 1.5 to 2.7.3 may lead to denial of service when performing

> syntax highlighting of a Standard ML (SML) source file, as demonstrated

> by input that only contains the "exception" keyword.

> Upstream version 2.8.1 is not affected.

Which is now the current version packaged in Guix.

Thanks for the report!

Closing.

Maxim

Closed

Your comment

This issue is archived.