python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270

Open. Submitted by Léo Le Bouter.
Details
One participant
  • Léo Le Bouter
Owner
unassigned
Severity
normal
Léo Le Bouter wrote on 24 Mar 00:20 +0100
(address . bug-guix@gnu.org)
52ebf77423268ebf2a2bf87d524b86224ec13233.camel@zaclys.net
CVE-2021-20270 23.03.21 18:15: An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
Upstream version 2.8.1 is not affected.
Because this package would cause 456 dependents to be rebuilt, I prepared 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d and will push soon to staging once master is merged in it so that .guix-authorizations contains my key. I also attached the patch (trivial).
Opening this bug to track when this lands into master
From 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d Mon Sep 17 00:00:00 2001
From: Léo Le Bouter <lle-bout@zaclys.net>
Date: Wed, 24 Mar 2021 00:01:52 +0100
Subject: [PATCH] gnu: python-pygments: Update to 2.8.1 [security fixes].
Fixes at least CVE-2021-20270.
* gnu/packages/python-xyz.scm (python-pygments): Update to 2.8.1.
---
 gnu/packages/python-xyz.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scmindex cc21caa721..b50683f943 100644--- a/gnu/packages/python-xyz.scm+++ b/gnu/packages/python-xyz.scm@@ -3619,14 +3619,14 @@ text styles of documentation.") (define-public python-pygments (package (name "python-pygments")- (version "2.7.3")+ (version "2.8.1") (source (origin (method url-fetch) (uri (pypi-uri "Pygments" version)) (sha256 (base32- "05mps9r966r3dpqw6zrs1nlwjdf5y4960hl9m7abwb3qyfnarwyc"))))+ "153zyxigm879sk2n71lfv03y2pgxb7dl0dlsbwkz9aydxnkf2mi6")))) (build-system python-build-system) (arguments ;; FIXME: Tests require sphinx, which depends on this.-- 2.31.0
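Review bot: the two changed lines bump `(version "2.7.3")` to `(version "2.8.1")` and swap the base32 hash, but the surviving `;; FIXME: Tests require sphinx, which depends on this.` context shows the package's test suite is not run, so nothing in the build exercises the fixed SMLLexer; verify the new hash independently (re-download the PyPI sdist with `guix download` and compare) and, since 2.7.3 to 2.8.1 crosses a minor version rather than being a point release, check the 456 dependents on staging for lexer or API changes beyond the CVE fix. The commit message says only "Fixes at least CVE-2021-20270"; naming any other security-relevant changes in 2.8.x it covers would help downstream triage.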
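As an added illustration, not part of the bug report or of the committed patch above: the same 2.8.1 fix delivered on master as a Guix graft, which is how a security update reaches users without rebuilding the 456 dependents. The `python-pygments/fixed` name and the `replacement` line are this example's own; version, URI and hash are the ones from the patch, and the example assumes `python-pygments` is the 2.7.3 package from gnu/packages/python-xyz.scm.

```scheme
;; Added example, not the committed patch: ship the 2.8.1 fix as a graft so
;; master users get it without the 456 dependents being rebuilt.
;; Assumption: python-pygments is the existing 2.7.3 package definition with
;; one line added inside its (package ...) form:
;;   (replacement python-pygments/fixed)
;; The variable name python-pygments/fixed is this example's own convention.
(define-public python-pygments/fixed
  (package
    (inherit python-pygments)   ; keep name, build system, inputs and arguments
    (version "2.8.1")
    (source
     (origin
       (method url-fetch)
       (uri (pypi-uri "Pygments" version))
       (sha256
        (base32
         "153zyxigm879sk2n71lfv03y2pgxb7dl0dlsbwkz9aydxnkf2mi6"))))))

;; A graft rewrites store references byte for byte, so the replacement's store
;; file name must be the same length as the original's:
;; python-pygments-2.7.3 and python-pygments-2.8.1 both qualify.
;; Compare the grafted and ungrafted outputs with:
;;   guix build python-pygments
;;   guix build --no-grafts python-pygments
```

Once 2.8.1 lands on staging and is merged, the `replacement` line and the `/fixed` variant are removed again.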

Léo Le Bouter wrote on 24 Mar 00:23 +0100
(address . control@debbugs.gnu.org)
1eaa5f6976597f26f6164708aa56848fcf014145.camel@zaclys.net
tags 47351 + security
quit
