From: Léo Le Bouter <lle-bout@zaclys.net>
To: bug-guix@gnu.org
Subject: python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270
Date: Wed, 24 Mar 2021 00:20:14 +0100
Message-ID: <52ebf77423268ebf2a2bf87d524b86224ec13233.camel@zaclys.net>

CVE-2021-20270 23.03.21 18:15

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. Upstream version 2.8.1 is not affected.

Because this package would cause 456 dependents to be rebuilt, I prepared 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d and will push soon to staging once master is merged in it so that .guix-authorizations contains my key.

I also attached the patch (trivial).
Opening this bug to track when this lands into master

[Attachment: 0001-gnu-python-pygments-Update-to-2.8.1-security-fixes.patch (text/x-patch; base64-encoded content omitted)]
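Added example, not code from the report, from Guix or from Pygments: a defender-side check for the issue described above. `is_affected` encodes the version range the CVE text quotes (1.5 through 2.7.3), and `lex_in_child` runs a Pygments lexer on untrusted text in a throwaway child process under a hard timeout, so a lexer that never terminates costs bounded time rather than hanging the caller; the probe at the bottom assumes Pygments is importable and that "sml" is the alias of SMLLexer.

```python
import subprocess
import sys

# Version range quoted in the report: Pygments 1.5 through 2.7.3 inclusive.
AFFECTED_MIN = (1, 5)
AFFECTED_MAX = (2, 7, 3)


def parse_version(text):
    """'2.7.3' -> (2, 7, 3); a non-numeric component ends the tuple."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version):
    """True when a Pygments version falls inside the range from the CVE text."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def run_bounded(code, timeout):
    """Run Python source in a child process under a hard time limit.
    Returns 'ok', 'error' (non-zero exit) or 'timeout' (child was killed)."""
    try:
        proc = subprocess.run([sys.executable, "-c", code],
                              capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return "ok" if proc.returncode == 0 else "error"


def lex_in_child(lexer_alias, source, timeout=5.0):
    """Tokenise SOURCE with a Pygments lexer in a separate process.
    'error' also covers Pygments not being installed in the child."""
    code = (
        "from pygments.lexers import get_lexer_by_name\n"
        f"list(get_lexer_by_name({lexer_alias!r}).get_tokens({source!r}))\n"
    )
    return run_bounded(code, timeout)


if __name__ == "__main__":
    # Regression probe for the input named in the report: the single keyword
    # "exception" handed to SMLLexer ("sml" is assumed to be its alias).
    print("2.7.3 affected:", is_affected("2.7.3"), "| 2.8.1:", is_affected("2.8.1"))
    print("SMLLexer on 'exception':", lex_in_child("sml", "exception", timeout=5))
```

A result of 'timeout' from the probe on an installed Pygments means the lexer did not finish within the limit and the package should be treated as affected regardless of what its version string says.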