* bug#47351: python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270
@ 2021-03-23 23:20 Léo Le Bouter via Bug reports for GNU Guix
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-23 23:20 UTC (permalink / raw)
To: 47351
CVE-2021-20270 23.03.21 18:15
An infinite loop in SMLLexer in Pygments
versions 1.5 to 2.7.3 may lead to denial of service when performing
syntax highlighting of a Standard ML (SML) source file, as demonstrated
by input that only contains the "exception" keyword.
Upstream version 2.8.1 is not affected.
Because this package would cause 456 dependents to be rebuilt, I
prepared 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d and will push soon to
staging once master is merged in it so that .guix-authorizations
contains my key. I also attached the patch (trivial).
Opening this bug to track when this lands in master.
[-- Attachment #1.2: 0001-gnu-python-pygments-Update-to-2.8.1-security-fixes.patch --]
[-- Type: text/x-patch, Size: 1185 bytes --]
From 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d Mon Sep 17 00:00:00 2001
From: Léo Le Bouter <lle-bout@zaclys.net>
Date: Wed, 24 Mar 2021 00:01:52 +0100
Subject: [PATCH] gnu: python-pygments: Update to 2.8.1 [security fixes].
Fixes at least CVE-2021-20270.
* gnu/packages/python-xyz.scm (python-pygments): Update to 2.8.1.
---
gnu/packages/python-xyz.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm
index cc21caa721..b50683f943 100644
--- a/gnu/packages/python-xyz.scm
+++ b/gnu/packages/python-xyz.scm
@@ -3619,14 +3619,14 @@ text styles of documentation.")
(define-public python-pygments
(package
(name "python-pygments")
- (version "2.7.3")
+ (version "2.8.1")
(source
(origin
(method url-fetch)
(uri (pypi-uri "Pygments" version))
(sha256
(base32
- "05mps9r966r3dpqw6zrs1nlwjdf5y4960hl9m7abwb3qyfnarwyc"))))
+ "153zyxigm879sk2n71lfv03y2pgxb7dl0dlsbwkz9aydxnkf2mi6"))))
(build-system python-build-system)
(arguments
;; FIXME: Tests require sphinx, which depends on this.
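Review bot: nothing in this hunk exercises the SMLLexer fix at build time, because the trailing context line (`;; FIXME: Tests require sphinx, which depends on this.`) shows the package's test suite is skipped; before pushing, confirm that the new base32 hash `153zyxigm879sk2n71lfv03y2pgxb7dl0dlsbwkz9aydxnkf2mi6` matches the Pygments 2.8.1 tarball fetched from the same `pypi-uri` (for example with `guix download` of that URL) and, since tests do not run, do a quick manual check that highlighting an SML input containing only the `exception` keyword now terminates with the updated package.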
--
2.31.0
* bug#47351: python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270
@ 2022-03-23 2:31 ` Maxim Cournoyer
From: Maxim Cournoyer @ 2022-03-23 2:31 UTC (permalink / raw)
To: Léo Le Bouter; +Cc: 47351-done
Léo Le Bouter <lle-bout@zaclys.net> writes:
> CVE-2021-20270 23.03.21 18:15
> An infinite loop in SMLLexer in Pygments
> versions 1.5 to 2.7.3 may lead to denial of service when performing
> syntax highlighting of a Standard ML (SML) source file, as demonstrated
> by input that only contains the "exception" keyword.
>
> Upstream version 2.8.1 is not affected.
Which is now the current version packaged in Guix.
Thanks for the report!
Closing.
Maxim