Subject: bug#47351: python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270
From: Léo Le Bouter <lle-bout@zaclys.net>
To: 47351@debbugs.gnu.org (originally sent to bug-guix@gnu.org)
Date: Wed, 24 Mar 2021 00:20:14 +0100
Message-ID: <52ebf77423268ebf2a2bf87d524b86224ec13233.camel@zaclys.net>
X-GNU-PR-Package: guix
CVE-2021-20270 23.03.21 18:15

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. Upstream version 2.8.1 is not affected.

Because this package would cause 456 dependents to be rebuilt, I prepared 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d and will push soon to staging once master is merged in it so that .guix-authorizations contains my key.

I also attached the patch (trivial).
Opening this bug to track when this lands into master.

Attachment: 0001-gnu-python-pygments-Update-to-2.8.1-security-fixes.patch (text/x-patch, base64 decoded):

From 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d Mon Sep 17 00:00:00 2001
From: Léo Le Bouter <lle-bout@zaclys.net>
Date: Wed, 24 Mar 2021 00:01:52 +0100
Subject: [PATCH] gnu: python-pygments: Update to 2.8.1 [security fixes].

Fixes at least CVE-2021-20270.

* gnu/packages/python-xyz.scm (python-pygments): Update to 2.8.1.
---
 gnu/packages/python-xyz.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm
index cc21caa721..b50683f943 100644
--- a/gnu/packages/python-xyz.scm
+++ b/gnu/packages/python-xyz.scm
@@ -3619,14 +3619,14 @@ text styles of documentation.")
 (define-public python-pygments
   (package
     (name "python-pygments")
-    (version "2.7.3")
+    (version "2.8.1")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "Pygments" version))
        (sha256
         (base32
-          "05mps9r966r3dpqw6zrs1nlwjdf5y4960hl9m7abwb3qyfnarwyc"))))
+          "153zyxigm879sk2n71lfv03y2pgxb7dl0dlsbwkz9aydxnkf2mi6"))))
     (build-system python-build-system)
     (arguments
      ;; FIXME: Tests require sphinx, which depends on this.
-- 
2.31.0
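Review bot: nothing in this hunk verifies that the new release actually resolves the SMLLexer loop, because the unchanged context line `;; FIXME: Tests require sphinx, which depends on this.` indicates the package builds without running its test suite; suggest stating in the commit message how the fix was checked against the built package (for example, lexing the single-keyword input named in the advisory and confirming it terminates) and confirming that the new base32 hash `153zyxigm879sk2n71lfv03y2pgxb7dl0dlsbwkz9aydxnkf2mi6` matches what `guix download` reports for the PyPI sdist of 2.8.1. The message's "Fixes at least CVE-2021-20270" would also be more useful to later readers if it pointed at the upstream 2.8.1 changelog, since a version bump of a package with 456 dependents pulls in every other change between 2.7.3 and 2.8.1 as well.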
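The advisory quoted in the report characterises the defect as a lexer that never returns on a one-keyword input, which suggests a simple way to confirm whether a given installation is exposed before and after the upgrade. The following check is added here as an illustration; it is not part of the bug report, of Guix, or of Pygments. It combines the version range the advisory states with a behavioural probe that runs the installed SMLLexer over that input in a child process under a time limit. The function names, the five-second default limit and the child's exit-status convention are this example's own choices.

```python
"""Added check (not from the bug report): is the Pygments installed in this
interpreter affected by CVE-2021-20270?

Two independent signals are combined:
  1. the version range the advisory gives (1.5 through 2.7.3 affected,
     2.8.1 not affected), and
  2. a behavioural probe: lex the single-keyword input named in the advisory
     with SMLLexer in a child process under a wall-clock limit. A lexer stuck
     in the infinite loop never exits, so a timeout is reported as affected.
"""
import re
import subprocess
import sys

AFFECTED_MIN = (1, 5)      # first affected release per the advisory
AFFECTED_MAX = (2, 7, 3)   # last affected release per the advisory
PROBE_INPUT = "exception"  # the input the advisory names
NOT_INSTALLED_RC = 3       # exit status the child uses when pygments is missing

# Child-process script: exit 0 when lexing finished, NOT_INSTALLED_RC when
# pygments cannot be imported. Any other status is an unrelated error.
PROBE_SCRIPT = r"""
import sys
try:
    from pygments.lexers import SMLLexer
except ImportError:
    sys.exit(3)
for _ in SMLLexer().get_tokens(sys.argv[1]):
    pass
sys.exit(0)
"""


def parse_version(text):
    """'2.7.3' -> (2, 7, 3); trailing suffixes such as 'rc1' are ignored."""
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if match is None:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in match.groups() if part is not None)


def is_affected_version(text):
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def probe_installed_lexer(timeout=5.0):
    """Return 'affected', 'unaffected', 'not-installed' or 'error'.

    A child process is used rather than a thread because a Python thread
    spinning inside the lexer cannot be interrupted, whereas subprocess.run
    kills the child for us once the limit expires.
    """
    try:
        result = subprocess.run(
            [sys.executable, "-c", PROBE_SCRIPT, PROBE_INPUT],
            capture_output=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "affected"  # never returned from the lexer: the CVE's loop
    except OSError:
        return "error"     # could not start a child process at all
    if result.returncode == NOT_INSTALLED_RC:
        return "not-installed"
    return "unaffected" if result.returncode == 0 else "error"


def installed_version():
    """Version string of the importable Pygments, or None if absent."""
    try:
        import pygments
    except ImportError:
        return None
    return pygments.__version__


if __name__ == "__main__":
    version = installed_version()
    if version is None:
        print("pygments is not installed in this interpreter")
    else:
        verdict = "affected" if is_affected_version(version) else "not affected"
        print("pygments %s: version range says %s" % (version, verdict))
    print("behavioural probe: %s" % probe_installed_lexer())
```

Run the script once against the 2.7.3 package and once against the 2.8.1 build; the version check alone is enough for an inventory sweep, while the probe is the signal worth keeping in a post-upgrade check, since it observes the lexer's behaviour rather than trusting the version string.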