Subject: bug#47351: python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270
From: Maxim Cournoyer
To: Léo Le Bouter
Cc: 47351-done@debbugs.gnu.org
Date: Tue, 22 Mar 2022 22:31:58 -0400
Message-ID: <878rt11js1.fsf@gmail.com>
In-Reply-To: <52ebf77423268ebf2a2bf87d524b86224ec13233.camel@zaclys.net> (Léo Le Bouter's message of "Wed, 24 Mar 2021 00:20:14 +0100")
List-Id: Bug reports for GNU Guix
X-GNU-PR-Keywords: security

Léo Le Bouter writes:

> CVE-2021-20270 23.03.21 18:15
> An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead
> to denial of service when performing syntax highlighting of a Standard
> ML (SML) source file, as demonstrated by input that only contains the
> "exception" keyword.
>
> Upstream version 2.8.1 is not affected.

Which is now the current version packaged in Guix.

Thanks for the report!

Closing.

Maxim
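A small audit helper a packager or deployer can run to tell whether a given Pygments version sits inside the range quoted in the report (1.5 through 2.7.3 inclusive, with 2.8.1 unaffected). This is an added example, not code from the bug report, from Guix or from Pygments; the range boundaries come from the quoted advisory text, while the function names, the regex and the decision to ignore pre-release suffixes are assumptions of this example.

```python
"""Check whether a Pygments version falls in the range named for
CVE-2021-20270 (1.5 <= version <= 2.7.3). Added example, not code from the
bug report, Guix or Pygments."""
import re
from typing import Dict, Iterable, Optional, Tuple

# Boundaries quoted in the report: 1.5 to 2.7.3 affected, 2.8.1 not affected.
AFFECTED_MIN = (1, 5)
AFFECTED_MAX = (2, 7, 3)

# Leading dotted-numeric part, optionally prefixed with "v" (assumed format).
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the leading dotted-numeric part of a version string as a tuple.

    Suffixes such as '.dev1', 'rc1' or '+local' are ignored, so '2.7.3.dev1'
    compares as 2.7.3 (assumption: suffixes do not change the range check).
    Raises ValueError on input that does not start with a number.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _padded(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # Pad with zeros so that (2, 7) and (2, 7, 0) compare equal.
    return v + (0,) * (width - len(v))


def is_affected(version: str) -> bool:
    """True if `version` lies within [AFFECTED_MIN, AFFECTED_MAX]."""
    v = parse_version(version)
    width = max(len(v), len(AFFECTED_MIN), len(AFFECTED_MAX))
    key = _padded(v, width)
    return _padded(AFFECTED_MIN, width) <= key <= _padded(AFFECTED_MAX, width)


def audit(versions: Iterable[str]) -> Dict[str, str]:
    """Map each version string to 'affected' or 'not affected'."""
    return {v: ("affected" if is_affected(v) else "not affected") for v in versions}


def installed_pygments_status() -> Optional[str]:
    """Classify the Pygments importable in this interpreter, or None if absent."""
    try:
        import pygments  # optional: only used when it happens to be installed
    except ImportError:
        return None
    return "affected" if is_affected(pygments.__version__) else "not affected"


if __name__ == "__main__":
    # Constructed sample: the versions named in the report plus neighbours.
    for ver, status in audit(["1.4.2", "1.5", "2.7.3", "2.7.4", "2.8.1"]).items():
        print(f"{ver:>8}: {status}")
    print("installed Pygments:", installed_pygments_status())
```

Run it with `python3 check_pygments.py` (any file name works); `audit()` takes whatever version strings you collect from your package metadata, and `installed_pygments_status()` additionally checks the copy importable from the current interpreter, if one exists.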