From: "Léo Le Bouter via Bug reports for GNU Guix" <bug-guix@gnu.org>
To: 47351@debbugs.gnu.org
Subject: bug#47351: python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270
Date: Wed, 24 Mar 2021 00:20:14 +0100
Message-ID: <52ebf77423268ebf2a2bf87d524b86224ec13233.camel@zaclys.net>


[-- Attachment #1.1: Type: text/plain, Size: 631 bytes --]

CVE-2021-20270	23.03.21 18:15
An infinite loop in SMLLexer in Pygments
versions 1.5 to 2.7.3 may lead to denial of service when performing
syntax highlighting of a Standard ML (SML) source file, as demonstrated
by input that only contains the "exception" keyword.

Upstream version 2.8.1 is not affected.

Because this package would cause 456 dependents to be rebuilt, I
prepared 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d and will push soon to
staging once master is merged in it so that .guix-authorizations
contains my key. I also attached the patch (trivial).

Opening this bug to track when this lands in master.

[-- Attachment #1.2: 0001-gnu-python-pygments-Update-to-2.8.1-security-fixes.patch --]
[-- Type: text/x-patch, Size: 1185 bytes --]

From 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-bout@zaclys.net>
Date: Wed, 24 Mar 2021 00:01:52 +0100
Subject: [PATCH] gnu: python-pygments: Update to 2.8.1 [security fixes].

Fixes at least CVE-2021-20270.

* gnu/packages/python-xyz.scm (python-pygments): Update to 2.8.1.
---
 gnu/packages/python-xyz.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm
index cc21caa721..b50683f943 100644
--- a/gnu/packages/python-xyz.scm
+++ b/gnu/packages/python-xyz.scm
@@ -3619,14 +3619,14 @@ text styles of documentation.")
 (define-public python-pygments
   (package
     (name "python-pygments")
-    (version "2.7.3")
+    (version "2.8.1")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "Pygments" version))
        (sha256
         (base32
-         "05mps9r966r3dpqw6zrs1nlwjdf5y4960hl9m7abwb3qyfnarwyc"))))
+         "153zyxigm879sk2n71lfv03y2pgxb7dl0dlsbwkz9aydxnkf2mi6"))))
     (build-system python-build-system)
     (arguments
      ;; FIXME: Tests require sphinx, which depends on this.
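Review bot: Nothing in this hunk exercises the fixed lexer, because the trailing context line `;; FIXME: Tests require sphinx, which depends on this.` shows the package's test suite is not run; before pushing, confirm the new hash with `guix download` against the 2.8.1 PyPI release and, after building, check that highlighting a file containing only `exception` with the SML lexer terminates. The commit message's "Fixes at least CVE-2021-20270" also leaves the security record incomplete for a change tagged `[security fixes]`; either list the other CVEs upstream resolved between 2.7.3 and 2.8.1 or state that they were not reviewed.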
-- 
2.31.0


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
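An added regression check for the behaviour the advisory above describes; it is not part of this report or of the Guix patch. It feeds the trigger input to the SML lexer in a child process with a wall-clock timeout, so a vulnerable Pygments hangs the child rather than the caller, and separately compares the installed version with the affected range. It assumes a Python interpreter with Pygments importable; the `sml` lexer alias and `pygments.__version__` are Pygments' real names.

```python
import re
import subprocess
import sys

# Affected range as stated in the CVE description quoted in the report.
AFFECTED_MIN = (1, 5)
AFFECTED_MAX = (2, 7, 3)
# Trigger from the advisory: a source file containing only this keyword.
TRIGGER_INPUT = "exception\n"

# Child program: tokenise stdin with the SML lexer ('sml' is the real
# Pygments alias) and exit 0 once the lexer has run to completion.
_CHILD = (
    "import sys\n"
    "from pygments.lexers import get_lexer_by_name\n"
    "list(get_lexer_by_name('sml').get_tokens(sys.stdin.read()))\n"
)


def parse_version(text):
    """Turn '2.8.1' or '2.8.1.dev0' into a comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def version_in_affected_range(version):
    """True if the version tuple lies in the range named in the advisory."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def installed_pygments_version():
    """Installed Pygments version string, or None if it is not importable."""
    try:
        import pygments
    except ImportError:
        return None
    return pygments.__version__


def check_sml_lexer(timeout=5.0):
    """Behavioural check: 'ok', 'hang', 'error' or 'unavailable'.

    'hang' means the lexer did not finish the trigger input within the
    timeout, the observable symptom of CVE-2021-20270; the child is killed.
    """
    if installed_pygments_version() is None:
        return "unavailable"
    try:
        proc = subprocess.run([sys.executable, "-c", _CHILD], input=TRIGGER_INPUT,
                              text=True, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"
    except OSError:  # e.g. spawning a process is not permitted here
        return "unavailable"
    return "ok" if proc.returncode == 0 else "error"
```

The version test and the behavioural test can disagree (for example on a distribution that backported the fix without bumping the version), which is why both are reported.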

Thread overview: 2+ messages
2021-03-23 23:20 Léo Le Bouter via Bug reports for GNU Guix [this message]
2022-03-23  2:31 ` bug#47351: python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270 Maxim Cournoyer