GNU bug report logs

#47351 python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270


Report forwarded to bug-guix@gnu.org:
bug#47351; Package guix. (Tue, 23 Mar 2021 23:21:02 GMT)


Acknowledgement sent to Léo Le Bouter <lle-bout@zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Tue, 23 Mar 2021 23:21:02 GMT)


Message #5 received at submit@debbugs.gnu.org:

From: Léo Le Bouter <lle-bout@zaclys.net>
To: bug-guix@gnu.org
Subject: python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270
Date: Wed, 24 Mar 2021 00:20:14 +0100
CVE-2021-20270	23.03.21 18:15
An infinite loop in SMLLexer in Pygments
versions 1.5 to 2.7.3 may lead to denial of service when performing
syntax highlighting of a Standard ML (SML) source file, as demonstrated
by input that only contains the "exception" keyword.

Upstream version 2.8.1 is not affected.

Because this package would cause 456 dependents to be rebuilt, I
prepared 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d and will push soon to
staging once master is merged in it so that .guix-authorizations
contains my key. I also attached the patch (trivial).

Opening this bug to track when this lands in master.
[0001-gnu-python-pygments-Update-to-2.8.1-security-fixes.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]
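Added check, not part of the bug report or of Guix: a small Python script that (1) classifies a Pygments version string against the affected range the CVE text names (1.5 through 2.7.3) and (2) if Pygments is importable, feeds the "exception" trigger to SMLLexer in a child process with a timeout, so an affected lexer is reported as a hang instead of wedging the caller. The function and constant names, the 5-second timeout and the `ok:`/`hang:`/`error:` result strings are this example's own choices.

```python
"""Probe an installed Pygments for CVE-2021-20270 (SMLLexer infinite loop).

Added example; not code from the bug report, from Pygments or from Guix.
"""
import multiprocessing
import re

# Affected range as stated in the CVE description quoted in the report.
AFFECTED_MIN = (1, 5)
AFFECTED_MAX = (2, 7, 3)
# Input "that only contains the 'exception' keyword" (from the CVE text).
TRIGGER = "exception"


def parse_version(s):
    """Turn '2.7.3' or '2.8.1.dev0' into a tuple of ints; trailing suffixes are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected_version(s):
    """True if the version lies in the range the CVE names, 1.5 through 2.7.3 inclusive."""
    v = parse_version(s)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def _lex_in_child(source, conn):
    """Run SMLLexer on `source` and report the token count back over the pipe."""
    from pygments.lexers import SMLLexer  # imported here so the parent need not have it
    tokens = list(SMLLexer().get_tokens(source))
    conn.send(len(tokens))
    conn.close()


def probe_sml_lexer(source=TRIGGER, timeout=5.0):
    """Return 'not-installed', 'hang', 'error:<exitcode>' or 'ok:<token count>'.

    The lexer runs in a separate process so that an affected version (which
    never returns on the trigger input) can be killed after `timeout` seconds.
    """
    try:
        import pygments  # noqa: F401
    except ImportError:
        return "not-installed"
    parent, child = multiprocessing.Pipe(duplex=False)
    proc = multiprocessing.Process(target=_lex_in_child, args=(source, child))
    proc.start()
    child.close()
    proc.join(timeout)
    if proc.is_alive():
        proc.terminate()
        proc.join()
        return "hang"
    if proc.exitcode != 0 or not parent.poll():
        return f"error:{proc.exitcode}"
    return f"ok:{parent.recv()}"


if __name__ == "__main__":
    try:
        import pygments
        print("installed Pygments:", pygments.__version__,
              "(in CVE range)" if is_affected_version(pygments.__version__) else "(outside CVE range)")
    except ImportError:
        print("Pygments not installed")
    print("SMLLexer probe on", repr(TRIGGER) + ":", probe_sml_lexer())
```

The version check alone is not proof: a distribution may backport the fix without bumping the version, which is why the script also exercises the lexer. Run it against the package under test; a result of `hang` on the `exception` input reproduces the CVE, `ok:<n>` means the lexer returned.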

Added tag(s) security. Request was from Léo Le Bouter <lle-bout@zaclys.net> to control@debbugs.gnu.org. (Tue, 23 Mar 2021 23:25:01 GMT)


Reply sent to Maxim Cournoyer <maxim.cournoyer@gmail.com>:
You have taken responsibility. (Wed, 23 Mar 2022 02:33:02 GMT)


Notification sent to Léo Le Bouter <lle-bout@zaclys.net>:
bug acknowledged by developer. (Wed, 23 Mar 2022 02:33:02 GMT)


Message #12 received at 47351-done@debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Léo Le Bouter <lle-bout@zaclys.net>
Cc: 47351-done@debbugs.gnu.org
Subject: Re: bug#47351: python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270
Date: Tue, 22 Mar 2022 22:31:58 -0400
Léo Le Bouter <lle-bout@zaclys.net> writes:

> CVE-2021-20270	23.03.21 18:15
> An infinite loop in SMLLexer in Pygments
> versions 1.5 to 2.7.3 may lead to denial of service when performing
> syntax highlighting of a Standard ML (SML) source file, as demonstrated
> by input that only contains the "exception" keyword.
>
> Upstream version 2.8.1 is not affected.

Which is now the current version packaged in Guix.

Thanks for the report!

Closing.

Maxim

bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Wed, 20 Apr 2022 11:24:10 GMT)


debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Mon Dec 30 16:58:26 2024; Machine Name: wallace-server
