GNU bug report logs

#47351 python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #12 received at 47351-done@debbugs.gnu.org (full text, mbox, reply):

Received: (at 47351-done) by debbugs.gnu.org; 23 Mar 2022 02:32:09 +0000
From debbugs-submit-bounces@debbugs.gnu.org Tue Mar 22 22:32:09 2022
Received: from localhost ([127.0.0.1]:42267 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1nWqnA-0000L1-Pb
	for submit@debbugs.gnu.org; Tue, 22 Mar 2022 22:32:09 -0400
Received: from mail-qk1-f173.google.com ([209.85.222.173]:43850)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@gmail.com>) id 1nWqn8-0000EP-NF
 for 47351-done@debbugs.gnu.org; Tue, 22 Mar 2022 22:32:07 -0400
Received: by mail-qk1-f173.google.com with SMTP id p25so131609qkj.10
 for <47351-done@debbugs.gnu.org>; Tue, 22 Mar 2022 19:32:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
 h=from:to:cc:subject:references:date:in-reply-to:message-id
 :user-agent:mime-version:content-transfer-encoding;
 bh=IDMpBb/RbgM62T00L/EA1Er6Jq3q0MH7o1pYbSJLBAM=;
 b=cI4+yN3wNLdcFrppNjn8JAlSz1DnzcuWtQ8A54iv6paGcPHbJc+SMYF+VQqaaOgUg5
 9WeAU2Zlz9GM3JgDOAJkw1IJ1M+l7hlvAhs4c8AC52jKoLkBYhp707kw/LxDfDxSn+mK
 YnYHu1++sylLdnixXi8F8uXivOmItWmQjWH1NsA2SSVd5WF8D2sHhAKgJUnc5C8l3foD
 t8+pUABd2BFpDsQg25fTWwe1VoMkcDBFn/8MwlrPy6cD2tQHHsUQMAntrPwJ+rBeIuvW
 4BWkHqDhsLg6D+JOKMDieinQhTGJKxB4jOQlY8lQ8ijGBH7BJ4ILPu2Josb0WhB8mxwB
 3cYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to
 :message-id:user-agent:mime-version:content-transfer-encoding;
 bh=IDMpBb/RbgM62T00L/EA1Er6Jq3q0MH7o1pYbSJLBAM=;
 b=S0L22pAWsX0d9NG3HVs1Pi/O8j8FiUASLiE+lin0FMzwxBlzWK/0sMiQvvSkzltTr1
 BkFcUNbB/WWeLtcLurvT//YP3Djiy2o+RKkijpsX4yueYhFjEeaHsfQjfKGbjlxPv4QE
 4t0dU+pQIMFurfJ8sw8m9KcXYzSGv/fb/HUXdy08yBLwX+1OGupv3f7PQAdAAFVGxdPw
 zWMq1RcmFNF85KW+q9Wdih15IBkbJaFylXl81JvlzSGZsA9VTLtKQAEOJccUJRGoVDDU
 Q5IuS/XkxST6YECGBP17ZRE1RYCUI2IIe4yx3PGb5FgHLxvqNq/zH0LnyO+IatcDf0OP
 zNaA==
X-Gm-Message-State: AOAM531PUWcvu08+37MBdAGxTrytFBVM8N8fdO6/ta5wymxix1r+aGHk
 7d4HUoMpA6lg2cFpgQtwxIdvEIsdVFg=
X-Google-Smtp-Source: ABdhPJwDe/9gjdJOkpF3Ro4zrEQ7skiGNp19v2XY4mgcdUaQdLbdUAAoks5hEImvAujx/kMLnwZXCw==
X-Received: by 2002:a05:620a:29d1:b0:67d:551a:f790 with SMTP id
 s17-20020a05620a29d100b0067d551af790mr17268348qkp.770.1648002721104; 
 Tue, 22 Mar 2022 19:32:01 -0700 (PDT)
Received: from hurd (dsl-10-129-199.b2b2c.ca. [72.10.129.199])
 by smtp.gmail.com with ESMTPSA id
 g5-20020ac87f45000000b002e125ef0ba3sm14860979qtk.82.2022.03.22.19.31.59
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 22 Mar 2022 19:31:59 -0700 (PDT)
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Léo Le Bouter <lle-bout@zaclys.net>
Subject: Re: bug#47351: python-pygments@2.7.3 is vulnerable to at least
 CVE-2021-20270
References: <52ebf77423268ebf2a2bf87d524b86224ec13233.camel@zaclys.net>
Date: Tue, 22 Mar 2022 22:31:58 -0400
In-Reply-To: <52ebf77423268ebf2a2bf87d524b86224ec13233.camel@zaclys.net>
 ("Léo
 Le Bouter"'s message of "Wed, 24 Mar 2021 00:20:14 +0100")
Message-ID: <878rt11js1.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 47351-done
Cc: 47351-done@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Léo Le Bouter <lle-bout@zaclys.net> writes:

> CVE-2021-20270	23.03.21 18:15
> An infinite loop in SMLLexer in Pygments
> versions 1.5 to 2.7.3 may lead to denial of service when performing
> syntax highlighting of a Standard ML (SML) source file, as demonstrated
> by input that only contains the "exception" keyword.
>
> Upstream version 2.8.1 is not affected.

Which is now the current version packaged in Guix.

Thanks for the report!

Closing.

Maxim

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Thu Jan 2 14:40:18 2025; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.