GNU bug report logs - #47351
python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270


Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Tue, 23 Mar 2021 23:21:02 UTC

Severity: normal

Tags: security

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org: bug#47351; Package guix. (Tue, 23 Mar 2021 23:21:02 GMT)

Acknowledgement sent to Léo Le Bouter <lle-bout <at> zaclys.net>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Tue, 23 Mar 2021 23:21:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: python-pygments <at> 2.7.3 is vulnerable to at least CVE-2021-20270
Date: Wed, 24 Mar 2021 00:20:14 +0100
CVE-2021-20270	23.03.21 18:15
An infinite loop in SMLLexer in Pygments
versions 1.5 to 2.7.3 may lead to denial of service when performing
syntax highlighting of a Standard ML (SML) source file, as demonstrated
by input that only contains the "exception" keyword.

Upstream version 2.8.1 is not affected.

Because this package would cause 456 dependents to be rebuilt, I
prepared 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d and will push soon to
staging once master is merged in it so that .guix-authorizations
contains my key. I also attached the patch (trivial).

Opening this bug to track when this lands into master.
[0001-gnu-python-pygments-Update-to-2.8.1-security-fixes.patch (text/x-patch, attachment)]

Added tag(s) security. Request was from Léo Le Bouter <lle-bout <at> zaclys.net> to control <at> debbugs.gnu.org. (Tue, 23 Mar 2021 23:25:01 GMT)

Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>: You have taken responsibility. (Wed, 23 Mar 2022 02:33:02 GMT)

Notification sent to Léo Le Bouter <lle-bout <at> zaclys.net>: bug acknowledged by developer. (Wed, 23 Mar 2022 02:33:02 GMT)

Message #12 received at 47351-done <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Léo Le Bouter <lle-bout <at> zaclys.net>
Cc: 47351-done <at> debbugs.gnu.org
Subject: Re: bug#47351: python-pygments <at> 2.7.3 is vulnerable to at least CVE-2021-20270
Date: Tue, 22 Mar 2022 22:31:58 -0400

Léo Le Bouter <lle-bout <at> zaclys.net> writes:

> CVE-2021-20270	23.03.21 18:15
> An infinite loop in SMLLexer in Pygments
> versions 1.5 to 2.7.3 may lead to denial of service when performing
> syntax highlighting of a Standard ML (SML) source file, as demonstrated
> by input that only contains the "exception" keyword.
>
> Upstream version 2.8.1 is not affected.

Which is now the current version packaged in Guix.

Thanks for the report!

Closing.

Maxim

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 20 Apr 2022 11:24:10 GMT)
