GNU bug report logs - #47351
python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270


Package: guix; Reported by: Léo Le Bouter <lle-bout@HIDDEN>; Keywords: security; dated Tue, 23 Mar 2021 23:21:02 UTC; Maintainer for guix is bug-guix@HIDDEN.
Added tag(s) security. Request was from Léo Le Bouter <lle-bout@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


Message-ID: <52ebf77423268ebf2a2bf87d524b86224ec13233.camel@HIDDEN>
Subject: python-pygments@HIDDEN is vulnerable to at least CVE-2021-20270
From: =?ISO-8859-1?Q?L=E9o?= Le Bouter <lle-bout@HIDDEN>
To: bug-guix@HIDDEN
Date: Wed, 24 Mar 2021 00:20:14 +0100
CVE-2021-20270	23.03.21 18:15
An infinite loop in SMLLexer in Pygments
versions 1.5 to 2.7.3 may lead to denial of service when performing
syntax highlighting of a Standard ML (SML) source file, as demonstrated
by input that only contains the "exception" keyword.

Upstream version 2.8.1 is not affected.

Because this package would cause 456 dependents to be rebuilt, I
prepared 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d and will push soon to
staging once master is merged in it so that .guix-authorizations
contains my key. I also attached the patch (trivial).

Opening this bug to track when this lands in master.

[Attachment: 0001-gnu-python-pygments-Update-to-2.8.1-security-fixes.patch (text/x-patch); the patch body is not reproduced on this page]

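As an added example (not part of the bug report, Guix, or Pygments), a defender-side regression check for the hang described above: it lexes the one-word input "exception" in a child Python process under a time limit, so a vulnerable Pygments shows up as a timeout rather than stalling the caller, and it classifies a version string against the 1.5 to 2.7.3 range given in the CVE text. It assumes pygments is importable by the same interpreter; if it is not, the check reports that instead of failing.

```python
import re
import subprocess
import sys

# Affected range as given in the CVE text: Pygments 1.5 through 2.7.3.
AFFECTED_MIN = (1, 5)
AFFECTED_MAX = (2, 7, 3)
# The known trigger from the CVE text: a file containing only this keyword.
TRIGGER_INPUT = "exception"

# Runs in a child interpreter so a hang can be killed from the parent.
# Assumes pygments is importable by sys.executable.
CHILD_SCRIPT = (
    "import sys\n"
    "from pygments.lexers import SMLLexer\n"
    "src = sys.stdin.read()\n"
    "print(sum(1 for _ in SMLLexer().get_tokens(src)))\n"
)

def parse_version(text):
    """'2.7.3' -> (2, 7, 3); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def version_in_affected_range(text):
    """True when the version string falls inside 1.5 .. 2.7.3 inclusive."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX

def lex_sml_with_timeout(source=TRIGGER_INPUT, seconds=5.0):
    """Lex `source` in a child process: token count on success, 'hang' if
    the time limit expired (the CVE behaviour), 'missing' if pygments is
    not installed, 'error' for any other child failure."""
    try:
        proc = subprocess.run([sys.executable, "-c", CHILD_SCRIPT],
                              input=source, capture_output=True,
                              text=True, timeout=seconds)
    except subprocess.TimeoutExpired:
        return "hang"
    if proc.returncode != 0:
        return "missing" if "No module named" in proc.stderr else "error"
    return int(proc.stdout.strip())

if __name__ == "__main__":
    print("lexing result for trigger input:", lex_sml_with_timeout())
```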

Acknowledgement sent to Léo Le Bouter <lle-bout@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#47351; Package guix. Full text available.
Last modified: Tue, 23 Mar 2021 23:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.