Bug 17165

Summary: python-pygments new remote code execution security issue
Product: Mageia
Component: Security
Status: RESOLVED FIXED
Severity: critical
Priority: Normal
Version: 5
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/664758/
Whiteboard: has_procedure advisory mga5-32-ok
Source RPM: python-pygments-2.0.2-2.mga6.src.rpm
CVE:
Status comment:
Reporter: David Walser <luigiwalser>
Assignee: QA Team <qa-bugs>
QA Contact: Sec team <security>
CC: davidwhodgins, sysadmin-bugs, wilcal.int
Keywords: validated_update

Description David Walser 2015-11-17 19:37:36 CET
Fedora has issued an advisory today (November 17):
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171882.html

The RedHat bug has a link to the upstream commit to fix the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1276321

I'm not sure if Mageia 5 is affected.

Comment 1 Philippe Makowski 2015-11-19 22:34:06 CET
cauldron patched (python-pygments-2.0.2-3.mga6 and python3-pygments-2.0.2-3.mga6)

Mageia 5 patched in core/updates_testing :

python3-pygments-1.6-8.1.mga5.noarch 
python-pygments-1.6-8.1.mga5.noarch 

from :
python-pygments-1.6-8.1.mga5.src

Assignee: makowski.mageia => security

Comment 2 David Walser 2015-11-19 23:03:16 CET
Advisory:
========================

Updated python-pygments packages fix security vulnerability:

An unsafe use of string concatenation in a shell string occurs in FontManager.
If the developer allows the attacker to choose the font and outputs an image,
the attacker can execute any shell command on the remote system. The name
variable injected comes from the constructor of FontManager, which is invoked
by ImageFormatter from options (rhbz#1276321).

References:
https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171882.html

Version: Cauldron => 5
Assignee: security => qa-bugs
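
The bug class the advisory describes, as an added example that is not Pygments' code and not part of the original report: a caller-supplied font name pasted into a shell string, next to the argv-list form that keeps it a single argument. The function names are hypothetical, `echo` stands in for the font lookup tool so the block runs without fontconfig, and the allow-list pattern is an assumption.

```python
import re
import subprocess

# Constructed input: a "font name" carrying shell syntax (harmless marker only).
HOSTILE_NAME = 'x"; echo INJECTED; echo "'


def lookup_concat(name):
    """Pre-fix pattern: the name is pasted into a string that /bin/sh parses."""
    cmd = 'echo "%s" file' % name  # echo is a stand-in for the font tool
    return subprocess.check_output(cmd, shell=True).decode().splitlines()


def lookup_argv(name):
    """Hardened pattern: argv list, no shell, the name stays one argument."""
    out = subprocess.check_output(["echo", name, "file"])
    return out.decode().splitlines()


# Caller-side allow-list (an assumption; stricter than real font names require).
FONT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _-]{0,63}")


def is_plausible_font_name(name):
    """Reject names with quotes, separators or other shell metacharacters."""
    return FONT_NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    # Shell form: the quote closes early and the marker runs as its own command.
    print(lookup_concat(HOSTILE_NAME))
    # argv form: one output line, the name is echoed back literally.
    print(lookup_argv(HOSTILE_NAME))
    print(is_plausible_font_name(HOSTILE_NAME),
          is_plausible_font_name("DejaVu Sans Mono"))
```

An application that lets users pick the font for image output can apply a check like `is_plausible_font_name` before the value reaches the formatter options, independent of whether the patched package is installed.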

Dave Hodgins 2015-11-20 19:26:14 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 3 William Kenney 2015-11-21 17:45:42 CET
Anything we can install with this to test it David?

CC: (none) => wilcal.int

Comment 4 David Walser 2015-11-21 18:17:50 CET
Looks like bpython and httpie use it for syntax highlighting and would be the easiest things to test it with.

Comment 5 claire robinson 2015-11-21 19:07:44 CET
Testing info http://pygments.org/docs/quickstart/

Comment 6 claire robinson 2015-11-25 18:53:08 CET
Testing complete mga5 32

I realise this doesn't show in black & white but it colours the text


$ urpmf python-pygments | grep bin
python-pygments:/usr/bin/pygmentize

$ pygmentize testscript.py 
from pygments import highlight
from pygments.lexers import PythonLexer
from pygments.formatters import HtmlFormatter

code = 'print "Hello World"'
print highlight(code, PythonLexer(), HtmlFormatter())


The script also outputs html like so..
$ python testscript.py 
<div class="highlight"><pre><span class="k">print</span> <span class="s">&quot;Hello World&quot;</span>
</pre></div>



And for python3-pygments..

$ urpmf python3-pygments | grep bin
python3-pygments:/usr/bin/python3-pygmentize

$ python3-pygmentize testscript.py 
from pygments import highlight
from pygments.lexers import PythonLexer
from pygments.formatters import HtmlFormatter

code = 'print "Hello World"'
print highlight(code, PythonLexer(), HtmlFormatter())

Whiteboard: advisory => has_procedure advisory mga5-32-ok

Comment 7 claire robinson 2015-11-26 17:55:31 CET
Validating.

Please push to 5 updates

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-11-26 21:48:27 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0456.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED