| Summary: | python-pygments new shell injection security issue (CVE-2015-8557) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | makowski.mageia, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/668130/ | ||
| Whiteboard: | has_procedure advisory MGA5-64-OK MGA5-32-OK | ||
| Source RPM: | python-pygments-2.0.2-3.mga6.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Specimen python script for testing pygmentize; Corrected test file | ||
Description
David Walser
2015-12-14 17:27:37 CET
procedure : https://bugs.mageia.org/show_bug.cgi?id=17165#c6

Advisory:
========================

Updated python-pygments packages fix security vulnerability:

An unsafe use of string concatenation in a shell string occurs in FontManager. If the developer allows the attacker to choose the font and outputs an image, the attacker can execute any shell command on the remote system. The name variable injected comes from the constructor of FontManager, which is invoked by ImageFormatter from options (rhbz#1276321).

References:
http://openwall.com/lists/oss-security/2015/12/14/6
https://bugzilla.redhat.com/show_bug.cgi?id=1276321

cauldron patched (python-pygments-2.0.2-4.mga6 and python3-pygments-2.0.2-4.mga6)

Mageia 5 patched in core/updates_testing :
python3-pygments-1.6-9.1.mga5.noarch
python-pygments-1.6-9.1.mga5.noarch

from :
python-pygments-1.6-9.1.mga5.src

Sorry I bumped rel instead of subrel

Note, in fact it is just a better fix for https://bugs.mageia.org/show_bug.cgi?id=17165

Assignee: makowski.mageia => security
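The flaw class the advisory describes, shown beside a hardened form, as an added example that is not part of the original report and is not Pygments code. `echo` stands in for the external font lookup command; the function names, the sample font name and the allowlist are assumptions made for illustration.

```python
import re
import subprocess

# Stand-in for the external font lookup tool (assumption), so the example
# runs on any system with a POSIX shell; it prints the argument it receives.
LOOKUP_TOOL = "echo"

# Constructed input: a "font name" carrying shell command substitution.
# The marker command is harmless and only makes shell evaluation visible.
HOSTILE_NAME = "Arial$(echo INJECTED)"

# Assumed allowlist for font family names.
FONT_NAME_RE = re.compile(r"[A-Za-z0-9 ._-]{1,64}")


def lookup_unsafe(name, style):
    """Flawed pattern: the name is concatenated into a shell string."""
    cmd = '%s "%s:style=%s"' % (LOOKUP_TOOL, name, style)
    _status, out = subprocess.getstatusoutput(cmd)  # executed by the shell
    return out


def lookup_safe(name, style):
    """Hardened form: argument vector, no shell, the name is never parsed."""
    pattern = "%s:style=%s" % (name, style)
    proc = subprocess.run([LOOKUP_TOOL, pattern],
                          capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


def lookup_checked(name, style):
    """Defence in depth: reject names outside the allowlist before lookup."""
    if not FONT_NAME_RE.fullmatch(name):
        raise ValueError("rejected font name: %r" % name)
    return lookup_safe(name, style)


if __name__ == "__main__":
    print("unsafe:", lookup_unsafe(HOSTILE_NAME, "Bold"))
    print("safe:  ", lookup_safe(HOSTILE_NAME, "Bold"))
    try:
        lookup_checked(HOSTILE_NAME, "Bold")
    except ValueError as exc:
        print("checked:", exc)
```

In the unsafe call the shell evaluates the substitution inside the font name before the tool runs; in the safe call the same bytes arrive as one literal argument.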
David Walser
2015-12-14 22:33:19 CET
Assignee: security => qa-bugs
David Walser
2015-12-14 22:33:29 CET
Version: Cauldron => 5

This is CVE-2015-8557:
http://openwall.com/lists/oss-security/2015/12/14/17

Summary: python-pygments new shell injection security issue => python-pygments new shell injection security issue (CVE-2015-8557)

Advisory uploaded (including the CVE number).

Whiteboard: has_procedure => has_procedure advisory
David Walser
2015-12-16 19:31:20 CET
URL: (none) => http://lwn.net/Vulnerabilities/668130/

Created attachment 7285
Specimen python script for testing pygmentize

Copied from Claire's test in bug #17165.

CC: (none) => tarazed25

mga5 x86_64 Mate
Before the update:
$ pygmentize testscript.py
from pygments import highlight
from pygments.lexers import PythonLexer
from pygments.formatters import HtmlFormatter
code = 'print "Hello World"'
print highlight(code, PythonLexer(), HtmlFormatter())
These lines were suitably highlighted in different colours.
python3-pygmentize produced the same result.
$ python testscript.py
<div class="highlight"><pre><span class="k">print</span> <span class="s">"Hello World"</span>
</pre></div>
But python3 raised a syntax error, possibly caused by an error in a function name or call:
$ python3 testscript.py
File "testscript.py", line 6
print highlight(code, PythonLexer(), HtmlFormatter())
^
SyntaxError: invalid syntax
Updated the two packages from Core Updates Testing and tested them in the same way. The results were exactly the same. Good for 64-bits.
Len Lawrence
2015-12-17 01:32:31 CET
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK

The syntax error in Python3 is on the print instruction with Python3 (but it will be ok too with Python2), you need to write:

from pygments import highlight
from pygments.lexers import PythonLexer
from pygments.formatters import HtmlFormatter
code = 'print "Hello World"'
print(highlight(code, PythonLexer(), HtmlFormatter()))

CC: (none) => makowski.mageia

Spot on Philippe. As you say it works fine for both the old and the new python. Edited script uploaded.

Created attachment 7288
Corrected test file
This works for python2 and python3.
Tested this again in an i586 virtualbox. The same tests were performed, before and after Updates Testing, and the same results were returned. Listing this as validated. Would some kind person please push it to updates?
Len Lawrence
2015-12-17 17:07:40 CET
Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0478.html

Status: NEW => RESOLVED