Bug 28982

Summary: python-pygments new security issue CVE-2021-27291
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, mageia, makowski.mageia, ouaurelien, sysadmin-bugs, tarazed25
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: python-pygments-2.3.1-1.1.mga7.src.rpm CVE: CVE-2021-27291
Status comment:

Description David Walser 2021-05-28 21:56:39 CEST 
Debian and Ubuntu have issued advisories on March 27 and March 30:
https://www.debian.org/security/2021/dsa-4878
https://ubuntu.com/security/notices/USN-4897-1

We fixed this in Mageia 8 in Bug 28319 by updating to 2.7.4 where it's fixed.
David Walser 2021-05-28 21:57:01 CEST

Status comment: (none) => Patch available from Debian
CC: (none) => mageia

Comment 1 Lewis Smith 2021-05-29 20:19:00 CEST 
This SRPM has been maintained by various people, so assigning this bug globally. CC'ing Philippe, registered maintainer.

Assignee: bugsquad => pkg-bugs
CC: (none) => makowski.mageia

Comment 2 Lewis Smith 2021-05-29 20:24:56 CEST 
Forgot there was a Python group, changing assignment from everybody to them.

Assignee: pkg-bugs => python

Comment 4 David GEIGER 2021-06-07 09:09:27 CEST 
Done for mga7 adding debian's patch!

CC: (none) => geiger.david68210

Comment 5 David Walser 2021-06-09 01:24:00 CEST 
RPMS:
python2-pygments-2.3.1-1.2.mga7
python3-pygments-2.3.1-1.2.mga7

from python-pygments-2.3.1-1.2.mga7.src.rpm

Status comment: Patch available from Debian => (none)
Assignee: python => qa-bugs

Comment 6 Len Lawrence 2021-06-11 17:58:32 CEST 
mga7, x86_64

CVE-2021-27291 has been assigned for a possible regular express DOS attack vulnerability.  No details found.
Updated the packages.

Following the condensed tutorial from bug 28319 to test this.

$ cat test.py
from pygments import highlight
from pygments.lexers import PythonLexer
from pygments.formatters import HtmlFormatter

code = 'print "Hello World"'
print(highlight(code, PythonLexer(), HtmlFormatter()))

$ python2 test.py
<div class="highlight"><pre><span></span><span class="k">print</span> <span class="s2">&quot;Hello World&quot;</span>
</pre></div>

Running test.py with python3 generated the same code.

$ pygmentize -f html -o test.html test.py
$ firefox file:./test2.html
This printed the content of test.py in a new browser page.
$ cat test2.html
<div class="highlight"><pre><span></span><span class="kn">from</span> <span class="nn">pygments</span> <span class="kn">import</span> <span class="n">highlight</span>
<span class="kn">from</span> <span class="nn">pygments.lexers</span> <span class="kn">import</span> <span class="n">PythonLexer</span>
<span class="kn">from</span> <span class="nn">pygments.formatters</span> <span class="kn">import</span> <span class="n">HtmlFormatter</span>

<span class="n">code</span> <span class="o">=</span> <span class="s1">&#39;print &quot;Hello World&quot;&#39;</span>
<span class="k">print</span><span class="p">(</span><span class="n">highlight</span><span class="p">(</span><span class="n">code</span><span class="p">,</span> <span class="n">PythonLexer</span><span class="p">(),</span> <span class="n">HtmlFormatter</span><span class="p">()))</span>
</pre></div>

$ pygmentize -f html -O full -o style.html test.py
$ firefox file:./style.html
This showed the same code in a browser withblue, red and green highlighting,
green for python reserved words, blue for package names and red for quoted text.

$ pygmentize -S default -f html > style.css
creates a cascading style sheet, which I don't know how to use but which assigns different colours for elements of the code.
$ pygmentize-3 -S default -f html > style3.css
does the same for python3 and the content appears to be the same.

This looks good to go.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 7 Thomas Andrews 2021-06-12 18:13:18 CEST 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Aurelien Oudelet 2021-06-13 21:12:55 CEST 
Advisory:
========================

Updated python-pygments packages fix a security vulnerability:

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service (CVE-2021-27291).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=28982
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27291
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GSJRFHALQ7E3UV4FFMFU2YQ6LUDHAI55/
========================

Updated packages in 7/core/updates_testing:
========================
python2-pygments-2.3.1-1.2.mga7
python3-pygments-2.3.1-1.2.mga7

from python-pygments-2.3.1-1.2.mga7.src.rpm

CVE: (none) => CVE-2021-27291
Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 9 Mageia Robot 2021-06-13 23:34:23 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0245.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED