Bug 33030

Summary:	python-pygments new security issue CVE-2022-40896
Product:	Mageia	Reporter:	Nicolas Salguero <nicolas.salguero>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, geiger.david68210, sysadmin-bugs
Version:	9	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA9-64-OK
Source RPM:	python-pygments-2.13.0-1.mga9.src.rpm	CVE:	CVE-2022-40896
Status comment:	Patch available from Fedora

Description Nicolas Salguero 2024-03-29 11:14:25 CET

Fedora has issued an advisory on March 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZGMXALE3HSP4OXC7UUWIKX3OXKZDTY3/

Nicolas Salguero 2024-03-29 11:15:03 CET

CVE: (none) => CVE-2022-40896
Status comment: (none) => Patch available from Fedora
Source RPM: (none) => python-pygments-2.13.0-1.mga9.src.rpm

Comment 1 Lewis Smith 2024-03-31 21:13:45 CEST

This is the Fedora bug URL, but as usual I cannot see the patch:
 https://bugzilla.redhat.com/show_bug.cgi?id=2259082
Various packagers have committed this, assigning to Python maintainers.

Assignee: bugsquad => python

Comment 2 David GEIGER 2024-04-01 07:55:40 CEST

Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
python3-pygments-2.15.1-1.mga9.noarch.rpm

From SRPMS:
python-pygments-2.15.1-1.mga9.src.rpm

CC: (none) => geiger.david68210
Assignee: python => qa-bugs

katnatek 2024-04-01 20:24:24 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2024-04-02 23:20:50 CEST

 LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm
Marking python3-pygments as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list


installing python3-pygments-2.15.1-1.mga9.noarch.rpm from /home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: python3-pygments      ##################################################################################################
      1/1: removing python3-pygments-2.13.0-1.mga9.noarch
                                 ##################################################################################################

bug#28982 as reference

python3 pygments-test.py 
<div class="highlight"><pre><span></span><span class="nb">print</span> <span class="s2">&quot;Hello World&quot;</span>
</pre></div>

pygmentize -f html -O full -o style.html pygments-test.py
Open style.html

Reproduce what Len see in https://bugs.mageia.org/show_bug.cgi?id=28982#c6

katnatek 2024-04-02 23:21:21 CEST

CC: (none) => andrewsfarm

katnatek 2024-04-02 23:21:40 CEST

Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2024-04-03 20:43:34 CEST

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2024-04-04 22:28:11 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0107.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED