Fedora has issued an advisory today (November 17): https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171882.html The RedHat bug has a link to the upstream commit to fix the issue: https://bugzilla.redhat.com/show_bug.cgi?id=1276321 I'm not sure if Mageia 5 is affected. Reproducible: Steps to Reproduce:
cauldron patched (python-pygments-2.0.2-3.mga6 and python3-pygments-2.0.2-3.mga6) Mageia 5 patched in core/updates_testing : python3-pygments-1.6-8.1.mga5.noarch python-pygments-1.6-8.1.mga5.noarch from : python-pygments-1.6-8.1.mga5.src
Assignee: makowski.mageia => security
Advisory: ======================== Updated python-pygments packages fix security vulnerability: An unsafe use of string concatenation in a shell string occurs in FontManager. If the developer allows the attacker to choose the font and outputs an image, the attacker can execute any shell command on the remote system. The name variable injected comes from the constructor of FontManager, which is invoked by ImageFormatter from options (rhbz#1276321). References: https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171882.html
Version: Cauldron => 5Assignee: security => qa-bugs
CC: (none) => davidwhodginsWhiteboard: (none) => advisory
Anything we can install with this to test it David?
CC: (none) => wilcal.int
Looks like bpython and httpie use it for syntax highlighting and would be the easiest things to test it with.
Testing info http://pygments.org/docs/quickstart/
Testing complete mga5 32 I realise this doesn't show in black & white but it colours the text $ urpmf python-pygments | grep bin python-pygments:/usr/bin/pygmentize $ pygmentize testscript.py from pygments import highlight from pygments.lexers import PythonLexer from pygments.formatters import HtmlFormatter code = 'print "Hello World"' print highlight(code, PythonLexer(), HtmlFormatter() The script also outputs html like so.. $ python testscript.py <div class="highlight"><pre><span class="k">print</span> <span class="s">"Hello World"</span> </pre></div> And for python3-pygments.. urpmf python3-pygments | grep bin python3-pygments:/usr/bin/python3-pygmentize $ python3-pygmentize testscript.py from pygments import highlight from pygments.lexers import PythonLexer from pygments.formatters import HtmlFormatter code = 'print "Hello World"' print highlight(code, PythonLexer(), HtmlFormatter())
Whiteboard: advisory => has_procedure advisory mga5-32-ok
Validating. Please push to 5 updates Thanks
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0456.html
Status: NEW => RESOLVEDResolution: (none) => FIXED