A CVE has been requested for a security issue fixed upstream in Pygments:
http://openwall.com/lists/oss-security/2015/12/14/6

The RedHat bug has a link to the upstream patch to fix the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1276321

Mageia 5 may also be affected.

Reproducible:

Steps to Reproduce:

procedure: https://bugs.mageia.org/show_bug.cgi?id=17165#c6

Advisory:
========================

Updated python-pygments packages fix security vulnerability:

An unsafe use of string concatenation in a shell string occurs in FontManager. If the developer allows the attacker to choose the font and outputs an image, the attacker can execute any shell command on the remote system. The name variable injected comes from the constructor of FontManager, which is invoked by ImageFormatter from options (rhbz#1276321).

References:
http://openwall.com/lists/oss-security/2015/12/14/6
https://bugzilla.redhat.com/show_bug.cgi?id=1276321

cauldron patched (python-pygments-2.0.2-4.mga6 and python3-pygments-2.0.2-4.mga6)

Mageia 5 patched in core/updates_testing:
python3-pygments-1.6-9.1.mga5.noarch
python-pygments-1.6-9.1.mga5.noarch

from:
python-pygments-1.6-9.1.mga5.src

Sorry I bumped rel instead of subrel

Note, in fact it is just a better fix for https://bugs.mageia.org/show_bug.cgi?id=17165

Assignee: makowski.mageia => security
Whiteboard: (none) => MGA5TOO has_procedure
Assignee: security => qa-bugs
Version: Cauldron => 5
Whiteboard: MGA5TOO has_procedure => has_procedure
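The pattern the advisory describes, as an added example that is not Pygments code and not part of the original bug report: a stand-in child process (an assumption, replacing the real external font lookup) reports the argument vector it receives, first when the font name is concatenated into a shell string and then when it is passed as one element of an argument list. The function names and the hostile font name are constructed for illustration.

```python
import shlex
import subprocess
import sys

# Stand-in for the external font lookup command (assumption): a child process
# that prints the argument vector it actually received, as JSON.
PROBE = [sys.executable, "-c",
         "import json, sys; print(json.dumps(sys.argv[1:]))"]

# Constructed font name for illustration: closes the double quote, then
# appends a harmless marker command.
HOSTILE_NAME = 'x"; echo INJECTED; "'


def lookup_via_shell_string(name, style):
    """'Before' pattern: the name is concatenated into a string parsed by /bin/sh."""
    probe = " ".join(shlex.quote(part) for part in PROBE)
    command = '%s "%s:style=%s" file' % (probe, name, style)
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout.splitlines()


def lookup_via_argv(name, style):
    """Hardened pattern: no shell, the whole pattern is one argv element."""
    argv = PROBE + ["%s:style=%s" % (name, style), "file"]
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    for label, fn in (("shell string", lookup_via_shell_string),
                      ("argv list", lookup_via_argv)):
        for name in ("DejaVu Sans", HOSTILE_NAME):
            print("%-12s %-24r -> %s" % (label, name, fn(name, "Bold")))
```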
This is CVE-2015-8557: http://openwall.com/lists/oss-security/2015/12/14/17
Summary: python-pygments new shell injection security issue => python-pygments new shell injection security issue (CVE-2015-8557)
Advisory uploaded (including the CVE number).
Whiteboard: has_procedure => has_procedure advisory
URL: (none) => http://lwn.net/Vulnerabilities/668130/
Created attachment 7285
Specimen python script for testing pygmentize

Copied from Claire's test in bug #17165.
CC: (none) => tarazed25
mga5 x86_64 Mate

Before the update:

    $ pygmentize testscript.py
    from pygments import highlight
    from pygments.lexers import PythonLexer
    from pygments.formatters import HtmlFormatter

    code = 'print "Hello World"'
    print highlight(code, PythonLexer(), HtmlFormatter())

These lines were suitably highlighted in different colours. python3-pygmentize produced the same result.

    $ python testscript.py
    <div class="highlight"><pre><span class="k">print</span> <span class="s">"Hello World"</span>
    </pre></div>

But python3 raised a syntax error, possibly caused by an error in a function name or call:

    $ python3 testscript.py
      File "testscript.py", line 6
        print highlight(code, PythonLexer(), HtmlFormatter())
        ^
    SyntaxError: invalid syntax

Updated the two packages from Core Updates Testing and tested them in the same way. The results were exactly the same.

Good for 64-bits.
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK
The syntax error in Python3 is on the print instruction with Python3 (but it will be ok too with Python2), you need to write:

    from pygments import highlight
    from pygments.lexers import PythonLexer
    from pygments.formatters import HtmlFormatter

    code = 'print "Hello World"'
    print(highlight(code, PythonLexer(), HtmlFormatter()))
CC: (none) => makowski.mageia
Spot on Philippe. As you say it works fine for both the old and the new python. Edited script uploaded.
Created attachment 7288
Corrected test file

This works for python2 and python3.
Tested this again in an i586 virtualbox. The same tests were performed, before and after Updates Testing, and the same results were returned. Listing this as validated. Would some kind person please push it to updates?
Keywords: (none) => validated_update
Whiteboard: has_procedure advisory MGA5-64-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0478.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED