Fedora has issued an advisory on February 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TWY26NY4DBGDCUICGQT3I432Y5LZWS2U/

The issue is fixed upstream in 2.7.4. Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 2.7.4
Whiteboard: (none) => MGA7TOO
In the absence of an obvious maintainer for this SRPM, assigning to the Python stack group.
Assignee: bugsquad => python
Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
Pushed in mga7 src: python-pygments-2.3.1-1.1.mga7
Pushed in mga8 src: python-pygments-2.7.4-1.1.mga8
Fixed in cauldron too
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
CC: (none) => mageia
Status comment: Fixed upstream in 2.7.4 => (none)
Package list:
python2-pygments-2.3.1-1.1.mga7
python3-pygments-2.3.1-1.1.mga7
python3-pygments-2.7.4-1.1.mga8

from SRPMS:
python-pygments-2.3.1-1.1.mga7.src.rpm
python-pygments-2.7.4-1.1.mga8.src.rpm
Assignee: python => qa-bugs
mga7, x64

This is concerned with highlighting text in various document formats AFAICS. It supplies a user command 'pygmentize'.

List supported lexers, formatters, filters.

$ pygmentize -L
* abap:
    ABAP (filenames *.abap, *.ABAP)
* abnf:
    ABNF (filenames *.abnf)
* ada, ada95, ada2005:
    Ada (filenames *.adb, *.ads, *.ada)
[...]
* yaml:
    YAML (filenames *.yaml, *.yml)
* zephir:
    Zephir (filenames *.zep)

Formatters:
~~~~~~~~~~~
* bbcode, bb:
    Format tokens with BBcodes. These formatting codes are used by many bulletin boards, so you can highlight your sourcecode with pygments before posting it there.
* bmp, bitmap:
    Create a bitmap image from source code. This uses the Python Imaging Library to generate a pixmap from the source code. (filenames *.bmp)
* gif:
    Create a GIF image from source code. This uses the Python Imaging Library to generate a pixmap from the source code. (filenames *.gif)
* html:
    Format tokens as HTML 4 ``<span>`` tags within a ``<pre>`` tag, wrapped in a ``<div>`` tag. The ``<div>``'s CSS class can be set by the `cssclass` option. (filenames *.html, *.htm)
[...]
* text, null:
    Output the text unchanged without any formatting. (filenames *.txt)

Filters:
~~~~~~~~
* raiseonerror:
    Raise an exception when the lexer generates an error token.
* whitespace:
    Convert tabs, newlines and/or spaces to visible characters.
* tokenmerge:
    Merges consecutive tokens with the same token type in the output stream of a lexer.
* highlight:
    Highlight a normal Name (and Name.*) token with a different token type.
[...]
* algol:
* fruity:
    Pygments version of the "native" vim theme.

The tutorial at https://pygments.org/docs/quickstart/ shows an example for outputting highlighted text from python.

$ python
>>> from pygments import highlight
>>> from pygments.lexers import PythonLexer
>>> from pygments.formatters import HtmlFormatter
>>>
>>> code = 'print "Hello World"'
>>> print(highlight(code, PythonLexer(), HtmlFormatter()))
<div class="highlight"><pre><span></span><span class="k">print</span> <span class="s2">"Hello World"</span>
</pre></div>

>>> exit()

Fed the test code above to the cli.

$ pygmentize -f html -o test.html test.py

Copied the HTML file to Downloads and examined that in a browser - test.html displayed the code in a new page, without any frills.

$ pygmentize -f html -O full -o style.html test.py

Viewing style.html in the browser shows a fully colour-coded version of the helloworld script.

$ pygmentize -S default -f html > style.css

creates a style sheet. Not knowing anything about web programming I'll let it rest there.

No reproducers found or any assigned CVE number.

Updated the packages. Repeated the helloworld tests for python2 and python3, cli and interactive sessions, six tests in all. Note that in mga7 the default is python2, so on the cli use pygmentize-3 for python3, e.g.

$ pygmentize-3 -f html -o test3.html test.py

Those all worked fine.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => tarazed25
Advisory:
========================

Updated python-pygments packages fix security vulnerability:

Infinite loop in SML lexer may lead to DoS. When the SMLLexer gets fed the string "exception" it seems to loop indefinitely (rhbz#1922136).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TWY26NY4DBGDCUICGQT3I432Y5LZWS2U/
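An added regression check for the hang described in the advisory above (example code, not from this bug thread or the pygments project): it feeds the string "exception" to SMLLexer in a child process under a wall-clock limit, so an unfixed pygments (before 2.7.4) is reported as a hang instead of blocking the tester. The helper names (run_with_deadline, check_sml_lexer and the constructed _echo_len / _spin_forever targets) are assumptions of this example; the SMLLexer import is the real pygments API and is only attempted when pygments is installed.

```python
# Regression check for the pygments SML lexer hang (rhbz#1922136 / CVE-2021-20270):
# the lexer runs in a child process under a wall-clock limit, so an unfixed
# pygments (< 2.7.4) cannot block the tester; it is reported as a hang instead.
import multiprocessing

# Input that the bug report says makes SMLLexer loop indefinitely before 2.7.4.
TRIGGER = "exception"

def _ctx():
    # fork lets plain functions be child targets; fall back where it is unavailable.
    try:
        return multiprocessing.get_context("fork")
    except ValueError:
        return multiprocessing.get_context()

def run_with_deadline(target, text, timeout):
    """Run target(text, queue) in a child; return ("ok", value), ("hang", None) or ("error", None)."""
    ctx = _ctx()
    queue = ctx.Queue()
    proc = ctx.Process(target=target, args=(text, queue))
    proc.start()
    proc.join(timeout)
    if proc.is_alive():  # still running past the deadline: the DoS symptom
        proc.terminate()
        proc.join()
        return ("hang", None)
    if proc.exitcode != 0:
        return ("error", None)
    return ("ok", queue.get(timeout=1))

def _lex_sml(text, queue):
    # Child body: tokenise with the real SMLLexer and report the token count.
    from pygments.lexers import SMLLexer
    queue.put(len(list(SMLLexer().get_tokens(text))))

def _echo_len(text, queue):
    queue.put(len(text))  # constructed fast target, exercises the "ok" path

def _spin_forever(text, queue):
    while True:  # constructed stand-in for the unfixed lexer: never returns
        pass

def check_sml_lexer(timeout=5.0):
    """("skipped", None) without pygments; otherwise the outcome of lexing TRIGGER."""
    try:
        import pygments  # noqa: F401
    except ImportError:
        return ("skipped", None)
    return run_with_deadline(_lex_sml, TRIGGER, timeout)
```

Calling check_sml_lexer() on a fixed package returns ("ok", token_count); on an affected one it returns ("hang", None) after the timeout instead of hanging the QA session.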
Rebooted to a mageia 8 partition. Ran a couple of the simple test programs. Updated the one package. Used the REPL and commandline for the tutorial introductory scripts.

$ python
Python 3.8.7 (default, Jan 24 2021, 11:10:31)
[GCC 10.2.1 20210123] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pygments import highlight
>>> from pygments.lexers import PythonLexer
>>> from pygments.formatters import HtmlFormatter
>>>
>>> code = 'print "Hello World"'
>>> print(highlight(code, PythonLexer(), HtmlFormatter()))
<div class="highlight"><pre><span></span><span class="nb">print</span> <span class="s2">"Hello World"</span>
</pre></div>

>>> exit()

$ pygmentize -S default -f html > style.css
$ ll style.css
-rw-r--r-- 1 lcl lcl 4027 Mar  4  2021 style.css

$ pygmentize -f html -o test3.html test.py
$ ll test3.html
-rw-r--r-- 1 lcl lcl 860 Mar  4  2021 test3.html

In a browser the html file shows the unadorned code from the helloworld script.

$ pygmentize -f html -O full -o style.html test.py

In a browser style.html presents the helloworld code in colour.

Passing this for mga8.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Advisory pushed to SVN. Validating update.
CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0114.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
This is CVE-2021-20270: https://www.debian.org/security/2021/dsa-4870
Summary: python-pygments new security issue rhbz#1922136 => python-pygments new security issue rhbz#1922136 (CVE-2021-20270)
The update to 2.7.4 for Mageia 8 also fixed CVE-2021-27291:
https://www.debian.org/security/2021/dsa-4878
https://ubuntu.com/security/notices/USN-4897-1

Bug 28982 filed for Mageia 7.