Bug 28319 - python-pygments new security issue rhbz#1922136 (CVE-2021-20270)
Summary: python-pygments new security issue rhbz#1922136 (CVE-2021-20270)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-02-08 16:28 CET by David Walser
Modified: 2021-05-28 21:57 CEST

See Also:
Source RPM: python-pygments-2.7.3-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2021-02-08 16:28:17 CET
Fedora has issued an advisory on February 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TWY26NY4DBGDCUICGQT3I432Y5LZWS2U/

The issue is fixed upstream in 2.7.4.

Mageia 7 is also affected.
David Walser 2021-02-08 16:28:33 CET

Status comment: (none) => Fixed upstream in 2.7.4
Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2021-02-08 17:35:51 CET
In the absence of an obvious maintainer for this SRPM, assigning to the Python stack group.

Assignee: bugsquad => python

David Walser 2021-02-10 16:37:11 CET

Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO

Comment 2 Nicolas Lécureuil 2021-02-27 01:00:18 CET
Pushed in mga7

src:
     python-pygments-2.3.1-1.1.mga7

Pushed in mga8:

src:
     python-pygments-2.7.4-1.1.mga8

Fixed in cauldron too

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
CC: (none) => mageia

Nicolas Lécureuil 2021-02-27 01:01:09 CET

Status comment: Fixed upstream in 2.7.4 => (none)

Comment 3 David Walser 2021-02-27 18:02:32 CET
Package list:
python2-pygments-2.3.1-1.1.mga7
python3-pygments-2.3.1-1.1.mga7
python3-pygments-2.7.4-1.1.mga8

from SRPMS:
python-pygments-2.3.1-1.1.mga7.src.rpm
python-pygments-2.7.4-1.1.mga8.src.rpm

Assignee: python => qa-bugs

Comment 4 Len Lawrence 2021-03-01 18:17:03 CET
mga7, x64

This is concerned with highlighting text in various document formats AFAICS.
It supplies a user command 'pygmentize'.
List supported lexers, formatters, filters.
$ pygmentize -L
* abap:
    ABAP (filenames *.abap, *.ABAP)
* abnf:
    ABNF (filenames *.abnf)
* ada, ada95, ada2005:
    Ada (filenames *.adb, *.ads, *.ada)
[...]
* yaml:
    YAML (filenames *.yaml, *.yml)
* zephir:
    Zephir (filenames *.zep)

Formatters:
~~~~~~~~~~~
* bbcode, bb:
    Format tokens with BBcodes. These formatting codes are used by many bulletin boards, so you can highlight your sourcecode with pygments before posting it there. 
* bmp, bitmap:
    Create a bitmap image from source code. This uses the Python Imaging Library to generate a pixmap from the source code. (filenames *.bmp)
* gif:
    Create a GIF image from source code. This uses the Python Imaging Library to generate a pixmap from the source code. (filenames *.gif)
* html:
    Format tokens as HTML 4 ``<span>`` tags within a ``<pre>`` tag, wrapped in a ``<div>`` tag. The ``<div>``'s CSS class can be set by the `cssclass` option. (filenames *.html, *.htm)
[...]
* text, null:
    Output the text unchanged without any formatting. (filenames *.txt)

Filters:
~~~~~~~~
* raiseonerror:
    Raise an exception when the lexer generates an error token.
* whitespace:
    Convert tabs, newlines and/or spaces to visible characters.
* tokenmerge:
    Merges consecutive tokens with the same token type in the output stream of a lexer.
* highlight:
    Highlight a normal Name (and Name.*) token with a different token type.
[...]
* algol:
    
* fruity:
    Pygments version of the "native" vim theme.

The tutorial at https://pygments.org/docs/quickstart/
shows an example for outputting highlighted text from python.
$ python
>>> from pygments import highlight
>>> from pygments.lexers import PythonLexer
>>> from pygments.formatters import HtmlFormatter
>>> 
>>> code = 'print "Hello World"'
>>> print(highlight(code, PythonLexer(), HtmlFormatter()))
<div class="highlight"><pre><span></span><span class="k">print</span> <span class="s2">&quot;Hello World&quot;</span>
</pre></div>

>>> exit()

Fed the test code above to the cli.
$ pygmentize -f html -o test.html test.py
Copied the HTML file to Downloads and examined that in a browser - test.html displayed the code in a new page, without any frills.

$ pygmentize -f html -O full -o style.html test.py
Viewing style.html in the browser shows a fully colour-coded version of the helloworld script.
$ pygmentize -S default -f html > style.css
creates a style sheet.

Not knowing anything about web programming I'll let it rest there.
No reproducers found or any assigned CVE number.

Updated the packages.

Repeated the helloworld tests for python2 and python3, cli and interactive sessions, six tests in all.  Note that in mga7 the default is python2 so on the cli use pygmentize-3 for python3.
e.g. $ pygmentize-3 -f html -o test3.html test.py
Those all worked fine.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => tarazed25

Comment 5 David Walser 2021-03-03 01:03:59 CET
Advisory:
========================

Updated python-pygments packages fix security vulnerability:

Infinite loop in SML lexer may lead to DoS. When the SMLLexer gets fed the
string "exception" it seems to loop indefinitely (rhbz#1922136).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TWY26NY4DBGDCUICGQT3I432Y5LZWS2U/
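
The advisory above describes the defect as a lexer that never returns on the input "exception". QA here only confirmed that normal highlighting still works; the check a practitioner would actually want is one that feeds the reported input to the SML lexer under a hard timeout, so a vulnerable package reports "timeout" instead of hanging the test session. The script below is an added example written for this page; it is not part of the Mageia bug, the update, or Pygments itself. It assumes Pygments is importable under its usual name and that the SML lexer is registered under the alias "sml". Because Pygments lexers are regex state machines, a pathological input spins inside C regex code and cannot be interrupted from a thread, so the tokenising runs in a forked child process that is killed when the deadline passes.

```python
"""Watchdog check for lexer hangs (added example, not Pygments' own code)."""
import multiprocessing as mp

# Input reported in rhbz#1922136 for the SML lexer, taken from the advisory.
SML_HANG_INPUT = "exception"

# Forking avoids pickling the worker function; fall back to the platform
# default where fork is unavailable (e.g. Windows).
try:
    _CTX = mp.get_context("fork")
except ValueError:
    _CTX = mp.get_context()


def _tokenise(lexer_name, text, conn):
    """Child-process body: tokenise `text` with the named lexer and report."""
    try:
        from pygments.lexers import get_lexer_by_name  # assumed import path
        lexer = get_lexer_by_name(lexer_name)
        count = sum(1 for _ in lexer.get_tokens(text))
        conn.send(("ok", count))
    except Exception as exc:  # report anything (including a missing module)
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def run_with_timeout(target, args, timeout):
    """Run `target(*args, conn)` in a child; kill it after `timeout` seconds.

    Returns ("ok", value), ("error", text) or ("timeout", None).
    """
    parent_conn, child_conn = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=target, args=(*args, child_conn))
    proc.start()
    child_conn.close()  # parent keeps only the read end
    if parent_conn.poll(timeout):
        try:
            result = parent_conn.recv()
        except EOFError:
            result = ("error", "child exited without reporting")
    else:
        result = ("timeout", None)
    if proc.is_alive():
        proc.kill()  # SIGKILL: a regex stuck in C code ignores nothing else
    proc.join()
    parent_conn.close()
    return result


def check_lexer(lexer_name, text, timeout=5.0):
    """Return (status, detail) for tokenising `text` with `lexer_name`.

    "timeout" on an unpatched package is the hang described in the advisory;
    a fixed build (2.7.4, or the backported 2.3.1-1.1.mga7) returns "ok" with
    the token count. If Pygments cannot be imported the status is "error".
    """
    return run_with_timeout(_tokenise, (lexer_name, text), timeout)


def _spin(_conn):
    """Constructed worker that never returns, used to prove the watchdog fires."""
    while True:
        pass


def _echo(value, conn):
    """Constructed worker that returns immediately, for the self-check."""
    conn.send(("ok", value))
    conn.close()


def watchdog_selfcheck():
    """True if the watchdog kills a spinning child and passes a fast one through."""
    hung = run_with_timeout(_spin, (), 0.5)
    fast = run_with_timeout(_echo, (42,), 5.0)
    return hung == ("timeout", None) and fast == ("ok", 42)


if __name__ == "__main__":
    print("watchdog self-check:", watchdog_selfcheck())
    print("SMLLexer on %r:" % SML_HANG_INPUT, check_lexer("sml", SML_HANG_INPUT))
```

Run it once before and once after installing the update: the first run on an affected 2.3.1 or 2.7.3 package should print `('timeout', None)` for the SML case, and the updated package should print `('ok', <count>)`. The same harness can be pointed at any other lexer and input, which is what makes it useful as a regression check rather than a one-off reproducer.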
Comment 6 Len Lawrence 2021-03-04 23:54:51 CET
Rebooted to a mageia 8 partition.
Ran a couple of the simple test programs.
Updated the one package.

Used the REPL and commandline for the tutorial introductory scripts.
$ python
Python 3.8.7 (default, Jan 24 2021, 11:10:31) 
[GCC 10.2.1 20210123] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pygments import highlight
>>> from pygments.lexers import PythonLexer
>>> from pygments.formatters import HtmlFormatter
>>> 
>>> code = 'print "Hello World"'
>>> print(highlight(code, PythonLexer(), HtmlFormatter()))
<div class="highlight"><pre><span></span><span class="nb">print</span> <span class="s2">&quot;Hello World&quot;</span>
</pre></div>

>>> exit()

$ pygmentize -S default -f html > style.css
$ ll style.css
-rw-r--r-- 1 lcl lcl 4027 Mar  4  2021 style.css

$ pygmentize -f html -o test3.html test.py
$ ll test3.html
-rw-r--r-- 1 lcl lcl 860 Mar  4  2021 test3.html
In a browser the html file shows the unadorned code from the helloworld script.

$ pygmentize -f html -O full -o style.html test.py
In a browser style.html presents the helloworld code in colour.

Passing this for mga8.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 7 Aurelien Oudelet 2021-03-05 14:11:26 CET
Advisory pushed to SVN.
Validating update.

CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 8 Mageia Robot 2021-03-05 17:17:44 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0114.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 9 David Walser 2021-05-27 23:43:59 CEST
This is CVE-2021-20270:
https://www.debian.org/security/2021/dsa-4870

Summary: python-pygments new security issue rhbz#1922136 => python-pygments new security issue rhbz#1922136 (CVE-2021-20270)

Comment 10 David Walser 2021-05-28 21:57:15 CEST
The update to 2.7.4 for Mageia 8 also fixed CVE-2021-27291:
https://www.debian.org/security/2021/dsa-4878
https://ubuntu.com/security/notices/USN-4897-1

Bug 28982 filed for Mageia 7.
