Bug 33030 - python-pygments new security issue CVE-2022-40896
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-03-29 11:14 CET by Nicolas Salguero
Modified: 2024-04-04 22:28 CEST

See Also:
Source RPM: python-pygments-2.13.0-1.mga9.src.rpm
CVE: CVE-2022-40896
Status comment: Patch available from Fedora


Nicolas Salguero 2024-03-29 11:15:03 CET

CVE: (none) => CVE-2022-40896
Status comment: (none) => Patch available from Fedora
Source RPM: (none) => python-pygments-2.13.0-1.mga9.src.rpm

Comment 1 Lewis Smith 2024-03-31 21:13:45 CEST
This is the Fedora bug URL, but as usual I cannot see the patch:
 https://bugzilla.redhat.com/show_bug.cgi?id=2259082
Various packagers have committed this, assigning to Python maintainers.

Assignee: bugsquad => python

Comment 2 David GEIGER 2024-04-01 07:55:40 CEST
Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
python3-pygments-2.15.1-1.mga9.noarch.rpm

From SRPMS:
python-pygments-2.15.1-1.mga9.src.rpm

CC: (none) => geiger.david68210
Assignee: python => qa-bugs

katnatek 2024-04-01 20:24:24 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2024-04-02 23:20:50 CEST
 LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm
Marking python3-pygments as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list


installing python3-pygments-2.15.1-1.mga9.noarch.rpm from /home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: python3-pygments      ##################################################################################################
      1/1: removing python3-pygments-2.13.0-1.mga9.noarch
                                 ##################################################################################################

bug#28982 as reference

python3 pygments-test.py 
<div class="highlight"><pre><span></span><span class="nb">print</span> <span class="s2">&quot;Hello World&quot;</span>
</pre></div>

pygmentize -f html -O full -o style.html pygments-test.py
Open style.html

Reproduced what Len saw in https://bugs.mageia.org/show_bug.cgi?id=28982#c6
katnatek 2024-04-02 23:21:21 CEST

CC: (none) => andrewsfarm

katnatek 2024-04-02 23:21:40 CEST

Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2024-04-03 20:43:34 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2024-04-04 22:28:11 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0107.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
