Your message dated Sun, 10 Jan 2016 18:20:06 +0000
with message-id <[email protected]>
and subject line Bug#802828: fixed in pygments 2.0.1+dfsg-2
has caused the Debian Bug report #802828,
regarding python-pygments: CVE-2015-8557: shell injection in FontManager._get_nix_font_path
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
802828: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802828
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-pygments
Version: 2.0.1+dfsg-1.1
Tags: security
Forwarded: https://bitbucket.org/birkenfeld/pygments-main/pull-requests/501

Javantea reported in <http://seclists.org/fulldisclosure/2015/Oct/4>:
An unsafe use of string concatenation in a shell string occurs in FontManager. If the developer allows the attacker to choose the font and outputs an image, the attacker can execute any shell command on the remote system. The name variable injected comes from the constructor of FontManager, which is invoked by ImageFormatter from options.

pygments/formatters/img.py:82
def _get_nix_font_path(self, name, style):
    try:
        from commands import getstatusoutput
    except ImportError:
        from subprocess import getstatusoutput
    # getstatusoutput() runs its argument through /bin/sh; name and style
    # are interpolated into that shell string unquoted and unescaped.
    exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
                                (name, style))
    if not exit:
        lines = out.splitlines()
        if lines:
            path = lines[0].strip().strip(':')
            return path

--
Jakub Wilk

--- End Message ---
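To show the hardening the report calls for, here is an added example (not code from the pygments project or from the report above) that puts the original shell string next to an argv-based lookup, so `fc-list` receives `name` and `style` as literal arguments and no shell ever parses them. The sample `fc-list` output and the `fake_run` stand-in are constructed so the example runs where fontconfig is not installed.

```python
import subprocess

# Constructed sample of what `fc-list "<name>:style=<style>" file` prints
# on a typical Linux desktop; used only so the example runs offline.
SAMPLE_FC_LIST_OUTPUT = (
    "/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf: \n"
    "/usr/share/fonts/truetype/dejavu/DejaVuSans-Bold.ttf: \n"
)


def vulnerable_shell_string(name, style):
    """The string the original code hands to getstatusoutput(), which
    runs it through /bin/sh: name and style are pasted straight in."""
    return 'fc-list "%s:style=%s" file' % (name, style)


def fc_list_argv(name, style):
    """Hardened form: one argv element per argument. The pattern is a
    single element, so quotes or separators inside name/style reach
    fc-list literally and are never interpreted by a shell."""
    return ["fc-list", "%s:style=%s" % (name, style), "file"]


def parse_font_path(out):
    """Same result extraction as the original: first line, minus ':'."""
    lines = out.splitlines()
    if lines:
        return lines[0].strip().strip(":")
    return None


def get_nix_font_path(name, style, run=subprocess.run):
    """Replacement lookup without a shell. `run` is injectable so the
    function can be exercised on hosts that lack fc-list."""
    try:
        proc = run(fc_list_argv(name, style), stdout=subprocess.PIPE,
                   stderr=subprocess.DEVNULL, universal_newlines=True)
    except OSError:          # fc-list not installed
        return None
    if proc.returncode != 0:
        return None
    return parse_font_path(proc.stdout)


def fake_run(argv, **kwargs):
    """Constructed stand-in for subprocess.run: succeeds with the sample
    output, so tests can check which argv fc-list would have received."""
    return subprocess.CompletedProcess(argv, 0, stdout=SAMPLE_FC_LIST_OUTPUT)


if __name__ == "__main__":
    odd_name = 'Bad"Font;Name'            # metacharacters, one argument
    print(fc_list_argv(odd_name, "Regular")[1])
    print(get_nix_font_path("DejaVu Sans", "Book"))   # None if no fc-list
```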
--- Begin Message ---
Source: pygments
Source-Version: 2.0.1+dfsg-2

We believe that the bug you reported is fixed in the latest version of
pygments, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Piotr Ożarowski <[email protected]> (supplier of updated pygments package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 Jan 2016 18:56:35 +0100
Source: pygments
Binary: python-pygments python3-pygments python-pygments-doc
Architecture: source all
Version: 2.0.1+dfsg-2
Distribution: unstable
Urgency: high
Maintainer: Piotr Ożarowski <[email protected]>
Changed-By: Piotr Ożarowski <[email protected]>
Description:
 python-pygments - syntax highlighting package written in Python
 python-pygments-doc - documentation for the Pygments
 python3-pygments - syntax highlighting package written in Python 3
Closes: 802828
Changes:
 pygments (2.0.1+dfsg-2) unstable; urgency=high
 .
   [ Salvatore Bonaccorso ]
   * Add CVE-2015-8557.patch patch.
     CVE-2015-8557: Shell injection in FontManager._get_nix_font_path.
     (Closes: #802828)
 .
   [ Piotr Ożarowski ]
   * debian/watch: use pypi.debian.net redirector
   * install pygmentize's bash completion to
     /usr/share/bash-completion/completions


--- End Message ---
