Your message dated Fri, 15 Jan 2016 10:18:28 +0000
with message-id <[email protected]>
and subject line Bug#802828: fixed in pygments 1.5+dfsg-1+deb7u1
has caused the Debian Bug report #802828,
regarding python-pygments: CVE-2015-8557: shell injection in FontManager._get_nix_font_path
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
802828: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802828
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-pygments
Version: 2.0.1+dfsg-1.1
Tags: security
Forwarded: https://bitbucket.org/birkenfeld/pygments-main/pull-requests/501
Javantea reported in <http://seclists.org/fulldisclosure/2015/Oct/4>:
An unsafe use of string concatenation in a shell string occurs in
FontManager. If the developer allows the attacker to choose the font
and outputs an image, the attacker can execute any shell command on the
remote system. The name variable injected comes from the constructor of
FontManager, which is invoked by ImageFormatter from options.
pygments/formatters/img.py:82
    def _get_nix_font_path(self, name, style):
        try:
            from commands import getstatusoutput
        except ImportError:
            from subprocess import getstatusoutput
        exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
                                    (name, style))
        if not exit:
            lines = out.splitlines()
            if lines:
                path = lines[0].strip().strip(':')
                return path
--
Jakub Wilk
--- End Message ---
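A hardened version of the lookup quoted in the report above, passing the font name and style to fc-list as an argument vector rather than interpolating them into a shell string. This is an added example, not the upstream pull request or the Debian patch; the function names, the `run` stand-in parameter and the sample fc-list output are assumptions.

```python
"""Shell-free fc-list lookup (added example, not pygments' own code)."""
import subprocess
from typing import Callable, List, Optional


def build_fc_list_argv(name: str, style: str) -> List[str]:
    """Return the fc-list invocation as an argv list.

    The pattern travels as a single argv element and no /bin/sh is involved,
    so characters such as ';', '$(' or backticks in `name` reach fc-list as
    literal text instead of being interpreted by a shell.
    """
    if "\0" in name or "\0" in style:
        raise ValueError("NUL byte in font name or style")
    return ["fc-list", "%s:style=%s" % (name, style), "file"]


def get_nix_font_path(name: str, style: str,
                      run: Callable[..., object] = subprocess.run
                      ) -> Optional[str]:
    """Look up a font file path via fc-list without invoking a shell.

    `run` defaults to subprocess.run (shell=False) and is a parameter only so
    the lookup can be exercised with a stand-in returning constructed output.
    Returns None when fc-list is absent, fails, or prints nothing.
    """
    argv = build_fc_list_argv(name, style)
    try:
        proc = run(argv, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None  # fontconfig's fc-list is not installed
    if proc.returncode != 0:
        return None
    lines = proc.stdout.splitlines()
    if not lines:
        return None
    # fc-list prints "<path>: " per match; keep the original's trimming.
    return lines[0].strip().strip(":")


if __name__ == "__main__":
    print(get_nix_font_path("DejaVu Sans", "Book"))
```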
--- Begin Message ---
Source: pygments
Source-Version: 1.5+dfsg-1+deb7u1
We believe that the bug you reported is fixed in the latest version of
pygments, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated pygments package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 10 Jan 2016 16:42:08 +0100
Source: pygments
Binary: python-pygments python3-pygments
Architecture: source all
Version: 1.5+dfsg-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Piotr Ożarowski <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
python-pygments - syntax highlighting package written in Python
python3-pygments - syntax highlighting package written in Python 3
Closes: 802828
Changes:
pygments (1.5+dfsg-1+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2015-8557.patch patch.
CVE-2015-8557: Shell injection in FontManager._get_nix_font_path.
(Closes: #802828)
--- End Message ---