Your message dated Fri, 15 Jan 2016 10:17:33 +0000
with message-id <[email protected]>
and subject line Bug#802828: fixed in pygments 2.0.1+dfsg-1.1+deb8u1
has caused the Debian Bug report #802828,
regarding python-pygments: CVE-2015-8557: shell injection in
FontManager._get_nix_font_path
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
802828: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802828
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-pygments
Version: 2.0.1+dfsg-1.1
Tags: security
Forwarded: https://bitbucket.org/birkenfeld/pygments-main/pull-requests/501
Javantea reported in <http://seclists.org/fulldisclosure/2015/Oct/4>:
An unsafe use of string concatenation in a shell string occurs in
FontManager. If the developer allows the attacker to choose the font
and outputs an image, the attacker can execute any shell command on the
remote system. The name variable injected comes from the constructor of
FontManager, which is invoked by ImageFormatter from options.
pygments/formatters/img.py:82

    def _get_nix_font_path(self, name, style):
        try:
            from commands import getstatusoutput
        except ImportError:
            from subprocess import getstatusoutput
        exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
                                    (name, style))
        if not exit:
            lines = out.splitlines()
            if lines:
                path = lines[0].strip().strip(':')
                return path
--
Jakub Wilk
--- End Message ---
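For comparison with the snippet quoted in the report, here is the shape the fix takes: the font pattern is passed to fc-list as a single argv element with no shell involved, so quoting characters in the font name can no longer terminate the command. This is an added example, not the page's, Debian's or upstream Pygments' code; the function names, the `runner` parameter (a seam so the lookup can be exercised with canned output) and SAMPLE_FC_LIST_OUTPUT are constructed for illustration.

```python
import subprocess
from typing import Callable, List, Optional, Tuple

# Constructed sample of what `fc-list <pattern> file` prints on a typical
# Debian system (fontconfig terminates each path with ": ").  Not taken
# from the page; it lets the example run without fontconfig installed.
SAMPLE_FC_LIST_OUTPUT = (
    "/usr/share/fonts/truetype/dejavu/DejaVuSans-Bold.ttf: \n"
    "/usr/share/fonts/truetype/dejavu/DejaVuSansCondensed-Bold.ttf: \n"
)

Runner = Callable[[List[str]], Tuple[int, str]]


def build_fc_list_argv(name: str, style: str) -> List[str]:
    """Return the argument vector for fc-list.

    The whole "<name>:style=<style>" pattern is one argv element.  Nothing
    is handed to /bin/sh, so quotes, semicolons or backticks in `name`
    reach fc-list as literal characters instead of being interpreted.
    """
    return ["fc-list", "%s:style=%s" % (name, style), "file"]


def run_argv(argv: List[str]) -> Tuple[int, str]:
    """Execute argv directly (shell=False) and return (exit status, stdout).

    A missing fc-list binary is reported as status 127 rather than raised,
    mirroring the "command not found" status getstatusoutput() would give.
    """
    try:
        proc = subprocess.run(
            argv,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            universal_newlines=True,
        )
    except OSError:
        return 127, ""
    return proc.returncode, proc.stdout


def parse_fc_list_output(out: str) -> Optional[str]:
    """First path in fc-list's output with the trailing ':' removed
    (the same post-processing as the original function)."""
    lines = out.splitlines()
    if lines:
        return lines[0].strip().strip(":")
    return None


def get_nix_font_path(name: str, style: str,
                      runner: Runner = run_argv) -> Optional[str]:
    """Hardened counterpart of FontManager._get_nix_font_path.

    `runner` is a hypothetical seam added for this example so the lookup
    can be tested with canned output; production code calls run_argv.
    """
    status, out = runner(build_fc_list_argv(name, style))
    if status != 0:
        return None
    return parse_fc_list_output(out)


if __name__ == "__main__":
    # A font name containing shell metacharacters: with shell=False they
    # are merely part of a (non-existent) font name that fc-list looks up.
    print(build_fc_list_argv('Mono" ; x', "Bold"))
    print(get_nix_font_path("DejaVu Sans", "Bold"))
```

The essential change is the argv list in build_fc_list_argv: `subprocess.run` with a list and the default `shell=False` calls execve directly, so there is no shell grammar for the font name to escape from. Validating the name against an allow-list (letters, digits, spaces, hyphens) before the lookup is a reasonable second layer, but it is defence in depth, not the fix.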
--- Begin Message ---
Source: pygments
Source-Version: 2.0.1+dfsg-1.1+deb8u1
We believe that the bug you reported is fixed in the latest version of
pygments, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated pygments package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 10 Jan 2016 16:50:12 +0100
Source: pygments
Binary: python-pygments python3-pygments python-pygments-doc
Architecture: all source
Version: 2.0.1+dfsg-1.1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Piotr Ożarowski <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 802828
Description:
python-pygments - syntax highlighting package written in Python
python-pygments-doc - documentation for the Pygments
python3-pygments - syntax highlighting package written in Python 3
Changes:
 pygments (2.0.1+dfsg-1.1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2015-8557.patch patch.
     CVE-2015-8557: Shell injection in FontManager._get_nix_font_path.
     (Closes: #802828)
Checksums-Sha1:
 307ca9f803febd3e329f275a782219950b5bc89d 2330 pygments_2.0.1+dfsg-1.1+deb8u1.dsc
 4d697edf6fa3f9c5bd58be4554fa01679f35b471 936249 pygments_2.0.1+dfsg.orig.tar.gz
 74ceb3ce685b58851a3048f24326a726faae2bca 7360 pygments_2.0.1+dfsg-1.1+deb8u1.debian.tar.xz
 287e32b9b981a0bdf66aee8bfc806ff17465b0ef 481588 python-pygments_2.0.1+dfsg-1.1+deb8u1_all.deb
 7a07ecddcc7886b7326acc72cde28081633e0683 479518 python3-pygments_2.0.1+dfsg-1.1+deb8u1_all.deb
 09314394692a82253b46273561ba5aac0f61013b 227684 python-pygments-doc_2.0.1+dfsg-1.1+deb8u1_all.deb
Checksums-Sha256:
 251e9cfd42ccea8dcd64d43b25c3fbab4ba19d6b2df5bb4d71b325c401912afd 2330 pygments_2.0.1+dfsg-1.1+deb8u1.dsc
 44eee854675525dbf251373a495a33de46321aecd907466372b75e8233511bb4 936249 pygments_2.0.1+dfsg.orig.tar.gz
 68955ca8af67ef7b77d60782628a366502d45ba2064302fb30bd830dd54eb73c 7360 pygments_2.0.1+dfsg-1.1+deb8u1.debian.tar.xz
 0a40170f19081f2a93f36698ba283901c487aaefa31934c7a81919eb9e864d99 481588 python-pygments_2.0.1+dfsg-1.1+deb8u1_all.deb
 da2a6ee0fe41e1589915f5fa729c16ecf93099249b3983de8773d9c4460b0bbc 479518 python3-pygments_2.0.1+dfsg-1.1+deb8u1_all.deb
 d9bd30468185a46b6c6a817e2d27d511f3b5ff97f17daebbc9286183a393fcac 227684 python-pygments-doc_2.0.1+dfsg-1.1+deb8u1_all.deb
Files:
 53cc7be5ba182b8140040a8d796d9f36 2330 python optional pygments_2.0.1+dfsg-1.1+deb8u1.dsc
 81a7b53bc120eee6b22a27325582f000 936249 python optional pygments_2.0.1+dfsg.orig.tar.gz
 eb01a9be5536f54cac6f319c51eeedae 7360 python optional pygments_2.0.1+dfsg-1.1+deb8u1.debian.tar.xz
 9d7351c793da6d9df04a7258e23f8fb1 481588 python optional python-pygments_2.0.1+dfsg-1.1+deb8u1_all.deb
 ddb867d3c9b80f695e536fdc22791b4e 479518 python optional python3-pygments_2.0.1+dfsg-1.1+deb8u1_all.deb
 4ad6f834ca0b06d81e02d169f373d868 227684 doc extra python-pygments-doc_2.0.1+dfsg-1.1+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---