Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:pygments
User: [email protected]
Usertags: pu
[ Reason ]
Fix potential ReDoS vulnerabilities in pygments: CVE-2026-4539[1], CVE-2022-40896[2].

[ Impact ]
A specially crafted input can trigger excessive CPU consumption due to inefficient regular expression processing in the affected lexers, leading to a denial of service condition.

[ Tests ]
The vulnerable code path was tested with the proposed patch applied.

[ Risks ]
The changes are minimal and limited to the affected lexers. They are direct backports of the upstream fixes and do not modify unrelated functionality.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Backport the upstream fixes for CVE-2026-4539.

[ Other info ]
The merge request for unstable is open and awaiting review. @piotr has reviewed this backport and will sponsor it.
diff -Nru pygments-2.18.0+dfsg/debian/changelog pygments-2.18.0+dfsg/debian/changelog --- pygments-2.18.0+dfsg/debian/changelog 2025-01-13 14:44:43.000000000 +0000 +++ pygments-2.18.0+dfsg/debian/changelog 2026-06-01 17:35:31.000000000 +0000 @@ -1,3 +1,12 @@ +pygments (2.18.0+dfsg-2+deb13u1) trixie; urgency=medium + + * Team upload. + * d/patches: (Closes: #1132233) + - CVE-2026-4539: Import and backport upstream patch + (Potential ReDoS in AdlLexer) + + -- Matheus Polkorny <[email protected]> Mon, 01 Jun 2026 14:35:31 -0300 + pygments (2.18.0+dfsg-2) unstable; urgency=medium * Team upload. diff -Nru pygments-2.18.0+dfsg/debian/patches/CVE-2026-4539.patch pygments-2.18.0+dfsg/debian/patches/CVE-2026-4539.patch --- pygments-2.18.0+dfsg/debian/patches/CVE-2026-4539.patch 1970-01-01 00:00:00.000000000 +0000 +++ pygments-2.18.0+dfsg/debian/patches/CVE-2026-4539.patch 2026-06-01 17:35:31.000000000 +0000 
@@ -0,0 +1,34 @@ +From: "zam." <[email protected]> +Date: Thu, 26 Mar 2026 04:48:59 +0700 +Subject: fix(lexers): prevent ReDoS in archetype lexer GUID and ID patterns + (#3064) + +Origin: upstream, https://github.com/pygments/pygments/commit/24b8aa76c6cd6d70f39c6dd605cce319c98e2ccc +--- + pygments/lexers/archetype.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/pygments/lexers/archetype.py b/pygments/lexers/archetype.py +index b019c4f..650c51b 100644 +--- a/pygments/lexers/archetype.py ++++ b/pygments/lexers/archetype.py +@@ -35,8 +35,8 @@ class AtomsLexer(RegexLexer): + (r'([ \t]*)(--.*)$', bygroups(Whitespace, Comment)), + ], + 'archetype_id': [ +- (r'([ \t]*)(([a-zA-Z]\w+(\.[a-zA-Z]\w+)*::)?[a-zA-Z]\w+(-[a-zA-Z]\w+){2}' +- r'\.\w+[\w-]*\.v\d+(\.\d+){,2}((-[a-z]+)(\.\d+)?)?)', ++ (r'([ \t]*)(([a-zA-Z]\w{1,100}(\.[a-zA-Z]\w{1,100})*::)?[a-zA-Z]\w{1,100}(-[a-zA-Z]\w{1,100}){2}' ++ r'\.\w{1,100}[\w-]*\.v\d+(\.\d+){,2}((-[a-z]+)(\.\d+)?)?)', + bygroups(Whitespace, Name.Decorator)), + ], + 'date_constraints': [ +@@ -293,7 +293,7 @@ class AdlLexer(AtomsLexer): + # numbers and version ids + (r'\d+(\.\d+)*', Literal), + # Guids +- (r'(\d|[a-fA-F])+(-(\d|[a-fA-F])+){3,}', Literal), ++ (r'[0-9a-fA-F]{1,36}(-[0-9a-fA-F]{1,36}){3,}', Literal), + (r'\w+', Name.Class), + (r'"', String, 'string'), + (r'=', Operator), diff -Nru pygments-2.18.0+dfsg/debian/patches/series pygments-2.18.0+dfsg/debian/patches/series --- pygments-2.18.0+dfsg/debian/patches/series 2025-01-13 14:41:33.000000000 +0000 +++ pygments-2.18.0+dfsg/debian/patches/series 2026-06-01 17:35:31.000000000 +0000 @@ -1,3 +1,4 @@ 0001-docs-moved-to-python-pygments-doc-binary-package.patch 0002-pygments.bashcomp-Remove-hashbang-within-bash-comple.patch 0003-Disable-lexer-examples-in-documentation.patch +CVE-2026-4539.patch
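Review bot: the debian/changelog hunk documents only CVE-2026-4539, while the [ Reason ] section also cites CVE-2022-40896 and the debdiff carries no patch for it; either add the second CVE and its patch to d/changelog and the [ Changes ] section, or drop it from [ Reason ] so the scope of this upload is unambiguous.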
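Review bot: the DEP-3 header of debian/patches/CVE-2026-4539.patch has From, Date, Subject and Origin but no `Bug-Debian: https://bugs.debian.org/1132233` line linking the patch to the bug the changelog closes; consider adding one above the `---` separator. Also note that the embedded hunks bound previously unbounded repetitions (`\w+` becomes `\w{1,100}` in the archetype_id rule, `(\d|[a-fA-F])+` becomes `[0-9a-fA-F]{1,36}` in the Guids rule), so an archetype id segment longer than 100 characters or a hex segment longer than 36 characters no longer matches these rules (a GUID-like token then falls through to the following `(r'\w+', Name.Class)` rule); this is the upstream behaviour and acceptable for a stable update, but it is a visible tokenization change for overlong inputs and deserves a line in the changelog.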
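Review bot: the new entry `CVE-2026-4539.patch` in debian/patches/series departs from the `NNNN-description.patch` naming used by the three existing entries; naming it `0004-CVE-2026-4539.patch` would keep the directory listing in series order.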
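As an added regression check for the backport (example code, not from this bug report or the upstream commit), the following compares the pre- and post-patch archetype_id and GUID rules from the debdiff on constructed well-formed inputs, and shows the one kind of input (a hex segment over the new 36-character bound) on which the patched GUID rule tokenizes differently:

```python
import re

# Patterns copied verbatim from the backported CVE-2026-4539 patch
# (pygments/lexers/archetype.py), before and after the fix.
OLD_ARCHETYPE_ID = (r'([ \t]*)(([a-zA-Z]\w+(\.[a-zA-Z]\w+)*::)?[a-zA-Z]\w+(-[a-zA-Z]\w+){2}'
                    r'\.\w+[\w-]*\.v\d+(\.\d+){,2}((-[a-z]+)(\.\d+)?)?)')
NEW_ARCHETYPE_ID = (r'([ \t]*)(([a-zA-Z]\w{1,100}(\.[a-zA-Z]\w{1,100})*::)?[a-zA-Z]\w{1,100}(-[a-zA-Z]\w{1,100}){2}'
                    r'\.\w{1,100}[\w-]*\.v\d+(\.\d+){,2}((-[a-z]+)(\.\d+)?)?)')
OLD_GUID = r'(\d|[a-fA-F])+(-(\d|[a-fA-F])+){3,}'
NEW_GUID = r'[0-9a-fA-F]{1,36}(-[0-9a-fA-F]{1,36}){3,}'

# Constructed sample inputs (not taken from the bug report): well-formed
# openEHR-style archetype ids and RFC 4122-style GUIDs, plus strings that
# must not match either rule.
ARCHETYPE_SAMPLES = [
    "openEHR-EHR-OBSERVATION.blood_pressure.v1.0.0",
    "org.openehr::openEHR-EHR-OBSERVATION.blood_pressure.v1.0.0-rc.1",
    "  openEHR-EHR-CLUSTER.device.v1",
    "not-an-archetype-id",
]
GUID_SAMPLES = [
    "123e4567-e89b-12d3-a456-426614174000",
    "deadbeef-0000-1111-2222",
    "12-34-56",
]
# One hex segment longer than the new 36-character bound: the only kind of
# input on which the patched GUID rule consumes different text.
OVERLONG_GUID = "a" * 37 + "-b-c-d"


def first_token(pattern, text):
    """Text consumed by `pattern` at the start of `text` (as RegexLexer matches), or None."""
    match = re.compile(pattern, re.MULTILINE).match(text)
    return match.group(0) if match else None


def same_tokenization(old, new, samples):
    """True when the old and patched rules consume identical text for every sample."""
    return all(first_token(old, s) == first_token(new, s) for s in samples)


if __name__ == "__main__":
    print("archetype_id unchanged:", same_tokenization(OLD_ARCHETYPE_ID, NEW_ARCHETYPE_ID, ARCHETYPE_SAMPLES))
    print("guid unchanged:", same_tokenization(OLD_GUID, NEW_GUID, GUID_SAMPLES))
    print("overlong segment matched by old rule:", first_token(OLD_GUID, OVERLONG_GUID) is not None)
    print("overlong segment matched by new rule:", first_token(NEW_GUID, OVERLONG_GUID) is not None)
```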

