Your message dated Fri, 12 Mar 2021 10:23:44 +0000
with message-id <[email protected]>
and subject line unblock pygments
has caused the Debian Bug report #985056,
regarding unblock: pygments/2.7.1+dfsg-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
985056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985056
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]
Please unblock package pygments
[ Reason ]
Fixes CVE-2021-20270: infinite loop in the SML lexer
[ Impact ]
CPU exhaustion via crafted SML files in services using pygments
[ Tests ]
There's a simple test case in the upstream bug that I used to
verify that -1 is vulnerable (100% CPU usage) and -2 fixes the
issue.
[ Risks ]
Low risk: minimal change addressing a targeted issue via a patch,
worst case we can unapply the patch if a regression is found.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock pygments/2.7.1+dfsg-2
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (200, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-3-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru pygments-2.7.1+dfsg/debian/changelog
pygments-2.7.1+dfsg/debian/changelog
--- pygments-2.7.1+dfsg/debian/changelog 2020-10-09 00:54:38.000000000
+0200
+++ pygments-2.7.1+dfsg/debian/changelog 2021-03-12 10:54:46.000000000
+0100
@@ -1,3 +1,15 @@
+pygments (2.7.1+dfsg-2) unstable; urgency=medium
+
+ * Team upload.
+
+ [ Sandro Tosi ]
+ * Use the new Debian Python Team contact name and address
+
+ [ Emilio Pozuelo Monfort ]
+ * CVE-2021-20270: infinite loop in the SML lexer (Closes: #984664).
+
+ -- Emilio Pozuelo Monfort <[email protected]> Fri, 12 Mar 2021 10:54:46 +0100
+
pygments (2.7.1+dfsg-1) unstable; urgency=medium
[ Emmanuel Arias ]
diff -Nru pygments-2.7.1+dfsg/debian/control pygments-2.7.1+dfsg/debian/control
--- pygments-2.7.1+dfsg/debian/control 2020-10-09 00:54:38.000000000 +0200
+++ pygments-2.7.1+dfsg/debian/control 2021-03-12 10:54:46.000000000 +0100
@@ -2,7 +2,7 @@
Section: python
Priority: optional
Maintainer: Piotr Ożarowski <[email protected]>
-Uploaders: Debian Python Modules Team
<[email protected]>
+Uploaders: Debian Python Team <[email protected]>
Build-Depends: debhelper-compat (= 13)
Build-Depends-Indep: dh-python,
python3-all,
diff -Nru pygments-2.7.1+dfsg/debian/patches/CVE-2021-20270.patch
pygments-2.7.1+dfsg/debian/patches/CVE-2021-20270.patch
--- pygments-2.7.1+dfsg/debian/patches/CVE-2021-20270.patch 1970-01-01
01:00:00.000000000 +0100
+++ pygments-2.7.1+dfsg/debian/patches/CVE-2021-20270.patch 2021-03-12
10:54:46.000000000 +0100
@@ -0,0 +1,45 @@
+From f91804ff4772e3ab41f46e28d370f57898700333 Mon Sep 17 00:00:00 2001
+From: Georg Brandl <[email protected]>
+Date: Thu, 10 Dec 2020 08:19:21 +0100
+Subject: [PATCH] fixes #1625: infinite loop in SML lexer
+
+Reason was a lookahead-only pattern which was included in the state
+where the lookahead was transitioning to.
+---
+ CHANGES | 8 ++++++++
+ pygments/lexers/ml.py | 12 ++++++------
+ 2 files changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/pygments/lexers/ml.py b/pygments/lexers/ml.py
+index 8ca8ce3eb..f2ac367c5 100644
+--- a/pygments/lexers/ml.py
++++ b/pygments/lexers/ml.py
+@@ -142,7 +142,7 @@ def id_callback(self, match):
+ (r'#\s+(%s)' % symbolicid_re, Name.Label),
+ # Some reserved words trigger a special, local lexer state change
+ (r'\b(datatype|abstype)\b(?!\')', Keyword.Reserved, 'dname'),
+- (r'(?=\b(exception)\b(?!\'))', Text, ('ename')),
++ (r'\b(exception)\b(?!\')', Keyword.Reserved, 'ename'),
+ (r'\b(functor|include|open|signature|structure)\b(?!\')',
+ Keyword.Reserved, 'sname'),
+ (r'\b(type|eqtype)\b(?!\')', Keyword.Reserved, 'tname'),
+@@ -315,15 +315,14 @@ def id_callback(self, match):
+ 'ename': [
+ include('whitespace'),
+
+- (r'(exception|and)\b(\s+)(%s)' % alphanumid_re,
++ (r'(and\b)(\s+)(%s)' % alphanumid_re,
+ bygroups(Keyword.Reserved, Text, Name.Class)),
+- (r'(exception|and)\b(\s*)(%s)' % symbolicid_re,
++ (r'(and\b)(\s*)(%s)' % symbolicid_re,
+ bygroups(Keyword.Reserved, Text, Name.Class)),
+ (r'\b(of)\b(?!\')', Keyword.Reserved),
++ (r'(%s)|(%s)' % (alphanumid_re, symbolicid_re), Name.Class),
+
+- include('breakout'),
+- include('core'),
+- (r'\S+', Error),
++ default('#pop'),
+ ],
+
+ 'datcon': [
diff -Nru pygments-2.7.1+dfsg/debian/patches/series
pygments-2.7.1+dfsg/debian/patches/series
--- pygments-2.7.1+dfsg/debian/patches/series 2020-10-09 00:54:38.000000000
+0200
+++ pygments-2.7.1+dfsg/debian/patches/series 2021-03-12 10:54:46.000000000
+0100
@@ -1,3 +1,4 @@
0002-add-g-parameter-to-pygmentize-man-page.patch
0003-docs-moved-to-python-pygments-doc-binary-package.patch
0003-Update-change-docs-theme-patch.patch
+CVE-2021-20270.patch
--- End Message ---
--- Begin Message ---
Unblocked pygments.
--- End Message ---
