Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: [email protected] Control: affects -1 + src:pygments User: [email protected] Usertags: pu bsp-2026-05-07-brazil
[ Reason ] Fix potential ReDoS vulnerabilities in pygments: CVE-2026-4539[1], CVE-2022-40896[2]. [ Impact ] A specially crafted input can trigger excessive CPU consumption due to inefficient regular expression processing in affected lexers, leading to a denial-of-service condition. [ Tests ] The vulnerable code path was tested with the proposed patch applied. [ Risks ] The changes are minimal and limited to the affected lexers. They are direct backports of the upstream fixes and do not modify unrelated functionality. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Backport the upstream fixes for: CVE-2022-40896: ReDoS in SmithyLexer. CVE-2026-4539: ReDoS in AdlLexer. [ Other info ] The merge request for unstable is open and awaiting review. @piotr has reviewed this backport and will sponsor it. [1] https://security-tracker.debian.org/tracker/CVE-2026-4539 [2] https://security-tracker.debian.org/tracker/CVE-2022-40896
diff -Nru pygments-2.14.0+dfsg/debian/changelog pygments-2.14.0+dfsg/debian/changelog --- pygments-2.14.0+dfsg/debian/changelog 2023-01-07 09:12:03.000000000 +0000 +++ pygments-2.14.0+dfsg/debian/changelog 2026-05-29 17:56:35.000000000 +0000 @@ -1,3 +1,14 @@ +pygments (2.14.0+dfsg-1+deb12u1) bookworm; urgency=medium + + * Team upload. + * d/patches: (Closes: #1132233) + - CVE-2026-4539: Import and backport upstream patch + (Potential ReDoS in SmithyLexer.) + - CVE-2022-40896: Import and backport upstream patch + (Potential ReDoS in AdlLexer) + + -- Matheus Polkorny <[email protected]> Fri, 29 May 2026 14:56:35 -0300 + pygments (2.14.0+dfsg-1) unstable; urgency=medium * Team upload diff -Nru pygments-2.14.0+dfsg/debian/patches/CVE-2022-40896-1.patch pygments-2.14.0+dfsg/debian/patches/CVE-2022-40896-1.patch --- pygments-2.14.0+dfsg/debian/patches/CVE-2022-40896-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ pygments-2.14.0+dfsg/debian/patches/CVE-2022-40896-1.patch 2026-05-29 17:56:35.000000000 +0000 
@@ -0,0 +1,29 @@
+From: Jean Abou Samra <[email protected]>
+Date: Wed, 1 Mar 2023 00:58:35 +0100
+Subject: [PATCH 1/2] SQL+Jinja: use a simpler regex in analyse_text
+
+Origin: upstream, https://github.com/pygments/pygments/commit/97eb3d5ec7c1b3ea4fcf9dee30a2309cf92bd194
+
+Fixes catastrophic backtracking
+
+Fixes #2355
+---
+ pygments/lexers/templates.py | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/pygments/lexers/templates.py b/pygments/lexers/templates.py
+index 1fcf708..1066294 100644
+--- a/pygments/lexers/templates.py
++++ b/pygments/lexers/templates.py
+@@ -2291,10 +2291,6 @@ class SqlJinjaLexer(DelegatingLexer):
+ if re.search(r'\{\{\s*source\(.*\)\s*\}\}', text):
+ rv += 0.25
+ # Jinja macro
+- if re.search(
+- r'\{%-?\s*macro \w+\(.*\)\s*-?%\}\s+.*\s+\{%-?\s*endmacro\s*-?%\}',
+- text,
+- re.S,
+- ):
++ if re.search(r'\{%-?\s*macro \w+\(.*\)\s*-?%\}', text):
+ rv += 0.15
+ return rv
diff -Nru pygments-2.14.0+dfsg/debian/patches/CVE-2022-40896-2.patch pygments-2.14.0+dfsg/debian/patches/CVE-2022-40896-2.patch
--- pygments-2.14.0+dfsg/debian/patches/CVE-2022-40896-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ pygments-2.14.0+dfsg/debian/patches/CVE-2022-40896-2.patch 2026-05-29 17:56:35.000000000 +0000
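Review bot: Neither CVE-2022-40896 patch in this debdiff touches the Smithy lexer — this hunk changes SqlJinjaLexer.analyse_text in pygments/lexers/templates.py and the companion CVE-2022-40896-2.patch changes PropertiesLexer in pygments/lexers/configs.py — yet the bug description names the CVE as "ReDoS in SmithyLexer". If the CVE's Smithy component also applies to 2.14.0 (upstream tracks it as a separate change from the two imported here), the backport is incomplete; if it does not, the description and the changelog should name the lexers actually patched, since reviewers and the security tracker will check against that wording. The simplified `analyse_text` regex `r'\{%-?\s*macro \w+\(.*\)\s*-?%\}'` removes the second unbounded wildcard and the `re.S` flag, so the `.*` now scans at most one line per candidate match; that appears to remove the catastrophic case, though it is still worth a quick timing check on a long single-line input with many `{% macro` prefixes. The checklist ticks "the issue is verified as fixed in unstable" while [ Other info ] says the unstable merge request is still open and awaiting review; one of the two statements should be corrected before the pu is processed.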
@@ -0,0 +1,115 @@ +From: Jean Abou-Samra <[email protected]> +Date: Mon, 17 Apr 2023 20:14:42 +0200 +Subject: [PATCH 2/2] Improve Java properties lexer (#2404) + +Origin: upstream, https://github.com/pygments/pygments/commit/fdf182a7af85b1deeeb637ca970d31935e7c9d52 + +Use special lexer rules for escapes; fixes catastrophic backtracking, +and highlights them too. + +Fixes #2356 +--- + pygments/lexers/configs.py | 52 ++++++++++++++-------- + .../properties/test_escaped_space_in_value.txt | 4 +- + .../properties/test_just_key_with_space.txt | 4 +- + 3 files changed, 40 insertions(+), 20 deletions(-) + +diff --git a/pygments/lexers/configs.py b/pygments/lexers/configs.py +index e04c722..38bc853 100644 +--- a/pygments/lexers/configs.py ++++ b/pygments/lexers/configs.py +@@ -129,26 +129,42 @@ class PropertiesLexer(RegexLexer): + + tokens = { + 'root': [ +- (r'\s+', Whitespace), ++ # comments + (r'[!#].*|/{2}.*', Comment.Single), +- # search for first separator +- (r'([^\\\n]|\\.)*?(?=[ \f\t=:])', Name.Attribute, "separator"), +- # empty key +- (r'.+?$', Name.Attribute), ++ # ending a comment or whitespace-only line ++ (r'\n', Whitespace), ++ # eat whitespace at the beginning of a line ++ (r'^[^\S\n]+', Whitespace), ++ # start lexing a key ++ default('key'), + ], +- 'separator': [ +- # search for line continuation escape +- (r'([ \f\t]*)([=:]*)([ \f\t]*)(.*(?<!\\)(?:\\{2})*)(\\)(?!\\)$', +- bygroups(Whitespace, Operator, Whitespace, String, Text), "value", "#pop"), +- (r'([ \f\t]*)([=:]*)([ \f\t]*)(.*)', +- bygroups(Whitespace, Operator, Whitespace, String), "#pop"), ++ 'key': [ ++ # non-escaped key characters ++ (r'[^\\:=\s]+', Name.Attribute), ++ # escapes ++ include('escapes'), ++ # separator is the first non-escaped whitespace or colon or '=' on the line; ++ # if it's whitespace, = and : are gobbled after it ++ (r'([^\S\n]*)([:=])([^\S\n]*)', ++ bygroups(Whitespace, Operator, Whitespace), ++ ('#pop', 'value')), ++ (r'[^\S\n]+', Whitespace, ('#pop', 'value')), ++ # 
maybe we got no value after all ++ (r'\n', Whitespace, '#pop'), + ], +- 'value': [ # line continuation +- (r'\s+', Whitespace), +- # search for line continuation escape +- (r'(\s*)(.*(?<!\\)(?:\\{2})*)(\\)(?!\\)([ \t]*)', +- bygroups(Whitespace, String, Text, Whitespace)), +- (r'.*$', String, "#pop"), ++ 'value': [ ++ # non-escaped value characters ++ (r'[^\\\n]+', String), ++ # escapes ++ include('escapes'), ++ # end the value on an unescaped newline ++ (r'\n', Whitespace, '#pop'), ++ ], ++ 'escapes': [ ++ # line continuations; these gobble whitespace at the beginning of the next line ++ (r'(\\\n)([^\S\n]*)', bygroups(String.Escape, Whitespace)), ++ # other escapes ++ (r'\\(.|\n)', String.Escape), + ], + } + +@@ -1154,7 +1170,7 @@ class UnixConfigLexer(RegexLexer): + * ``/etc/group`` + * ``/etc/passwd`` + * ``/etc/shadow`` +- ++ + .. versionadded:: 2.12 + """ + +diff --git a/tests/snippets/properties/test_escaped_space_in_value.txt b/tests/snippets/properties/test_escaped_space_in_value.txt +index f76507f..44772d8 100644 +--- a/tests/snippets/properties/test_escaped_space_in_value.txt ++++ b/tests/snippets/properties/test_escaped_space_in_value.txt +@@ -6,5 +6,7 @@ key = doubleword\ value + ' ' Text.Whitespace + '=' Operator + ' ' Text.Whitespace +-'doubleword\\ value' Literal.String ++'doubleword' Literal.String ++'\\ ' Literal.String.Escape ++'value' Literal.String + '\n' Text.Whitespace +diff --git a/tests/snippets/properties/test_just_key_with_space.txt b/tests/snippets/properties/test_just_key_with_space.txt +index 660c37c..833fe40 100644 +--- a/tests/snippets/properties/test_just_key_with_space.txt ++++ b/tests/snippets/properties/test_just_key_with_space.txt +@@ -2,5 +2,7 @@ + just\ key + + ---tokens--- +-'just\\ key' Name.Attribute ++'just' Name.Attribute ++'\\ ' Literal.String.Escape ++'key' Name.Attribute + '\n' Text.Whitespace diff -Nru pygments-2.14.0+dfsg/debian/patches/CVE-2026-4539.patch pygments-2.14.0+dfsg/debian/patches/CVE-2026-4539.patch --- 
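Review bot: This patch carries an unrelated whitespace-only hunk at `@@ -1154,7 +1170,7 @@ class UnixConfigLexer(RegexLexer)` (a trailing-space fix in a docstring), which contradicts the "[ Risks ] limited to the affected lexers" statement; it is harmless, but dropping that hunk from the backport keeps the stable diff to the CVE fix. The rewritten PropertiesLexer also changes observable tokenization, not just performance: escapes are now emitted as `String.Escape` and keys/values containing them are split into several tokens, as the two updated `tests/snippets/properties/*.txt` files show, so the changelog entry should mention the output change for consumers that post-process tokens. As far as the hunk shows, the `'escapes'` rule `(r'\\(.|\n)', String.Escape)` needs a character after the backslash, so a lone backslash at the very end of the input matches no rule in `'key'` or `'value'` and falls through to the lexer's error handling rather than being emitted as text — a correctness nit, not a regression risk, but worth confirming with a one-line snippet. The enclosing PropertiesLexer class starts outside the hunk.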
pygments-2.14.0+dfsg/debian/patches/CVE-2026-4539.patch 1970-01-01 00:00:00.000000000 +0000
+++ pygments-2.14.0+dfsg/debian/patches/CVE-2026-4539.patch 2026-05-29 17:56:35.000000000 +0000
@@ -0,0 +1,34 @@
+From: "zam." <[email protected]>
+Date: Thu, 26 Mar 2026 04:48:59 +0700
+Subject: fix(lexers): prevent ReDoS in archetype lexer GUID and ID patterns
+ (#3064)
+
+Origin: upstream, https://github.com/pygments/pygments/commit/24b8aa76c6cd6d70f39c6dd605cce319c98e2ccc
+---
+ pygments/lexers/archetype.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/pygments/lexers/archetype.py b/pygments/lexers/archetype.py
+index 1496d22..788b141 100644
+--- a/pygments/lexers/archetype.py
++++ b/pygments/lexers/archetype.py
+@@ -39,8 +39,8 @@ class AtomsLexer(RegexLexer):
+ (r'([ \t]*)(--.*)$', bygroups(Whitespace, Comment)),
+ ],
+ 'archetype_id': [
+- (r'([ \t]*)(([a-zA-Z]\w+(\.[a-zA-Z]\w+)*::)?[a-zA-Z]\w+(-[a-zA-Z]\w+){2}'
+- r'\.\w+[\w-]*\.v\d+(\.\d+){,2}((-[a-z]+)(\.\d+)?)?)',
++ (r'([ \t]*)(([a-zA-Z]\w{1,100}(\.[a-zA-Z]\w{1,100})*::)?[a-zA-Z]\w{1,100}(-[a-zA-Z]\w{1,100}){2}'
++ r'\.\w{1,100}[\w-]*\.v\d+(\.\d+){,2}((-[a-z]+)(\.\d+)?)?)',
+ bygroups(Whitespace, Name.Decorator)),
+ ],
+ 'date_constraints': [
+@@ -297,7 +297,7 @@ class AdlLexer(AtomsLexer):
+ # numbers and version ids
+ (r'\d+(\.\d+)*', Literal),
+ # Guids
+- (r'(\d|[a-fA-F])+(-(\d|[a-fA-F])+){3,}', Literal),
++ (r'[0-9a-fA-F]{1,36}(-[0-9a-fA-F]{1,36}){3,}', Literal),
+ (r'\w+', Name.Class),
+ (r'"', String, 'string'),
+ (r'=', Operator),
diff -Nru pygments-2.14.0+dfsg/debian/patches/series pygments-2.14.0+dfsg/debian/patches/series
--- pygments-2.14.0+dfsg/debian/patches/series 2022-11-21 17:39:36.000000000 +0000
+++ pygments-2.14.0+dfsg/debian/patches/series 2026-05-29 17:56:35.000000000 +0000
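Review bot: The debian/changelog entry in this debdiff labels CVE-2026-4539 as "Potential ReDoS in SmithyLexer" and CVE-2022-40896 as "Potential ReDoS in AdlLexer", but this patch modifies pygments/lexers/archetype.py (the `AtomsLexer` `'archetype_id'` rule and the `AdlLexer` Guid rule) and the [ Changes ] section of the description says the reverse; the two changelog parentheticals should be swapped so the changelog matches the patches. The new bounds also change what the rules accept, not only how fast they fail: an identifier segment longer than 100 word characters or a GUID group longer than 36 hex digits no longer matches `archetype_id`/the Guid rule and falls through to the generic `(r'\w+', Name.Class)` rule, which is fine for a highlighter but deserves one line in the patch header or changelog. The rewritten `'archetype_id'` pattern still has the overlapping pair `\w{1,100}[\w-]*` (every `\w` is also in `[\w-]`), so on a long run of word characters with no `.v<digits>` suffix the engine can still try up to roughly 100 split points per start position; that is bounded rather than catastrophic, but a quick timing check on a long `\w` run would confirm the backport behaves like upstream. No regression snippet accompanies the 3-line fix and the "[ Tests ]" section does not say how the vulnerable path was exercised, so adding a `tests/snippets` case (or the input used) would let the next uploader re-verify it.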
@@ -1,2 +1,5 @@
 0001-docs-moved-to-python-pygments-doc-binary-package.patch
 0002-pygments.bashcomp-Remove-hashbang-within-bash-comple.patch
+CVE-2022-40896-1.patch
+CVE-2022-40896-2.patch
+CVE-2026-4539.patch

