pkgsrc-Bugs archive


pkg/50661: py-pygments: fix for code-injection vulnerability (CVE-2015-8557)



>Number:         50661
>Category:       pkg
>Synopsis:       py-pygments: fix for code-injection vulnerability (CVE-2015-8557)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Jan 16 18:20:00 +0000 2016
>Originator:     Rin Okuyama
>Release:        HEAD (2016-01-16)
>Organization:
Department of Physics, Tohoku University
>Environment:
NetBSD XXX 7.99.25 NetBSD 7.99.25 (XXX) #0: Fri Jan  1 05:20:59 JST 2016  rin@XXX:XXX amd64
>Description:
The py-pygments package has a code-injection vulnerability (CVE-2015-8557):
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8557

Upstream provides a fix for it. The attached patch includes the changes
made by commits 6b4baae, 0036ab1, 3982887, and 91624f2: it avoids the
shell entirely when finding fonts, and contains miscellaneous bug fixes.

For more details, see:
  https://bitbucket.org/birkenfeld/pygments-main/history-node/e0bf451e64fd/pygments/formatters/img.py

Please update the package accordingly.
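To make the "avoid the shell entirely" change concrete, here is an added example (not code from this PR, from Pygments or from pkgsrc) of a no-shell font lookup in the style of the upstream fix; `find_font_path`, `parse_fc_list_output` and `argv_roundtrip` are hypothetical names, the `fc-list` output is a constructed sample, and a missing `fc-list` binary is assumed to mean "no font found".

```python
import subprocess
import sys


def parse_fc_list_output(stdout):
    """Return the first font path from `fc-list <pattern> file` output (bytes), or None.

    fc-list prints one "/path/to/font.ttf: " line per match; the trailing
    colon and whitespace are stripped, as the upstream code does.
    """
    lines = stdout.splitlines()
    if not lines:
        return None
    # Paths are bytes; decode with the filesystem encoding so odd bytes survive.
    first = lines[0].decode(sys.getfilesystemencoding(), "surrogateescape")
    return first.strip().strip(":") or None


def find_font_path(name, style, fc_list="fc-list"):
    """Locate a font without a shell: the pattern is a single argv element,
    so metacharacters in `name` or `style` are passed literally to fc-list.

    A missing fc-list binary raises OSError from subprocess; that is mapped
    to None here (assumption) so callers see "not found" rather than a crash.
    """
    argv = [fc_list, "%s:style=%s" % (name, style), "file"]
    try:
        proc = subprocess.run(argv, stdout=subprocess.PIPE,
                              stderr=subprocess.DEVNULL)
    except OSError:
        return None
    if proc.returncode != 0:
        return None
    return parse_fc_list_output(proc.stdout)


def argv_roundtrip(pattern):
    """Run a small Python child that prints its argv[1]; shows that an argv
    list delivers `pattern` as exactly one argument, with no shell expansion."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", pattern]
    out = subprocess.run(argv, stdout=subprocess.PIPE).stdout
    return out.decode().rstrip("\n")


if __name__ == "__main__":
    # Constructed sample of `fc-list ... file` output, two matches.
    sample = b"/usr/share/fonts/TTF/DejaVuSansMono.ttf: \n/usr/share/fonts/TTF/Other.ttf: \n"
    print(parse_fc_list_output(sample))
    print(argv_roundtrip("Vera Sans; style=Bold | Mono"))
```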
>How-To-Repeat:
n/a
>Fix:
patch for pkgsrc:

====================
diff -Naru pkgsrc/textproc/py-pygments.orig/Makefile pkgsrc/textproc/py-pygments/Makefile
--- pkgsrc/textproc/py-pygments.orig/Makefile	2016-01-17 02:04:49.000000000 +0900
+++ pkgsrc/textproc/py-pygments/Makefile	2016-01-17 02:05:38.000000000 +0900
@@ -1,6 +1,7 @@
 # $NetBSD: Makefile,v 1.20 2015/05/22 08:18:01 adam Exp $
 
 DISTNAME=	Pygments-2.0.2
+PKGREVISION=	1
 PKGNAME=	${PYPKGPREFIX}-${DISTNAME:tl}
 CATEGORIES=	textproc python
 MASTER_SITES=	http://pypi.python.org/packages/source/P/Pygments/
diff -Naru pkgsrc/textproc/py-pygments.orig/distinfo pkgsrc/textproc/py-pygments/distinfo
--- pkgsrc/textproc/py-pygments.orig/distinfo	2016-01-17 02:04:49.000000000 +0900
+++ pkgsrc/textproc/py-pygments/distinfo	2016-01-17 03:03:14.000000000 +0900
@@ -4,3 +4,4 @@
 RMD160 (Pygments-2.0.2.tar.gz) = 196e926dc40ffc34a68783882cbe3f0f0aa8f6d8
 SHA512 (Pygments-2.0.2.tar.gz) = b58e2cc535ba3f1fda7cb147e12af128bc2755de56cf465f8f1d642730eaef50c06551cc4cc44f25f726b00f3f1c9c2078977233b11c0b6a7e1add6a4069c27e
 Size (Pygments-2.0.2.tar.gz) = 3462280 bytes
+SHA1 (patch-img.py) = 420a59570c628a3056e585b932b30ac1dbde23a1
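Review bot: the `+SHA1 (patch-img.py) = 420a5957...` line must match the patch file exactly as committed; if patch-img.py is edited again before commit, regenerate this line with `make makepatchsum` in textproc/py-pygments rather than hand-editing distinfo, otherwise the build will reject the patch.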
diff -Naru pkgsrc/textproc/py-pygments.orig/patches/patch-img.py pkgsrc/textproc/py-pygments/patches/patch-img.py
--- pkgsrc/textproc/py-pygments.orig/patches/patch-img.py	1970-01-01 09:00:00.000000000 +0900
+++ pkgsrc/textproc/py-pygments/patches/patch-img.py	2016-01-17 03:02:47.000000000 +0900
@@ -0,0 +1,63 @@
+$NetBSD$
+
+Fix for code-injection vulnerability (CVE-2015-8557) from upstream.
+
+The following patch includes changes made by commits 6b4baae, 0036ab1,
+3982887, and 91624f2. Avoid the shell entirely when finding fonts, and
+misc bug fixes.
+
+See more details:
+https://bitbucket.org/birkenfeld/pygments-main/history-node/e0bf451e64fd/pygments/formatters/img.py
+
+--- pygments/formatters/img.py.orig	2016-01-17 02:49:19.000000000 +0900
++++ pygments/formatters/img.py	2016-01-17 02:49:23.000000000 +0900
+@@ -5,7 +5,7 @@
+ 
+     Formatter for Pixmap output.
+ 
+-    :copyright: Copyright 2006-2014 by the Pygments team, see AUTHORS.
++    :copyright: Copyright 2006-2015 by the Pygments team, see AUTHORS.
+     :license: BSD, see LICENSE for details.
+ """
+ 
+@@ -15,6 +15,8 @@
+ from pygments.util import get_bool_opt, get_int_opt, get_list_opt, \
+     get_choice_opt, xrange
+ 
++import subprocess
++
+ # Import this carefully
+ try:
+     from PIL import Image, ImageDraw, ImageFont
+@@ -75,16 +77,13 @@
+             self._create_nix()
+ 
+     def _get_nix_font_path(self, name, style):
+-        try:
+-            from commands import getstatusoutput
+-        except ImportError:
+-            from subprocess import getstatusoutput
+-        exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
+-                                    (name, style))
+-        if not exit:
+-            lines = out.splitlines()
++        proc = subprocess.Popen(['fc-list', "%s:style=%s" % (name, style), 'file'],
++                                stdout=subprocess.PIPE, stderr=None)
++        stdout, _ = proc.communicate()
++        if proc.returncode == 0:
++            lines = stdout.splitlines()
+             if lines:
+-                path = lines[0].strip().strip(':')
++                path = lines[0].decode().strip().strip(':')
+                 return path
+ 
+     def _create_nix(self):
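Review bot: the new `_get_nix_font_path` body changes failure behaviour when `fc-list` is not installed: the old `getstatusoutput` call went through a shell, which reported the missing command as a non-zero exit status and fell through to returning `None`, whereas `subprocess.Popen(['fc-list', ...])` raises `OSError` before any return code exists, so callers now get an exception instead. Wrap the `Popen` call in `try/except OSError` and return `None` in that branch. The argv list itself is the right fix: `"%s:style=%s" % (name, style)` is now one argument that no shell ever interprets, which is what closes the injection. Minor: `lines[0].decode()` assumes a UTF-8 or ASCII path; decoding with the filesystem encoding is safer for non-ASCII font paths.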
+@@ -197,7 +196,7 @@
+         bold and italic fonts will be generated.  This really should be a
+         monospace font to look sane.
+ 
+-        Default: "Bitstream Vera Sans Mono"
++        Default: "Bitstream Vera Sans Mono" on Windows, Courier New on \*nix
+ 
+     `font_size`
+         The font size in points to be used.
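Review bot: this hunk changes only the documented default ("Bitstream Vera Sans Mono" on Windows, Courier New on *nix), but no hunk in this patch touches the code that sets the default font name, so either the corresponding upstream code change is missing from the backport or the docstring change should be dropped; confirm that the docstring and the actual default agree before committing.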
====================

patch for the pkg-vulnerabilities file (for Rev. 1.6840):

====================
--- pkg-vulnerabilities.orig	2016-01-17 02:16:37.000000000 +0900
+++ pkg-vulnerabilities	2016-01-17 02:18:19.000000000 +0900
@@ -9634,7 +9634,7 @@
 typo3>=6.2<6.2.16		cross-site-scripting	http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-013/
 typo3>=6.2<6.2.16		cross-site-scripting	http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-014/
 typo3>=6.2<6.2.16		cross-site-scripting	http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-015/
-py{35,34,33,27}-pygments-[0-9]*	code-injection		https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8557
+py{35,34,33,27}-pygments<2.0.2nb1	code-injection		https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8557
 foomatic-filters>4		input-validation	https://www.debian.org/security/2015/dsa-3419
 foomatic-filters>4		remote-code-execution	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8560
 #CHECKSUM SHA1 5d75b9e7d86e6661fd1a29c5dd7b096ae7d401af
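Review bot: the hunk rewrites the py-pygments entry but leaves the trailing `#CHECKSUM SHA1 5d75b9e7...` context line unchanged, so the file's own checksum no longer matches its contents; the committer needs to regenerate that line when applying the change. The new bound `<2.0.2nb1` is consistent with the `PKGREVISION=1` bump in the Makefile hunk.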
====================


