pkgsrc-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
pkg/50661: py-pygments: fix for code-injection vulnerability (CVE-2015-8557)
>Number: 50661
>Category: pkg
>Synopsis: py-pygments: fix for code-injection vulnerability (CVE-2015-8557)
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Jan 16 18:20:00 +0000 2016
>Originator: Rin Okuyama
>Release: HEAD (2016-01-16)
>Organization:
Department of Physics, Tohoku University
>Environment:
NetBSD XXX 7.99.25 NetBSD 7.99.25 (XXX) #0: Fri Jan 1 05:20:59 JST 2016 rin@XXX:XXX amd64
>Description:
py-pygments package has code-injection vulnerability (CVE-2015-8557):
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8557
The upstream provides fix for it. The attached patch includes changes
made by commits 6b4baae, 0036ab1, 3982887, and 91624f2. Avoid the shell
entirely when finding fonts, and misc bug fixes.
See more details:
https://bitbucket.org/birkenfeld/pygments-main/history-node/e0bf451e64fd/pygments/formatters/img.py
Please update the package accordingly.
>How-To-Repeat:
n/a
>Fix:
patch for pkgsrc:
====================
diff -Naru pkgsrc/textproc/py-pygments.orig/Makefile pkgsrc/textproc/py-pygments/Makefile
--- pkgsrc/textproc/py-pygments.orig/Makefile 2016-01-17 02:04:49.000000000 +0900
+++ pkgsrc/textproc/py-pygments/Makefile 2016-01-17 02:05:38.000000000 +0900
@@ -1,6 +1,7 @@
# $NetBSD: Makefile,v 1.20 2015/05/22 08:18:01 adam Exp $
DISTNAME= Pygments-2.0.2
+PKGREVISION= 1
PKGNAME= ${PYPKGPREFIX}-${DISTNAME:tl}
CATEGORIES= textproc python
MASTER_SITES= http://pypi.python.org/packages/source/P/Pygments/
diff -Naru pkgsrc/textproc/py-pygments.orig/distinfo pkgsrc/textproc/py-pygments/distinfo
--- pkgsrc/textproc/py-pygments.orig/distinfo 2016-01-17 02:04:49.000000000 +0900
+++ pkgsrc/textproc/py-pygments/distinfo 2016-01-17 03:03:14.000000000 +0900
@@ -4,3 +4,4 @@
RMD160 (Pygments-2.0.2.tar.gz) = 196e926dc40ffc34a68783882cbe3f0f0aa8f6d8
SHA512 (Pygments-2.0.2.tar.gz) = b58e2cc535ba3f1fda7cb147e12af128bc2755de56cf465f8f1d642730eaef50c06551cc4cc44f25f726b00f3f1c9c2078977233b11c0b6a7e1add6a4069c27e
Size (Pygments-2.0.2.tar.gz) = 3462280 bytes
+SHA1 (patch-img.py) = 420a59570c628a3056e585b932b30ac1dbde23a1
diff -Naru pkgsrc/textproc/py-pygments.orig/patches/patch-img.py pkgsrc/textproc/py-pygments/patches/patch-img.py
--- pkgsrc/textproc/py-pygments.orig/patches/patch-img.py 1970-01-01 09:00:00.000000000 +0900
+++ pkgsrc/textproc/py-pygments/patches/patch-img.py 2016-01-17 03:02:47.000000000 +0900
@@ -0,0 +1,63 @@
+$NetBSD$
+
+Fix for code-injection vulnerability (CVE-2015-8557) from upstream.
+
+The following patch includes changes made by commits 6b4baae, 0036ab1,
+3982887, and 91624f2. Avoid the shell entirely when finding fonts, and
+misc bug fixes.
+
+See more details:
+https://bitbucket.org/birkenfeld/pygments-main/history-node/e0bf451e64fd/pygments/formatters/img.py
+
+--- pygments/formatters/img.py.orig 2016-01-17 02:49:19.000000000 +0900
++++ pygments/formatters/img.py 2016-01-17 02:49:23.000000000 +0900
+@@ -5,7 +5,7 @@
+
+ Formatter for Pixmap output.
+
+- :copyright: Copyright 2006-2014 by the Pygments team, see AUTHORS.
++ :copyright: Copyright 2006-2015 by the Pygments team, see AUTHORS.
+ :license: BSD, see LICENSE for details.
+ """
+
+@@ -15,6 +15,8 @@
+ from pygments.util import get_bool_opt, get_int_opt, get_list_opt, \
+ get_choice_opt, xrange
+
++import subprocess
++
+ # Import this carefully
+ try:
+ from PIL import Image, ImageDraw, ImageFont
+@@ -75,16 +77,13 @@
+ self._create_nix()
+
+ def _get_nix_font_path(self, name, style):
+- try:
+- from commands import getstatusoutput
+- except ImportError:
+- from subprocess import getstatusoutput
+- exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
+- (name, style))
+- if not exit:
+- lines = out.splitlines()
++ proc = subprocess.Popen(['fc-list', "%s:style=%s" % (name, style), 'file'],
++ stdout=subprocess.PIPE, stderr=None)
++ stdout, _ = proc.communicate()
++ if proc.returncode == 0:
++ lines = stdout.splitlines()
+ if lines:
+- path = lines[0].strip().strip(':')
++ path = lines[0].decode().strip().strip(':')
+ return path
+
+ def _create_nix(self):
+@@ -197,7 +196,7 @@
+ bold and italic fonts will be generated. This really should be a
+ monospace font to look sane.
+
+- Default: "Bitstream Vera Sans Mono"
++ Default: "Bitstream Vera Sans Mono" on Windows, Courier New on \*nix
+
+ `font_size`
+ The font size in points to be used.
====================
patch for pkg-vulnerabilities file (for Rev.1.6840):
====================
--- pkg-vulnerabilities.orig 2016-01-17 02:16:37.000000000 +0900
+++ pkg-vulnerabilities 2016-01-17 02:18:19.000000000 +0900
@@ -9634,7 +9634,7 @@
typo3>=6.2<6.2.16 cross-site-scripting http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-013/
typo3>=6.2<6.2.16 cross-site-scripting http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-014/
typo3>=6.2<6.2.16 cross-site-scripting http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-015/
-py{35,34,33,27}-pygments-[0-9]* code-injection https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8557
+py{35,34,33,27}-pygments<2.0.2nb1 code-injection https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8557
foomatic-filters>4 input-validation https://www.debian.org/security/2015/dsa-3419
foomatic-filters>4 remote-code-execution https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8560
#CHECKSUM SHA1 5d75b9e7d86e6661fd1a29c5dd7b096ae7d401af
====================
Home |
Main Index |
Thread Index |
Old Index