--- Begin Message ---
Subject: |
python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270 |
Date: |
Wed, 24 Mar 2021 00:20:14 +0100 |
User-agent: |
Evolution 3.34.2 |
CVE-2021-20270 23.03.21 18:15
An infinite loop in SMLLexer in Pygments
versions 1.5 to 2.7.3 may lead to denial of service when performing
syntax highlighting of a Standard ML (SML) source file, as demonstrated
by input that only contains the "exception" keyword.
Upstream version 2.8.1 is not affected.
Because this package would cause 456 dependents to be rebuilt, I
prepared 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d and will push soon to
staging once master is merged in it so that .guix-authorizations
contains my key. I also attached the patch (trivial).
Opening this bug to track when this lands into master
0001-gnu-python-pygments-Update-to-2.8.1-security-fixes.patch
Description: Text Data
signature.asc
Description: This is a digitally signed message part
--- End Message ---
--- Begin Message ---
Subject: |
Re: bug#47351: python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270 |
Date: |
Tue, 22 Mar 2022 22:31:58 -0400 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) |
Léo Le Bouter <lle-bout@zaclys.net> writes:
> CVE-2021-20270 23.03.21 18:15
> An infinite loop in SMLLexer in Pygments
> versions 1.5 to 2.7.3 may lead to denial of service when performing
> syntax highlighting of a Standard ML (SML) source file, as demonstrated
> by input that only contains the "exception" keyword.
>
> Upstream version 2.8.1 is not affected.
Which is now the current version packaged in Guix.
Thanks for the report!
Closing.
Maxim
--- End Message ---