--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: team+python@tracker.debian.org
Please unblock package pygments
[ Reason ]
Fixes CVE-2021-20270: infinite loop in the SML lexer
[ Impact ]
CPU exhaustion via crafted SML files in services using pygments
[ Tests ]
There's a simple test case in the upstream bug that I used to
verify that -1 is vulnerable (100% CPU usage) and -2 fixes the
issue.
[ Risks ]
Low risk: minimal change addressing a targeted issue via a patch,
worst case we can unapply the patch if a regression is found.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock pygments/2.7.1+dfsg-2
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (200, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-3-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru pygments-2.7.1+dfsg/debian/changelog pygments-2.7.1+dfsg/debian/changelog
--- pygments-2.7.1+dfsg/debian/changelog 2020-10-09 00:54:38.000000000 +0200
+++ pygments-2.7.1+dfsg/debian/changelog 2021-03-12 10:54:46.000000000 +0100
@@ -1,3 +1,15 @@
+pygments (2.7.1+dfsg-2) unstable; urgency=medium
+
+ * Team upload.
+
+ [ Sandro Tosi ]
+ * Use the new Debian Python Team contact name and address
+
+ [ Emilio Pozuelo Monfort ]
+ * CVE-2021-20270: infinite loop in the SML lexer (Closes: #984664).
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org> Fri, 12 Mar 2021 10:54:46 +0100
+
pygments (2.7.1+dfsg-1) unstable; urgency=medium
[ Emmanuel Arias ]
diff -Nru pygments-2.7.1+dfsg/debian/control pygments-2.7.1+dfsg/debian/control
--- pygments-2.7.1+dfsg/debian/control 2020-10-09 00:54:38.000000000 +0200
+++ pygments-2.7.1+dfsg/debian/control 2021-03-12 10:54:46.000000000 +0100
@@ -2,7 +2,7 @@
Section: python
Priority: optional
Maintainer: Piotr Ożarowski <piotr@debian.org>
-Uploaders: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
+Uploaders: Debian Python Team <team+python@tracker.debian.org>
Build-Depends: debhelper-compat (= 13)
Build-Depends-Indep: dh-python,
python3-all,
diff -Nru pygments-2.7.1+dfsg/debian/patches/CVE-2021-20270.patch pygments-2.7.1+dfsg/debian/patches/CVE-2021-20270.patch
--- pygments-2.7.1+dfsg/debian/patches/CVE-2021-20270.patch 1970-01-01 01:00:00.000000000 +0100
+++ pygments-2.7.1+dfsg/debian/patches/CVE-2021-20270.patch 2021-03-12 10:54:46.000000000 +0100
@@ -0,0 +1,45 @@
+From f91804ff4772e3ab41f46e28d370f57898700333 Mon Sep 17 00:00:00 2001
+From: Georg Brandl <georg@python.org>
+Date: Thu, 10 Dec 2020 08:19:21 +0100
+Subject: [PATCH] fixes #1625: infinite loop in SML lexer
+
+Reason was a lookahead-only pattern which was included in the state
+where the lookahead was transitioning to.
+---
+ CHANGES | 8 ++++++++
+ pygments/lexers/ml.py | 12 ++++++------
+ 2 files changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/pygments/lexers/ml.py b/pygments/lexers/ml.py
+index 8ca8ce3eb..f2ac367c5 100644
+--- a/pygments/lexers/ml.py
++++ b/pygments/lexers/ml.py
+@@ -142,7 +142,7 @@ def id_callback(self, match):
+ (r'#\s+(%s)' % symbolicid_re, Name.Label),
+ # Some reserved words trigger a special, local lexer state change
+ (r'\b(datatype|abstype)\b(?!\')', Keyword.Reserved, 'dname'),
+- (r'(?=\b(exception)\b(?!\'))', Text, ('ename')),
++ (r'\b(exception)\b(?!\')', Keyword.Reserved, 'ename'),
+ (r'\b(functor|include|open|signature|structure)\b(?!\')',
+ Keyword.Reserved, 'sname'),
+ (r'\b(type|eqtype)\b(?!\')', Keyword.Reserved, 'tname'),
+@@ -315,15 +315,14 @@ def id_callback(self, match):
+ 'ename': [
+ include('whitespace'),
+
+- (r'(exception|and)\b(\s+)(%s)' % alphanumid_re,
++ (r'(and\b)(\s+)(%s)' % alphanumid_re,
+ bygroups(Keyword.Reserved, Text, Name.Class)),
+- (r'(exception|and)\b(\s*)(%s)' % symbolicid_re,
++ (r'(and\b)(\s*)(%s)' % symbolicid_re,
+ bygroups(Keyword.Reserved, Text, Name.Class)),
+ (r'\b(of)\b(?!\')', Keyword.Reserved),
++ (r'(%s)|(%s)' % (alphanumid_re, symbolicid_re), Name.Class),
+
+- include('breakout'),
+- include('core'),
+- (r'\S+', Error),
++ default('#pop'),
+ ],
+
+ 'datcon': [
diff -Nru pygments-2.7.1+dfsg/debian/patches/series pygments-2.7.1+dfsg/debian/patches/series
--- pygments-2.7.1+dfsg/debian/patches/series 2020-10-09 00:54:38.000000000 +0200
+++ pygments-2.7.1+dfsg/debian/patches/series 2021-03-12 10:54:46.000000000 +0100
@@ -1,3 +1,4 @@
0002-add-g-parameter-to-pygmentize-man-page.patch
0003-docs-moved-to-python-pygments-doc-binary-package.patch
0003-Update-change-docs-theme-patch.patch
+CVE-2021-20270.patch
--- End Message ---