
Bug#985056: marked as done (unblock: pygments/2.7.1+dfsg-2)



Your message dated Fri, 12 Mar 2021 10:23:44 +0000
with message-id <E1lKexM-0005os-A0@respighi.debian.org>
and subject line unblock pygments
has caused the Debian Bug report #985056,
regarding unblock: pygments/2.7.1+dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
985056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985056
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: team+python@tracker.debian.org

Please unblock package pygments

[ Reason ]
Fixes CVE-2021-20270: infinite loop in the SML lexer

[ Impact ]
CPU exhaustion via crafted SML files in services using pygments

[ Tests ]
There's a simple test case in the upstream bug that I used to
verify that -1 is vulnerable (100% CPU usage) and -2 fixes the
issue.

[ Risks ]
Low risk: minimal change addressing a targeted issue via a patch,
worst case we can unapply the patch if a regression is found.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock pygments/2.7.1+dfsg-2

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (200, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-3-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru pygments-2.7.1+dfsg/debian/changelog pygments-2.7.1+dfsg/debian/changelog
--- pygments-2.7.1+dfsg/debian/changelog	2020-10-09 00:54:38.000000000 +0200
+++ pygments-2.7.1+dfsg/debian/changelog	2021-03-12 10:54:46.000000000 +0100
@@ -1,3 +1,15 @@
+pygments (2.7.1+dfsg-2) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Sandro Tosi ]
+  * Use the new Debian Python Team contact name and address
+
+  [ Emilio Pozuelo Monfort ]
+  * CVE-2021-20270: infinite loop in the SML lexer (Closes: #984664).
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org>  Fri, 12 Mar 2021 10:54:46 +0100
+
 pygments (2.7.1+dfsg-1) unstable; urgency=medium
 
   [ Emmanuel Arias ]
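Review bot: the CVE-2021-20270 line in the new 2.7.1+dfsg-2 entry does not name the file that carries the fix. Naming debian/patches/CVE-2021-20270.patch there lets someone reading only the changelog find the change, which matters if the patch has to be unapplied later, as the Risks section of the request anticipates.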
diff -Nru pygments-2.7.1+dfsg/debian/control pygments-2.7.1+dfsg/debian/control
--- pygments-2.7.1+dfsg/debian/control	2020-10-09 00:54:38.000000000 +0200
+++ pygments-2.7.1+dfsg/debian/control	2021-03-12 10:54:46.000000000 +0100
@@ -2,7 +2,7 @@
 Section: python
 Priority: optional
 Maintainer: Piotr Ożarowski <piotr@debian.org>
-Uploaders: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
+Uploaders: Debian Python Team <team+python@tracker.debian.org>
 Build-Depends: debhelper-compat (= 13)
 Build-Depends-Indep: dh-python,
                      python3-all,
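Review bot: the Uploaders change in this hunk is unrelated to the lexer fix, so the upload is wider than the single targeted patch described under Risks. It touches only package metadata and is recorded in the changelog, but the unblock request should say explicitly that the debdiff also contains it.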
diff -Nru pygments-2.7.1+dfsg/debian/patches/CVE-2021-20270.patch pygments-2.7.1+dfsg/debian/patches/CVE-2021-20270.patch
--- pygments-2.7.1+dfsg/debian/patches/CVE-2021-20270.patch	1970-01-01 01:00:00.000000000 +0100
+++ pygments-2.7.1+dfsg/debian/patches/CVE-2021-20270.patch	2021-03-12 10:54:46.000000000 +0100
@@ -0,0 +1,45 @@
+From f91804ff4772e3ab41f46e28d370f57898700333 Mon Sep 17 00:00:00 2001
+From: Georg Brandl <georg@python.org>
+Date: Thu, 10 Dec 2020 08:19:21 +0100
+Subject: [PATCH] fixes #1625: infinite loop in SML lexer
+
+Reason was a lookahead-only pattern which was included in the state
+where the lookahead was transitioning to.
+---
+ CHANGES               |  8 ++++++++
+ pygments/lexers/ml.py | 12 ++++++------
+ 2 files changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/pygments/lexers/ml.py b/pygments/lexers/ml.py
+index 8ca8ce3eb..f2ac367c5 100644
+--- a/pygments/lexers/ml.py
++++ b/pygments/lexers/ml.py
+@@ -142,7 +142,7 @@ def id_callback(self, match):
+             (r'#\s+(%s)' % symbolicid_re, Name.Label),
+             # Some reserved words trigger a special, local lexer state change
+             (r'\b(datatype|abstype)\b(?!\')', Keyword.Reserved, 'dname'),
+-            (r'(?=\b(exception)\b(?!\'))', Text, ('ename')),
++            (r'\b(exception)\b(?!\')', Keyword.Reserved, 'ename'),
+             (r'\b(functor|include|open|signature|structure)\b(?!\')',
+              Keyword.Reserved, 'sname'),
+             (r'\b(type|eqtype)\b(?!\')', Keyword.Reserved, 'tname'),
+@@ -315,15 +315,14 @@ def id_callback(self, match):
+         'ename': [
+             include('whitespace'),
+ 
+-            (r'(exception|and)\b(\s+)(%s)' % alphanumid_re,
++            (r'(and\b)(\s+)(%s)' % alphanumid_re,
+              bygroups(Keyword.Reserved, Text, Name.Class)),
+-            (r'(exception|and)\b(\s*)(%s)' % symbolicid_re,
++            (r'(and\b)(\s*)(%s)' % symbolicid_re,
+              bygroups(Keyword.Reserved, Text, Name.Class)),
+             (r'\b(of)\b(?!\')', Keyword.Reserved),
++            (r'(%s)|(%s)' % (alphanumid_re, symbolicid_re), Name.Class),
+ 
+-            include('breakout'),
+-            include('core'),
+-            (r'\S+', Error),
++            default('#pop'),
+         ],
+ 
+         'datcon': [
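Review bot: the added patch file ships no regression test for the hang. Its diffstat lists only CHANGES and pygments/lexers/ml.py, and the request says the fix was verified by hand. A test that lexes the upstream reproducer under a time limit would catch a reintroduction. Two smaller points on the same hunk. First, the header still advertises "CHANGES | 8 ++++++++" and "2 files changed" although only the ml.py diff follows, so a line saying the CHANGES part was dropped, plus Origin and Bug-Debian fields, would make the provenance clear. Second, in 'ename' the new rule (r'(%s)|(%s)' % (alphanumid_re, symbolicid_re), Name.Class) sits ahead of default('#pop'), so every token matching either identifier pattern after the exception name, including whatever follows "of", is tagged Name.Class and the state is only left once neither pattern matches; please confirm that this is the intended highlighting.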
diff -Nru pygments-2.7.1+dfsg/debian/patches/series pygments-2.7.1+dfsg/debian/patches/series
--- pygments-2.7.1+dfsg/debian/patches/series	2020-10-09 00:54:38.000000000 +0200
+++ pygments-2.7.1+dfsg/debian/patches/series	2021-03-12 10:54:46.000000000 +0100
@@ -1,3 +1,4 @@
 0002-add-g-parameter-to-pygmentize-man-page.patch
 0003-docs-moved-to-python-pygments-doc-binary-package.patch
 0003-Update-change-docs-theme-patch.patch
+CVE-2021-20270.patch

--- End Message ---
--- Begin Message ---
Unblocked pygments.

--- End Message ---
