Bugzilla – Bug 1184812
VUL-0: CVE-2021-27291: python-Pygments: ReDoS via crafted malicious input
Last modified: 2022-04-14 15:39:16 UTC
rh#1940603 In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

Reference: https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce
Upstream patch: https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1940603
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27291
https://access.redhat.com/errata/RHSA-2021:0781.html
https://access.redhat.com/security/cve/CVE-2021-27291
http://www.debian.org/security/-1/dsa-4878
https://access.redhat.com/errata/RHSA-2021:0781
http://www.debian.org/security/-1/dsa-4889
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27291
https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985574
https://lists.debian.org/debian-lts-announce/2021/03/msg00024.html
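The description above says some lexer regexes have exponential or cubic worst-case complexity. The following added example (not part of this bug report or of Pygments) shows the kind of time-budgeted check a maintainer can run over a regular expression to flag superlinear backtracking, using two constructed lexer-style patterns: an ambiguous one and its unambiguous rewrite. Both patterns and the worst-case input generator are assumptions for the demonstration, not the Pygments rules or the input from the referenced gist.

```python
import re
import time

# Constructed patterns for the demonstration (assumptions, not the Pygments
# lexer rules). In the first, `\w+` and the enclosing `*` can split one run
# of word characters in 2**(n-1) ways, so an input with no terminating ';'
# forces exponential backtracking. The second makes whitespace mandatory
# between words, so every character has exactly one way to be consumed.
AMBIGUOUS = re.compile(r"(\w+\s*)*;")
UNAMBIGUOUS = re.compile(r"\w+(\s+\w+)*\s*;")


def time_match(pattern, text, repeats=2):
    """Best-of-`repeats` wall-clock time for one match attempt."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - start)
    return best


def probe(pattern, make_input, sizes=range(8, 30, 2), budget=0.1,
          noise_floor=1e-3, max_ratio=3.0):
    """Grow the input and stop as soon as one attempt blows the budget.

    Returns (suspect, samples) where samples is [(n, seconds), ...].
    """
    samples = []
    for n in sizes:
        secs = time_match(pattern, make_input(n))
        samples.append((n, secs))
        if secs > budget:
            return True, samples  # a single attempt exceeded the budget
    # Otherwise compare the last two points that are above timer noise:
    # growing more than 3x for two extra characters is far from linear.
    (_, t1), (_, t2) = samples[-2], samples[-1]
    return (t1 > noise_floor and t2 / t1 > max_ratio), samples


def is_superlinear(pattern):
    """True if matching time grows superlinearly on the worst-case input."""
    # A run of word characters with no ';' is the worst case for both
    # patterns: the match must fail after exploring every split.
    suspect, _ = probe(pattern, lambda n: "a" * n)
    return suspect


if __name__ == "__main__":
    for name, pat in (("ambiguous", AMBIGUOUS), ("unambiguous", UNAMBIGUOUS)):
        print(name, "superlinear" if is_superlinear(pat) else "ok")
```

The budget keeps the probe from hanging on a bad pattern; the ratio check catches polynomial blow-ups that stay under the budget at small sizes.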
@Alberto: I saw that you took the last change. Maybe you would be interested to do this one too?
tracking affected:
- SUSE:SLE-12-SP1:Update/python-Pygments
- SUSE:SLE-15:Update/python-Pygments
- SUSE:SLE-15-SP1:Update/python-Pygments
- SUSE:SLE-15-SP3:Update/python-Pygments

fixed in openSUSE:Factory
can you please submit fixes?
(In reply to Marcus Meissner from comment #3)
> can you please submit fixes?

Sorry, I was not aware that I was assigned to this one. Working on it.
Should be done:
> - SUSE:SLE-12-SP1:Update/python-Pygments SR#259002
> - SUSE:SLE-15:Update/python-Pygments SR#259003
> - SUSE:SLE-15-SP1:Update/python-Pygments SR#259004
> - SUSE:SLE-15-SP3:Update/python-Pygments SR#259006

Anything missing?
SUSE-SU-2021:3840-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1184812
CVE References: CVE-2021-27291
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src): python-Pygments-2.6.1-7.10.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): python-Pygments-2.6.1-7.10.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): python-Pygments-2.6.1-7.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): python-Pygments-2.6.1-7.10.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): python-Pygments-2.6.1-7.10.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): python-Pygments-2.6.1-7.10.1
SUSE Enterprise Storage 6 (src): python-Pygments-2.6.1-7.10.1
SUSE CaaS Platform 4.0 (src): python-Pygments-2.6.1-7.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:3839-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1184812
CVE References: CVE-2021-27291
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): python-Pygments-2.6.1-4.3.1
openSUSE-SU-2021:3841-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1184812
CVE References: CVE-2021-27291
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): python-Pygments-2.2.0-4.9.1
SUSE-SU-2021:3841-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1184812
CVE References: CVE-2021-27291
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): python-Pygments-2.2.0-4.9.1
SUSE Linux Enterprise Server 15-LTSS (src): python-Pygments-2.2.0-4.9.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): python-Pygments-2.2.0-4.9.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src): python-Pygments-2.2.0-4.9.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): python-Pygments-2.2.0-4.9.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): python-Pygments-2.2.0-4.9.1
SUSE-SU-2021:3839-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1184812
CVE References: CVE-2021-27291
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): python-Pygments-2.6.1-4.3.1
openSUSE-SU-2021:1521-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1184812
CVE References: CVE-2021-27291
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): python-Pygments-2.6.1-lp152.5.12.1
Done.