NetBSD Problem Report #50661
From www@NetBSD.org Sat Jan 16 18:16:50 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id DCF1D7A209
for <gnats-bugs@gnats.NetBSD.org>; Sat, 16 Jan 2016 18:16:50 +0000 (UTC)
Message-Id: <20160116181649.801D77ACC6@mollari.NetBSD.org>
Date: Sat, 16 Jan 2016 18:16:49 +0000 (UTC)
From: okuyama@flex.phys.tohoku.ac.jp
Reply-To: okuyama@flex.phys.tohoku.ac.jp
To: gnats-bugs@NetBSD.org
Subject: py-pygments: fix for code-injection vulnerability (CVE-2015-8557)
X-Send-Pr-Version: www-1.0
>Number: 50661
>Category: pkg
>Synopsis: py-pygments: fix for code-injection vulnerability (CVE-2015-8557)
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Jan 16 18:20:00 +0000 2016
>Closed-Date: Sun Jan 17 14:25:17 +0000 2016
>Last-Modified: Tue Jan 19 19:10:01 +0000 2016
>Originator: Rin Okuyama
>Release: HEAD (2016-01-16)
>Organization:
Department of Physics, Tohoku University
>Environment:
NetBSD XXX 7.99.25 NetBSD 7.99.25 (XXX) #0: Fri Jan 1 05:20:59 JST 2016 rin@XXX:XXX amd64
>Description:
The py-pygments package has a code-injection vulnerability (CVE-2015-8557):
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8557
Upstream provides a fix for it. The attached patch includes the changes
made by commits 6b4baae, 0036ab1, 3982887, and 91624f2: avoid the shell
entirely when finding fonts, plus misc bug fixes.
For more details, see:
https://bitbucket.org/birkenfeld/pygments-main/history-node/e0bf451e64fd/pygments/formatters/img.py
Please update the package accordingly.
>How-To-Repeat:
n/a
>Fix:
patch for pkgsrc:
====================
diff -Naru pkgsrc/textproc/py-pygments.orig/Makefile pkgsrc/textproc/py-pygments/Makefile
--- pkgsrc/textproc/py-pygments.orig/Makefile 2016-01-17 02:04:49.000000000 +0900
+++ pkgsrc/textproc/py-pygments/Makefile 2016-01-17 02:05:38.000000000 +0900
@@ -1,6 +1,7 @@
# $NetBSD: Makefile,v 1.20 2015/05/22 08:18:01 adam Exp $
DISTNAME= Pygments-2.0.2
+PKGREVISION= 1
PKGNAME= ${PYPKGPREFIX}-${DISTNAME:tl}
CATEGORIES= textproc python
MASTER_SITES= http://pypi.python.org/packages/source/P/Pygments/
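Review bot: the added PKGREVISION= 1 is what turns the fixed package into 2.0.2nb1, so the `<2.0.2nb1` upper bound used in the pkg-vulnerabilities hunk below depends on this exact value; if the revision is bumped again before commit, the vulnerabilities entry must be updated to match.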
diff -Naru pkgsrc/textproc/py-pygments.orig/distinfo pkgsrc/textproc/py-pygments/distinfo
--- pkgsrc/textproc/py-pygments.orig/distinfo 2016-01-17 02:04:49.000000000 +0900
+++ pkgsrc/textproc/py-pygments/distinfo 2016-01-17 03:03:14.000000000 +0900
@@ -4,3 +4,4 @@
RMD160 (Pygments-2.0.2.tar.gz) = 196e926dc40ffc34a68783882cbe3f0f0aa8f6d8
SHA512 (Pygments-2.0.2.tar.gz) = b58e2cc535ba3f1fda7cb147e12af128bc2755de56cf465f8f1d642730eaef50c06551cc4cc44f25f726b00f3f1c9c2078977233b11c0b6a7e1add6a4069c27e
Size (Pygments-2.0.2.tar.gz) = 3462280 bytes
+SHA1 (patch-img.py) = 420a59570c628a3056e585b932b30ac1dbde23a1
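Review bot: the added SHA1 for patch-img.py is valid only for the patch file byte-for-byte as attached; any edit to it before commit (whitespace, the header comment, re-running diff with different timestamps) changes the checksum and makes the build fail at patch time, so regenerate it with `make makepatchsum` in the package directory after any change.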
diff -Naru pkgsrc/textproc/py-pygments.orig/patches/patch-img.py pkgsrc/textproc/py-pygments/patches/patch-img.py
--- pkgsrc/textproc/py-pygments.orig/patches/patch-img.py 1970-01-01 09:00:00.000000000 +0900
+++ pkgsrc/textproc/py-pygments/patches/patch-img.py 2016-01-17 03:02:47.000000000 +0900
@@ -0,0 +1,63 @@
+$NetBSD$
+
+Fix for code-injection vulnerability (CVE-2015-8557) from upstream.
+
+The following patch includes changes made by commits 6b4baae, 0036ab1,
+3982887, and 91624f2. Avoid the shell entirely when finding fonts, and
+misc bug fixes.
+
+See more details:
+https://bitbucket.org/birkenfeld/pygments-main/history-node/e0bf451e64fd/pygments/formatters/img.py
+
+--- pygments/formatters/img.py.orig 2016-01-17 02:49:19.000000000 +0900
++++ pygments/formatters/img.py 2016-01-17 02:49:23.000000000 +0900
+@@ -5,7 +5,7 @@
+
+ Formatter for Pixmap output.
+
+- :copyright: Copyright 2006-2014 by the Pygments team, see AUTHORS.
++ :copyright: Copyright 2006-2015 by the Pygments team, see AUTHORS.
+ :license: BSD, see LICENSE for details.
+ """
+
+@@ -15,6 +15,8 @@
+ from pygments.util import get_bool_opt, get_int_opt, get_list_opt, \
+ get_choice_opt, xrange
+
++import subprocess
++
+ # Import this carefully
+ try:
+ from PIL import Image, ImageDraw, ImageFont
+@@ -75,16 +77,13 @@
+ self._create_nix()
+
+ def _get_nix_font_path(self, name, style):
+- try:
+- from commands import getstatusoutput
+- except ImportError:
+- from subprocess import getstatusoutput
+- exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
+- (name, style))
+- if not exit:
+- lines = out.splitlines()
++ proc = subprocess.Popen(['fc-list', "%s:style=%s" % (name, style), 'file'],
++ stdout=subprocess.PIPE, stderr=None)
++ stdout, _ = proc.communicate()
++ if proc.returncode == 0:
++ lines = stdout.splitlines()
+ if lines:
+- path = lines[0].strip().strip(':')
++ path = lines[0].decode().strip().strip(':')
+ return path
+
+ def _create_nix(self):
+@@ -197,7 +196,7 @@
+ bold and italic fonts will be generated. This really should be a
+ monospace font to look sane.
+
+- Default: "Bitstream Vera Sans Mono"
++ Default: "Bitstream Vera Sans Mono" on Windows, Courier New on \*nix
+
+ `font_size`
+ The font size in points to be used.
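Review bot: in the new `_get_nix_font_path`, `subprocess.Popen([...])` raises OSError when `fc-list` is not installed, whereas the old `getstatusoutput` went through a shell and simply returned a non-zero status for "command not found"; wrap the Popen/communicate in `try: ... except OSError: return None` so a host without fontconfig still falls through to the caller's missing-font handling instead of crashing with a traceback. Two smaller points: `stderr=None` now lets fc-list's warnings reach the parent's stderr rather than being merged into the output, which is an improvement since `lines[0]` can no longer be a "Fontconfig warning:" line, but it is worth a comment; and the last hunk changes only the `font_name` docstring ("Bitstream Vera Sans Mono" on Windows, Courier New on \*nix) with no corresponding code change in this patch, so confirm that the defaults in this version really are platform-specific, or drop that hunk.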
====================
patch for pkg-vulnerabilities file (for Rev.1.6840):
====================
--- pkg-vulnerabilities.orig 2016-01-17 02:16:37.000000000 +0900
+++ pkg-vulnerabilities 2016-01-17 02:18:19.000000000 +0900
@@ -9634,7 +9634,7 @@
typo3>=6.2<6.2.16 cross-site-scripting http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-013/
typo3>=6.2<6.2.16 cross-site-scripting http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-014/
typo3>=6.2<6.2.16 cross-site-scripting http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-015/
-py{35,34,33,27}-pygments-[0-9]* code-injection https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8557
+py{35,34,33,27}-pygments<2.0.2nb1 code-injection https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8557
foomatic-filters>4 input-validation https://www.debian.org/security/2015/dsa-3419
foomatic-filters>4 remote-code-execution https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8560
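Review bot: the `<2.0.2nb1` bound on the changed line correctly ties the entry to the PKGREVISION bump in the Makefile hunk, but note that the `#CHECKSUM SHA1` trailer of pkg-vulnerabilities is computed over the file content and no longer matches a locally edited copy; the published file is regenerated by pkgsrc-security on commit, so a local copy patched this way fails the checksum verification pkg_admin performs until it is re-fetched.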
#CHECKSUM SHA1 5d75b9e7d86e6661fd1a29c5dd7b096ae7d401af
====================
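To make the security-relevant difference in the patch above concrete, here is an added example (not the page's patch and not Pygments' own code) contrasting the pre-fix shell-string invocation with the list-form invocation, and adding the missing-`fc-list` handling a hardened lookup needs. The `argv_as_seen_by_child` helper substitutes a Python one-liner for `fc-list` so argument boundaries can be checked on a host without fontconfig; the font name `Odd $HOME Name` is a constructed input.

```python
import subprocess
import sys


def fc_list_argv(name, style):
    # Argument vector for fc-list. No shell parses it, so the whole
    # "name:style=style" string is one argv element, metacharacters included.
    return ["fc-list", "%s:style=%s" % (name, style), "file"]


def get_nix_font_path(name, style):
    # Hardened lookup in the spirit of the upstream fix: list-form subprocess,
    # plus handling for a missing fc-list binary and Fontconfig warning lines.
    try:
        proc = subprocess.run(fc_list_argv(name, style),
                              stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    except OSError:  # fc-list not installed: the old shell path just returned non-zero
        return None
    if proc.returncode != 0:
        return None
    for line in proc.stdout.splitlines():
        if line.startswith(b"Fontconfig warning:"):
            continue
        path = line.decode(errors="replace").strip().strip(":")
        if path:
            return path
    return None


def argv_as_seen_by_child(argv):
    # Stand-in for fc-list: a Python one-liner that echoes its argv, one
    # element per line, so we can inspect what the child actually received.
    echo = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]
    out = subprocess.run(echo + argv[1:], stdout=subprocess.PIPE, check=True).stdout
    return out.decode().splitlines()


def shell_string_as_seen_by_child(name, style):
    # The pre-fix construction: one string handed to /bin/sh (printf stands in
    # for fc-list). The shell applies its expansions to whatever sits inside
    # the double quotes, so the font name is no longer passed verbatim.
    cmd = 'printf "%%s\\n" "%s:style=%s" file' % (name, style)
    out = subprocess.run(["sh", "-c", cmd], stdout=subprocess.PIPE, check=True).stdout
    return out.decode().splitlines()
```

With the list form the child receives `Odd $HOME Name:style=Regular` literally; through the shell, `$HOME` is expanded before the child ever sees it.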
>Release-Note:
>Audit-Trail:
From: "Thomas Klausner" <wiz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/50661 CVS commit: pkgsrc/textproc/py-pygments
Date: Sun, 17 Jan 2016 14:22:11 +0000
Module Name: pkgsrc
Committed By: wiz
Date: Sun Jan 17 14:22:11 UTC 2016
Modified Files:
pkgsrc/textproc/py-pygments: Makefile distinfo
Added Files:
pkgsrc/textproc/py-pygments/patches: patch-img.py
Log Message:
Fix for code-injection vulnerability (CVE-2015-8557) from upstream.
From Rin Okuyama in PR 50661.
To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 pkgsrc/textproc/py-pygments/Makefile
cvs rdiff -u -r1.12 -r1.13 pkgsrc/textproc/py-pygments/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/textproc/py-pygments/patches/patch-img.py
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Sun, 17 Jan 2016 14:25:17 +0000
State-Changed-Why:
Committed, thank you!
From: Rin Okuyama <okuyama@flex.phys.tohoku.ac.jp>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/50661 (py-pygments: fix for code-injection vulnerability
(CVE-2015-8557))
Date: Mon, 18 Jan 2016 02:46:45 +0900
Change confirmed both for pkgsrc and pkg-vulnerabilities file.
Thank you for your commit!
From: "Benny Siegert" <bsiegert@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/50661 CVS commit: [pkgsrc-2015Q4] pkgsrc/textproc/py-pygments
Date: Tue, 19 Jan 2016 19:05:21 +0000
Module Name: pkgsrc
Committed By: bsiegert
Date: Tue Jan 19 19:05:21 UTC 2016
Modified Files:
pkgsrc/textproc/py-pygments [pkgsrc-2015Q4]: Makefile distinfo
Added Files:
pkgsrc/textproc/py-pygments/patches [pkgsrc-2015Q4]: patch-img.py
Log Message:
Pullup ticket #4900 - requested by wiz
textproc/py-pygments: security fix
Revisions pulled up:
- textproc/py-pygments/Makefile 1.21-1.22
- textproc/py-pygments/distinfo 1.13
- textproc/py-pygments/patches/patch-img.py 1.1
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Jan 17 14:22:11 UTC 2016
Modified Files:
pkgsrc/textproc/py-pygments: Makefile distinfo
Added Files:
pkgsrc/textproc/py-pygments/patches: patch-img.py
Log Message:
Fix for code-injection vulnerability (CVE-2015-8557) from upstream.
From Rin Okuyama in PR 50661.
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Jan 17 16:03:13 UTC 2016
Modified Files:
pkgsrc/textproc/py-pygments: Makefile
Log Message:
Comment out py-sphinx build dependency since it introduces a cycle.
To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.20.6.1 pkgsrc/textproc/py-pygments/Makefile
cvs rdiff -u -r1.12 -r1.12.2.1 pkgsrc/textproc/py-pygments/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/textproc/py-pygments/patches/patch-img.py
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted: