Your message dated Tue, 15 Dec 2015 18:18:58 +0000
with message-id <e1a8ube-0003jt...@franck.debian.org>
and subject line Bug#802828: fixed in pygments 1.3.1+dfsg-1+deb6u11
has caused the Debian Bug report #802828,
regarding python-pygments: CVE-2015-8557: shell injection in FontManager._get_nix_font_path
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
802828: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802828
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-pygments
Version: 2.0.1+dfsg-1.1
Tags: security
Forwarded: https://bitbucket.org/birkenfeld/pygments-main/pull-requests/501
Javantea reported in <http://seclists.org/fulldisclosure/2015/Oct/4>:
An unsafe use of string concatenation in a shell string occurs in
FontManager. If the developer allows the attacker to choose the font
and outputs an image, the attacker can execute any shell command on the
remote system. The name variable injected comes from the constructor of
FontManager, which is invoked by ImageFormatter from options.
pygments/formatters/img.py:82
    def _get_nix_font_path(self, name, style):
        try:
            from commands import getstatusoutput
        except ImportError:
            from subprocess import getstatusoutput
        # name and style are interpolated verbatim into a string that
        # getstatusoutput() hands to a shell; a double quote in either
        # closes the quoted argument and the rest is parsed as shell syntax
        exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
                                    (name, style))
        if not exit:
            lines = out.splitlines()
            if lines:
                path = lines[0].strip().strip(':')
                return path
--
Jakub Wilk
--- End Message ---
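A hardened lookup in the spirit of the report above, added here as an example; it is not Pygments' code and not the fix that was shipped. It assumes fc-list is called by argument vector (no shell), a conservative allowlist on name/style, and a hypothetical `run` parameter so the parsing can be exercised without fontconfig installed.

```python
import re
import subprocess
from typing import Callable, List, Optional, Tuple

# Assumed policy (not Pygments'): font names/styles are letters, digits,
# space, dot, underscore, hyphen. Real fontconfig patterns may use more, but
# quotes, semicolons, $ and backticks have no business in a font name.
_FONT_TOKEN = re.compile(r'^[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}$')


def validate_font_token(value: str) -> bool:
    """True if value looks like a plausible font name or style."""
    return bool(_FONT_TOKEN.match(value))


def fc_list_argv(name: str, style: str) -> List[str]:
    """Build the fc-list command as an argv list, not a shell string.

    The whole pattern is a single argv element, so no shell ever parses it;
    any quote or metacharacter in `name` reaches fc-list as literal text.
    """
    return ['fc-list', '%s:style=%s' % (name, style), 'file']


def _run_fc_list(argv: List[str]) -> Tuple[int, str]:
    """Default runner: execute argv directly (shell=False) and capture stdout."""
    proc = subprocess.run(argv, stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, universal_newlines=True)
    return proc.returncode, proc.stdout


def get_nix_font_path(name: str, style: str,
                      run: Callable[[List[str]], Tuple[int, str]] = _run_fc_list
                      ) -> Optional[str]:
    """Safe replacement for the vulnerable lookup: validate, exec, parse."""
    # Reject suspicious input before anything is executed at all.
    if not (validate_font_token(name) and validate_font_token(style)):
        return None
    returncode, out = run(fc_list_argv(name, style))
    if returncode != 0:
        return None
    for line in out.splitlines():
        # fontconfig may print warnings ahead of the result; skip them.
        if line.startswith('Fontconfig warning:'):
            continue
        path = line.strip().strip(':')
        if path:
            return path
    return None
```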
--- Begin Message ---
Source: pygments
Source-Version: 1.3.1+dfsg-1+deb6u11
We believe that the bug you reported is fixed in the latest version of
pygments, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 802...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated pygments package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Tue, 15 Dec 2015 17:54:50 +0000
Source: pygments
Binary: python-pygments
Architecture: source all
Version: 1.3.1+dfsg-1+deb6u11
Distribution: squeeze-lts
Urgency: high
Maintainer: Piotr Ożarowski <pi...@debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
python-pygments - syntax highlighting package written in Python
Closes: 802828
Changes:
pygments (1.3.1+dfsg-1+deb6u11) squeeze-lts; urgency=high
.
* CVE-2015-8557: Fix shell Injection in Pygments
FontManager._get_nix_font_path. (Closes: #802828)
--- End Message ---