Package: python-pygments
Version: 2.0.1+dfsg-1.1
Tags: security
Forwarded: https://bitbucket.org/birkenfeld/pygments-main/pull-requests/501
Javantea reported in <http://seclists.org/fulldisclosure/2015/Oct/4>:
An unsafe use of string concatenation in a shell string occurs in
FontManager. If the developer allows the attacker to choose the font
and outputs an image, the attacker can execute any shell command on the
remote system. The name variable injected comes from the constructor of
FontManager, which is invoked by ImageFormatter from options.
pygments/formatters/img.py:82
def _get_nix_font_path(self, name, style):
try:
from commands import getstatusoutput
except ImportError:
from subprocess import getstatusoutput
exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
(name, style))
if not exit:
lines = out.splitlines()
if lines:
path = lines[0].strip().strip(':')
return path
--
Jakub Wilk
