CVE-2021-20270 (23.03.21 18:15)

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
Upstream version 2.8.1 is not affected. Because this package would cause 456 dependents to be rebuilt, I prepared 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d and will push it soon to staging, once master is merged into it so that .guix-authorizations contains my key. I also attached the patch (trivial). Opening this bug to track when this lands in master.
From 69e3b7f4bea9ab6c9520c5b5bdc14e0388475c3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9o=20Le=20Bouter?= <lle-b...@zaclys.net> Date: Wed, 24 Mar 2021 00:01:52 +0100 Subject: [PATCH] gnu: python-pygments: Update to 2.8.1 [security fixes]. Fixes at least CVE-2021-20270. * gnu/packages/python-xyz.scm (python-pygments): Update to 2.8.1. --- gnu/packages/python-xyz.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm index cc21caa721..b50683f943 100644 --- a/gnu/packages/python-xyz.scm +++ b/gnu/packages/python-xyz.scm @@ -3619,14 +3619,14 @@ text styles of documentation.") (define-public python-pygments (package (name "python-pygments") - (version "2.7.3") + (version "2.8.1") (source (origin (method url-fetch) (uri (pypi-uri "Pygments" version)) (sha256 (base32 - "05mps9r966r3dpqw6zrs1nlwjdf5y4960hl9m7abwb3qyfnarwyc")))) + "153zyxigm879sk2n71lfv03y2pgxb7dl0dlsbwkz9aydxnkf2mi6")))) (build-system python-build-system) (arguments ;; FIXME: Tests require sphinx, which depends on this. -- 2.31.0
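Review bot: nothing in this hunk exercises the SMLLexer fix the commit message cites, because the trailing context `;; FIXME: Tests require sphinx, which depends on this.` shows the package builds with its test suite skipped; the only things the build checks are that the 2.8.1 tarball matches the new base32 hash `153zyxigm879sk2n71lfv03y2pgxb7dl0dlsbwkz9aydxnkf2mi6` and that it installs. Before pushing, suggest confirming by hand that the 2.8.1 `SMLLexer` returns on an input consisting solely of `exception` (the trigger the bug names) and that the hash was recomputed from the fetched tarball rather than copied, since a mismatched hash would fail the 456 dependent rebuilds on staging rather than this one package.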
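To make the bug concrete for anyone checking a deployed Pygments rather than the Guix package definition, the following is an added example (it is not code from the Guix bug, the patch, or the Pygments project). It decides from a version string whether an installation falls in the advisory's affected range 1.5 to 2.7.3, and then tokenises the trigger input "exception" with `SMLLexer` in a child interpreter under a timeout, so that an affected version is reported as a hang instead of hanging the caller. The five-second timeout, the status strings, and the `parse_version`/`is_affected`/`sml_lexer_terminates` names are this example's own assumptions; the affected range and the trigger input come from the CVE description above.

```python
"""Added check for CVE-2021-20270 (example code, not part of the Guix bug or patch).

Two pieces: a version-range test against the advisory's 1.5 .. 2.7.3 range, and a
subprocess-based probe that runs SMLLexer on the trigger input "exception" under a
timeout, so an affected Pygments shows up as 'hung' rather than stalling this script.
"""
import importlib.util
import re
import subprocess
import sys

AFFECTED_LOW = (1, 5, 0)      # first affected release, per the advisory
AFFECTED_HIGH = (2, 7, 3)     # last affected release; 2.8.1 is fixed upstream
TRIGGER_INPUT = "exception"   # the advisory's input: a file containing only the keyword

# Script run in a child interpreter; it never returns on an affected version.
CHILD_SCRIPT = (
    "import sys\n"
    "from pygments.lexers import SMLLexer\n"
    "list(SMLLexer().get_tokens(sys.stdin.read()))\n"
)


def parse_version(version):
    """Turn '2.7.3' (or '2.8', '2.7.3.dev0') into a 3-tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True if this Pygments version lies in the CVE-2021-20270 range."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def sml_lexer_terminates(source=TRIGGER_INPUT, timeout=5.0):
    """Probe the installed Pygments; returns one of four assumed status strings.

    'terminated'       - the lexer returned within `timeout` seconds
    'hung'             - the child was still running and was killed (the CVE's DoS)
    'crashed'          - the child exited non-zero (e.g. import error)
    'pygments-missing' - no pygments package is importable, nothing was run
    """
    if importlib.util.find_spec("pygments") is None:
        return "pygments-missing"
    try:
        # subprocess.run kills the child itself when the timeout expires.
        result = subprocess.run(
            [sys.executable, "-c", CHILD_SCRIPT],
            input=source, text=True, capture_output=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "hung"
    return "terminated" if result.returncode == 0 else "crashed"


if __name__ == "__main__":
    try:
        import pygments
        print(f"pygments {pygments.__version__}: "
              f"in affected range = {is_affected(pygments.__version__)}")
    except ImportError:
        print("pygments is not installed")
    print("SMLLexer on the trigger input:", sml_lexer_terminates())
```

The version test alone is not sufficient evidence either way (distributions backport fixes without bumping the version, which is why the Guix discussion above rebuilds rather than patches), so the subprocess probe is the check that actually answers whether the lexer loops; running the lexer in the parent interpreter would turn a positive result into a hang of the checking tool itself.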