From: Narpat Mali <narpat.m...@windriver.com> CVE-2022-40896: A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.
The CVE issue is fixed by 3 different commits between the releases 2.14.0 (for Smithy lexer), 2.15.0 (for SQL+Jinja lexers) and 2.15.1 (for Java properties) as per: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/ 1. Smithy lexer commit from 2.14.0 release applies successfully on 2.11.2 version. Commit: https://github.com/pygments/pygments/commit/dd52102c38ebe78cd57748e09f38929fd283ad04 Hence, backported the patch as CVE-2022-40896.patch. 2. SQL+Jinja lexers commit from 2.15.0 release doesn't apply on 2.11.2 version. Commit: https://github.com/pygments/pygments/commit/97eb3d5ec7c1b3ea4fcf9dee30a2309cf92bd194 Actually, this code doesn't exist in 2.11.2 version and it has been introduce by python3-pygments 2.13.0 version. Hence, this is not vulnerable for 2.11.2 version. SQL+Jinja lexers is introduced by: https://github.com/pygments/pygments/commit/0bdbd5992baca32d18e01f0ec65337e06abf9456 3. Java properties commit from 2.15.1 release also doesn't apply on 2.11.2 version. Commit: https://github.com/pygments/pygments/commit/fdf182a7af85b1deeeb637ca970d31935e7c9d52 Actually, this code also doesn't exist in 2.11.2 version as the code has been modified in python3-pygments 2.14.0 by: https://github.com/pygments/pygments/commit/a38cb38e93c9635240b3ae89d78d38cf182745da Hence, this is also not vulnerable for 2.11.2 version. Signed-off-by: Narpat Mali <narpat.m...@windriver.com> Signed-off-by: Steve Sakoman <st...@sakoman.com> --- .../python3-pygments/CVE-2022-40896.patch | 124 ++++++++++++++++++ .../python/python3-pygments_2.11.2.bb | 2 + 2 files changed, 126 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch diff --git a/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch new file mode 100644 index 0000000000..9848072a94 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch @@ -0,0 +1,124 @@ +From ed61747f328ff6aa343881b269600308ab8eac93 Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.m...@windriver.com> +Date: Wed, 6 Sep 2023 10:32:38 +0000 +Subject: [PATCH] Improve the Smithy metadata matcher. + +Previously, metadata foo bar baz = 23 was accepted, but according to +the definition https://smithy.io/2.0/spec/idl.html#grammar-token-smithy-MetadataSection +it should be "metadata"<whitespace>Identifier/String<optional whitespace>. + +CVE: CVE-2022-40896 + +Upstream-Status: Backport [https://github.com/pygments/pygments/commit/dd52102c38ebe78cd57748e09f38929fd283ad04] + +Signed-off-by: Narpat Mali <narpat.m...@windriver.com> +--- + pygments/lexers/smithy.py | 5 +- + tests/examplefiles/smithy/test.smithy | 12 +++++ + tests/examplefiles/smithy/test.smithy.output | 52 ++++++++++++++++++++ + 3 files changed, 67 insertions(+), 2 deletions(-) + +diff --git a/pygments/lexers/smithy.py b/pygments/lexers/smithy.py +index 0f0a912..c5e25cd 100644 +--- a/pygments/lexers/smithy.py ++++ b/pygments/lexers/smithy.py +@@ -58,8 +58,9 @@ class SmithyLexer(RegexLexer): + (words(aggregate_shapes, + prefix=r'^', suffix=r'(\s+' + identifier + r')'), + bygroups(Keyword.Declaration, Name.Class)), +- (r'^(metadata)(\s+.+)(\s*)(=)', +- bygroups(Keyword.Declaration, Name.Class, Whitespace, Name.Decorator)), ++ (r'^(metadata)(\s+)((?:\S+)|(?:\"[^"]+\"))(\s*)(=)', ++ bygroups(Keyword.Declaration, Whitespace, Name.Class, ++ Whitespace, Name.Decorator)), + (r"(true|false|null)", Keyword.Constant), + (r"(-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?)", Number), + (identifier + ":", Name.Label), +diff --git a/tests/examplefiles/smithy/test.smithy b/tests/examplefiles/smithy/test.smithy +index 3d20f06..9317fee 100644 +--- a/tests/examplefiles/smithy/test.smithy ++++ b/tests/examplefiles/smithy/test.smithy +@@ -2,6 +2,18 @@ $version: "1.0" + + namespace test + ++metadata "foo" = ["bar", "baz"] ++metadata validators = [ ++ { ++ name: "ValidatorName" ++ id: "ValidatorId" ++ message: "Some string" ++ configuration: { ++ selector: "operation" ++ } ++ } ++] ++ + /// Define how an HTTP request is serialized given a specific protocol, + /// authentication scheme, and set of input parameters. + @trait(selector: "operation") +diff --git a/tests/examplefiles/smithy/test.smithy.output b/tests/examplefiles/smithy/test.smithy.output +index 1f22489..db44a38 100644 +--- a/tests/examplefiles/smithy/test.smithy.output ++++ b/tests/examplefiles/smithy/test.smithy.output +@@ -7,6 +7,58 @@ + ' test' Name.Class + '\n\n' Text.Whitespace + ++'metadata' Keyword.Declaration ++' ' Text.Whitespace ++'"foo"' Name.Class ++' ' Text.Whitespace ++'=' Name.Decorator ++' ' Text.Whitespace ++'[' Text ++'"bar"' Literal.String.Double ++',' Punctuation ++' ' Text.Whitespace ++'"baz"' Literal.String.Double ++']' Text ++'\n' Text.Whitespace ++ ++'metadata' Keyword.Declaration ++' ' Text.Whitespace ++'validators' Name.Class ++' ' Text.Whitespace ++'=' Name.Decorator ++' ' Text.Whitespace ++'[' Text ++'\n ' Text.Whitespace ++'{' Text ++'\n ' Text.Whitespace ++'name:' Name.Label ++' ' Text.Whitespace ++'"ValidatorName"' Literal.String.Double ++'\n ' Text.Whitespace ++'id:' Name.Label ++' ' Text.Whitespace ++'"ValidatorId"' Literal.String.Double ++'\n ' Text.Whitespace ++'message:' Name.Label ++' ' Text.Whitespace ++'"Some string"' Literal.String.Double ++'\n ' Text.Whitespace ++'configuration:' Name.Label ++' ' Text.Whitespace ++'{' Text ++'\n ' Text.Whitespace ++'selector:' Name.Label ++' ' Text.Whitespace ++'"operation"' Literal.String.Double ++'\n ' Text.Whitespace ++'}' Text ++'\n ' Text.Whitespace ++'}' Text ++'\n' Text.Whitespace ++ ++']' Text ++'\n\n' Text.Whitespace ++ + '/// Define how an HTTP request is serialized given a specific protocol,' Comment.Multiline + '\n' Text.Whitespace + +-- +2.40.0 diff --git a/meta/recipes-devtools/python/python3-pygments_2.11.2.bb b/meta/recipes-devtools/python/python3-pygments_2.11.2.bb index 35d288c89e..6e787f23d2 100644 --- a/meta/recipes-devtools/python/python3-pygments_2.11.2.bb +++ b/meta/recipes-devtools/python/python3-pygments_2.11.2.bb @@ -7,6 +7,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=98419e351433ac106a24e3ad435930bc" inherit setuptools3 SRC_URI[sha256sum] = "4e426f72023d88d03b2fa258de560726ce890ff3b630f88c21cbb8b2503b8c6a" +SRC_URI += "file://CVE-2022-40896.patch" + DEPENDS += "\ ${PYTHON_PN} \ " -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#187596): https://lists.openembedded.org/g/openembedded-core/message/187596 Mute This Topic: https://lists.openembedded.org/mt/101338048/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
