Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 564478 (CVE-2015-8557) - <dev-python/pygments-2.0.2-r1: Shell injection in FontManager._get_nix_font_path (CVE-2015-8557)
Summary: <dev-python/pygments-2.0.2-r1: Shell injection in FontManager._get_nix_font_p...
Status: RESOLVED FIXED
Alias: CVE-2015-8557
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-30 08:50 UTC by Agostino Sarubbo
Modified: 2016-12-04 06:51 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-10-30 08:50:36 UTC
From ${URL} :

An unsafe use of string concatenation in a shell string occurs in FontManager. If the developer 
allows the attacker to choose the font and outputs an image, the attacker can execute any shell 
command on the remote system. The name variable injected comes from the constructor of FontManager, 
which is invoked by ImageFormatter from options.

Vulnerable code:

def _get_nix_font_path(self, name, style):
    try:
        from commands import getstatusoutput
    except ImportError:
        from subprocess import getstatusoutput
    exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
                                (name, style))
    if not exit:
        lines = out.splitlines()
        if lines:
            path = lines[0].strip().strip(':')
            return path

Upstream patch:

https://bitbucket.org/birkenfeld/pygments-main/commits/6b4baae517b6aaff7142e66f1dbadf7b9b871f61


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2015-10-30 12:05:22 UTC
commit 0bd80b2412af7bd1143f9bb9a3426ebdfab5c333
Author: Justin Lecher <jlec@gentoo.org>
Date:   Fri Oct 30 12:14:00 2015 +0100
    
    dev-python/pygments: Backport fix for shell injection
    
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=564478
    
    Package-Manager: portage-2.2.23
    Signed-off-by: Justin Lecher <jlec@gentoo.org>
    
    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0bd80b2412af7bd1143f9bb9a3426ebdfab5c333
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2015-10-30 12:07:04 UTC
@arches please stabilize

dev-python/pygments-2.0.2-r1
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-10-31 06:39:57 UTC
Stable for HPPA PPC64.
Comment 4 Justin Lecher (RETIRED) gentoo-dev 2015-10-31 07:37:12 UTC
commit 425575947d9a71a5aed0426a76ea8c1cc0f889da
Author: Justin Lecher <jlec@gentoo.org>
Date:   Sat Oct 31 08:36:32 2015 +0100

    dev-python/pygments: Stable for ALLARCHES

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=564478

    Package-Manager: portage-2.2.23
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=425575947d9a71a5aed0426a76ea8c1cc0f889da
Comment 5 Justin Lecher (RETIRED) gentoo-dev 2015-10-31 07:39:48 UTC
Cleaned. 

commit 8f3132b9389eef8f0674406cdd36baac8737581f
Author: Justin Lecher <jlec@gentoo.org>
Date:   Sat Oct 31 08:39:17 2015 +0100

    dev-python/pygments: Drop vulnerable versions

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=564478

    Package-Manager: portage-2.2.23
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8f3132b9389eef8f0674406cdd36baac8737581f
Comment 6 Justin Lecher (RETIRED) gentoo-dev 2015-12-04 08:34:52 UTC
commit 1df3cf378b95f59d76c98bfca0f23648cbabce2b
Author: Justin Lecher <jlec@gentoo.org>
Date:   Fri Dec 4 09:34:28 2015 +0100

    dev-python/pygments: Fix byte decoding in py3

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=564478

    Package-Manager: portage-2.2.25
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1df3cf378b95f59d76c98bfca0f23648cbabce2b
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-12-08 00:26:28 UTC
jlec, please do not close security bugs. We have to follow the security process on them.

New GLSA Request filed.
Comment 8 Justin Lecher (RETIRED) gentoo-dev 2015-12-08 07:12:17 UTC
(In reply to Yury German from comment #7)
> jlec, please do not close security bugs. We have to follow the security
> process on them.
> 


I am really sorry for that. didn't meant to do that.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-12-04 06:51:13 UTC
This issue was resolved and addressed in
 GLSA 201612-05 at https://security.gentoo.org/glsa/201612-05
by GLSA coordinator Aaron Bauman (b-man).