From ${URL} :

An unsafe use of string concatenation in a shell string occurs in FontManager. If the developer allows the attacker to choose the font and outputs an image, the attacker can execute any shell command on the remote system. The injected name variable comes from the constructor of FontManager, which is invoked by ImageFormatter from options.

Vulnerable code:

    def _get_nix_font_path(self, name, style):
        try:
            from commands import getstatusoutput
        except ImportError:
            from subprocess import getstatusoutput
        # name and style are spliced into a string that /bin/sh parses, so
        # shell metacharacters in the font name become extra commands
        exit, out = getstatusoutput('fc-list "%s:style=%s" file' % (name, style))
        if not exit:
            lines = out.splitlines()
            if lines:
                path = lines[0].strip().strip(':')
                return path

Upstream patch: https://bitbucket.org/birkenfeld/pygments-main/commits/6b4baae517b6aaff7142e66f1dbadf7b9b871f61

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
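The following is an added example written for this report; it is not code from the bug, from pygments, or from the upstream patch. It rebuilds the vulnerable pattern above so the injection can be observed, and puts a hardened lookup next to it that passes the fontconfig pattern as a single argv element with no shell, decodes the bytes that a Python 3 pipe returns, and skips "Fontconfig warning:" lines. Function names, the MALICIOUS_NAME sample, the fake_run stand-in and its constructed fc-list output are all assumptions of this example.

```python
"""Shell injection in a font lookup: the vulnerable pattern and a hardened one.

Added example for the FontManager bug; not pygments' code and not the upstream
patch. All names below are assumptions of this example.
"""
import subprocess

# Attacker-chosen font name (constructed sample). The double quotes close the
# quoted pattern the vulnerable code builds and append a second command.
MALICIOUS_NAME = '"; echo INJECTED; echo "'


def vulnerable_command(name, style):
    """Build exactly the shell string the vulnerable code hands to
    getstatusoutput(); user input is spliced in unquoted."""
    return 'fc-list "%s:style=%s" file' % (name, style)


def vulnerable_lookup(name, style):
    """Run the string through the shell, as getstatusoutput() does.
    With MALICIOUS_NAME the shell runs the injected 'echo INJECTED' whether
    or not fc-list is installed, so the output contains INJECTED."""
    _exit, out = subprocess.getstatusoutput(vulnerable_command(name, style))
    return out


def fc_list_argv(name, style):
    """Argument vector for fc-list. The pattern is one argv element, so
    quotes, semicolons and backticks in `name` are never interpreted."""
    return ['fc-list', '%s:style=%s' % (name, style), 'file']


def hardened_lookup(name, style, run=subprocess.run):
    """Hardened lookup: no shell, explicit decoding of the bytes stdout that
    Python 3 pipes return, fontconfig warnings skipped. `run` is injectable so
    the logic can be exercised without fontconfig installed (assumption)."""
    try:
        proc = run(fc_list_argv(name, style), stdout=subprocess.PIPE,
                   stderr=subprocess.DEVNULL, check=False)
    except FileNotFoundError:      # fc-list not installed
        return None
    if proc.returncode != 0:
        return None
    for line in proc.stdout.splitlines():
        if line.startswith(b'Fontconfig warning:'):
            continue
        path = line.decode('utf-8', 'replace').strip().strip(':')
        if path:
            return path
    return None


def fake_run(argv, **kwargs):
    """Stand-in for subprocess.run (assumption): records the argv it received
    and returns constructed fc-list output as bytes, like a real pipe."""
    fake_run.last_argv = argv
    return subprocess.CompletedProcess(
        argv, 0,
        stdout=b'Fontconfig warning: ignored\n/usr/share/fonts/Demo.ttf: \n')


fake_run.last_argv = None


if __name__ == '__main__':
    print(vulnerable_command(MALICIOUS_NAME, 'Regular'))
    print(vulnerable_lookup(MALICIOUS_NAME, 'Regular'))
    print(hardened_lookup(MALICIOUS_NAME, 'Regular', run=fake_run))
    print(fake_run.last_argv)
```

Running the vulnerable path with MALICIOUS_NAME needs only /bin/sh: fc-list may fail or be absent, but the injected echo still executes. The hardened path hands the same name to fc-list as one argument, so the worst an attacker gets is a pattern that matches no font.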
commit 0bd80b2412af7bd1143f9bb9a3426ebdfab5c333
Author: Justin Lecher <jlec@gentoo.org>
Date:   Fri Oct 30 12:14:00 2015 +0100

    dev-python/pygments: Backport fix for shell injection

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=564478

    Package-Manager: portage-2.2.23
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0bd80b2412af7bd1143f9bb9a3426ebdfab5c333
@arches please stabilize dev-python/pygments-2.0.2-r1
Stable for HPPA PPC64.
commit 425575947d9a71a5aed0426a76ea8c1cc0f889da
Author: Justin Lecher <jlec@gentoo.org>
Date:   Sat Oct 31 08:36:32 2015 +0100

    dev-python/pygments: Stable for ALLARCHES

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=564478

    Package-Manager: portage-2.2.23
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=425575947d9a71a5aed0426a76ea8c1cc0f889da
Cleaned.

commit 8f3132b9389eef8f0674406cdd36baac8737581f
Author: Justin Lecher <jlec@gentoo.org>
Date:   Sat Oct 31 08:39:17 2015 +0100

    dev-python/pygments: Drop vulnerable versions

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=564478

    Package-Manager: portage-2.2.23
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8f3132b9389eef8f0674406cdd36baac8737581f
commit 1df3cf378b95f59d76c98bfca0f23648cbabce2b
Author: Justin Lecher <jlec@gentoo.org>
Date:   Fri Dec 4 09:34:28 2015 +0100

    dev-python/pygments: Fix byte decoding in py3

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=564478

    Package-Manager: portage-2.2.25
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1df3cf378b95f59d76c98bfca0f23648cbabce2b
jlec, please do not close security bugs. We have to follow the security process on them. New GLSA Request filed.
(In reply to Yury German from comment #7)
> jlec, please do not close security bugs. We have to follow the security
> process on them.
>
I am really sorry for that. Didn't mean to do that.
This issue was resolved and addressed in GLSA 201612-05 at https://security.gentoo.org/glsa/201612-05 by GLSA coordinator Aaron Bauman (b-man).