Bug 1940603 (CVE-2021-27291)
| Summary: | CVE-2021-27291 python-pygments: ReDoS in multiple lexers | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | agk, apevec, bcoca, chousekn, cluster-maint, cmeyers, davidn, fdinitto, gblomqui, hhorak, jcammara, jhardy, jjoyce, jobarker, jorton, jschluet, lbalhar, lhh, lpeer, mabashia, mburns, mhroncok, notting, oalbrigt, orion, osapryki, python-maint, python-sig, relrod, sclewis, sdoran, slinaber, smcdonal, tkuratom |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | python-pygments 2.7.4 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A denial of service attack was discovered against pygments. Some of the regular expressions used to tokenise source code for highlighting have exponential complexity. A specially crafted input file could cause pygments to take effectively infinite time to parse, consuming CPU resources and denying access to the service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-08-24 15:35:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1922136, 1940604, 1940605, 1943458, 1943459, 1943460, 1943462, 1943463, 1943464, 1944269, 1969503 | ||
| Bug Blocks: | 1940606 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-03-18 17:33:03 UTC
Created python-pygments tracking bugs for this issue: Affects: fedora-all [bug 1940604] Created python3-pygments tracking bugs for this issue: Affects: epel-7 [bug 1940605] The AAP is affected by this vulnerability, however it has been fixed in the recent release i.e. 1.2.2 . Simple Python script to generate at least a few malicious files as described upstream:
```
with open("test.m", mode="w") as file:
print('function' + ' ' * 400, file=file)
with open("test.vcl", mode="w") as file:
print('backend x{.a=' + ' ' * 3456, file=file)
with open("test.factor", mode="w") as file:
print('"""'+ " " * 3456, file=file)
```
With these files, vulnerable pygments runs for tens of seconds but the fixed one is done in less than half a second.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3252 https://access.redhat.com/errata/RHSA-2021:3252 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-27291 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4139 https://access.redhat.com/errata/RHSA-2021:4139 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4150 https://access.redhat.com/errata/RHSA-2021:4150 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4151 https://access.redhat.com/errata/RHSA-2021:4151 |