An unsafe use of string concatenation in a shell string occurs in FontManager. If the developer allows the attacker to choose the font and outputs an image, the attacker can execute any shell command on the remote system. The name variable injected comes from the constructor of FontManager, which is invoked by ImageFormatter from options. Vulnerable code: def _get_nix_font_path(self, name, style): try: from commands import getstatusoutput except ImportError: from subprocess import getstatusoutput exit, out = getstatusoutput('fc-list "%s:style=%s" file' % (name, style)) if not exit: lines = out.splitlines() if lines: path = lines[0].strip().strip(':') return path Upstream patch: https://bitbucket.org/birkenfeld/pygments-main/commits/0036ab1c99e256298094505e5e92fdacdfc5b0a8
Created python-pygments tracking bugs for this issue: Affects: fedora-all [bug 1276325]
python-pygments-2.0.2-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
The old patch caused problems. Here's a better upstream patch: https://bitbucket.org/birkenfeld/pygments-main/commits/0036ab1c99e256298094505e5e92fdacdfc5b0a8 EDIT: This is only relevant to the upstream patches and is related to the availability of shlex.quote across different Python versions, which could cause an error in older Python versions. The patches used in Fedora are not affected by this problem.
This is only a problem if you use the image formatters and allow attackers to provide a specially crafted font name. No package shipped with RHEL provides a suitable vector for this attack.