Red Hat Bugzilla – Bug 1276321
CVE-2015-8557 python-pygments: Shell injection in FontManager._get_nix_font_path
Last modified: 2016-04-26 19:33:35 EDT
An unsafe use of string concatenation in a shell string occurs in FontManager. If the developer allows the attacker to choose the font and outputs an image, the attacker can execute any shell command on the remote system. The name variable injected comes from the constructor of FontManager, which is invoked by ImageFormatter from options.
def _get_nix_font_path(self, name, style):
from commands import getstatusoutput
from subprocess import getstatusoutput
exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
if not exit:
lines = out.splitlines()
path = lines.strip().strip(':')
Created python-pygments tracking bugs for this issue:
Affects: fedora-all [bug 1276325]
python-pygments-2.0.2-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
The old patch caused problems. Here's a better upstream patch:
EDIT: This is only relevant to the upstream patches and is related to the availability of shlex.quote across different Python versions, which could cause an error in older Python versions. The patches used in Fedora are not affected by this problem.
This is only a problem if you use the image formatters and allow attackers to provide a specially crafted font name. No package shipped with RHEL provides a suitable vector for this attack.