Infinite loop in SML lexer may lead to DoS. When the SMLLexer gets fed the string "exception" it seems to loop indefinitely.
Created python-pygments tracking bugs for this issue:
Affects: fedora-all [bug 1922137]
Upstream bug report:
The affected SMLLexer was introduced in pygements version 1.5. Therefore the version of pygments as shipped with Red Hat Enterprise Linux 7 or earlier are not affected, as they do not include SMLLexer.
Pygments is included in the resource-agents packages as shipped with Red Hat Enterprise Linux 7 and 8, included as part of the bundled Google Cloud SDK. There are two uses of Pygments inside that bundled Google Cloud SDK version:
* prompt_toolkit - This library allows specifying Pygments lexer that will be used to do syntax highlighting in command prompts. It is used by Google Cloud SDK command line tool, but it does not specify any lexer.
There does not seem to be a way to trigger this issue in the Pygments version bundled in resource-agents packages.
This issue has been addressed in the following products:
Red Hat Automation Hub 4.2 for RHEL 7
Red Hat Automation Hub 4.2 for RHEL 8
Via RHSA-2021:0781 https://access.redhat.com/errata/RHSA-2021:0781
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
In OpenShift Container Platform 3.11, the vulnerable version of python-pygments is embedded in the google-cloud-sdk package, which is shipped in the openshift-ansible container (aos3-installation-container). As the access to the openshift-ansible container is restricted only to cluster administrators, this component is affected but with a Low impact. The google-cloud-sdk package was shipped in OpenShift Container Platform 4.1, which is End of Life.
*** Bug 1944269 has been marked as a duplicate of this bug. ***