In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. Reference: https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce Upstream patch: https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
Created python-pygments tracking bugs for this issue: Affects: fedora-all [bug 1940604] Created python3-pygments tracking bugs for this issue: Affects: epel-7 [bug 1940605]
The AAP is affected by this vulnerability, however it has been fixed in the recent release i.e. 1.2.2 .
Simple Python script to generate at least a few malicious files as described upstream: ``` with open("test.m", mode="w") as file: print('function' + ' ' * 400, file=file) with open("test.vcl", mode="w") as file: print('backend x{.a=' + ' ' * 3456, file=file) with open("test.factor", mode="w") as file: print('"""'+ " " * 3456, file=file) ``` With these files, vulnerable pygments runs for tens of seconds but the fixed one is done in less than half a second.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3252 https://access.redhat.com/errata/RHSA-2021:3252
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-27291
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4139 https://access.redhat.com/errata/RHSA-2021:4139
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4150 https://access.redhat.com/errata/RHSA-2021:4150
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4151 https://access.redhat.com/errata/RHSA-2021:4151