Posted: Sun Dec 04, 2016 8:26 am Post subject: [ GLSA 201612-05 ] Pygments
Gentoo Linux Security Advisory
Title: Pygments: Arbitrary code execution (GLSA 201612-05)
Date: December 04, 2016
Pygments is vulnerable to remote code execution if an attacker is
allowed to specify the font name.
Pygments is a generic syntax highlighter suitable for use in code
hosting, forums, wikis or other applications that need to prettify source
Vulnerable: < 2.0.2-r1
Unaffected: >= 2.0.2-r1
Architectures: All supported architectures
A vulnerability in FontManager’s _get_nix_font_path function allows
shell metacharacters to be passed in a font name.
A remote attacker could possibly execute arbitrary code with the
privileges of the process.
There is no known workaround at this time.
All Pygments users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pygments-2.0.2-r1"
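An added illustration of the bug class the advisory describes, not Pygments' own code: the flaw arises when a caller-controlled font name is formatted into a single shell command line for fc-list, so the shell interprets any metacharacters in it. The helper below (hypothetical names) rejects such names up front and passes the value to fc-list as one literal argv element, so no shell ever parses it.

```python
import re
import shutil
import subprocess
from typing import List, Optional

# Allowlist for font family/style names: letters, digits, spaces and the few
# punctuation characters real font names use. Anything else (; | $ ` quotes,
# newlines, a leading dash that could read as an option) is rejected before
# the value gets anywhere near an external command.
_FONT_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}$")


def validate_font_name(value: str) -> str:
    """Return value unchanged if it is a plausible font name, else raise."""
    if not _FONT_NAME_RE.fullmatch(value):
        raise ValueError("rejected font name: %r" % value)
    return value


def build_fc_list_argv(name: str, style: str = "Regular") -> List[str]:
    """Build the fc-list argv as a list so that no shell ever parses it.

    The unsafe pattern is 'fc-list "%s:style=%s" file' % (name, style)
    executed through a shell; here the pattern is one argv element, so a
    name containing metacharacters is either rejected or passed literally.
    """
    pattern = "%s:style=%s" % (validate_font_name(name),
                               validate_font_name(style))
    return ["fc-list", pattern, "file"]


def lookup_font_path(name: str, style: str = "Regular") -> Optional[str]:
    """Run fc-list without a shell; return the first matching path or None."""
    if shutil.which("fc-list") is None:  # fontconfig not installed
        return None
    proc = subprocess.run(build_fc_list_argv(name, style),
                          capture_output=True, text=True, check=False)
    for line in proc.stdout.splitlines():
        # 'fc-list <pattern> file' prints lines like "/usr/share/fonts/x.ttf: "
        path = line.split(":", 1)[0].strip()
        if path:
            return path
    return None
```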