Pygments: Arbitrary code execution — GLSA 201612-05

Pygments is vulnerable to remote code execution if an attacker is allowed to specify the font name.

Affected packages

dev-python/pygments on all architectures
Affected versions < 2.0.2-r1
Unaffected versions >= 2.0.2-r1

Background

Pygments is a generic syntax highlighter suitable for use in code hosting, forums, wikis or other applications that need to prettify source code.

Description

A vulnerability in FontManager’s _get_nix_font_path function allows shell metacharacters to be passed in a font name.
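As an added illustration (not Pygments' own code), the unsafe pattern the description refers to, a caller-supplied font name interpolated into a shell command string, beside a hardened form that allowlists the name and style and invokes fc-list with an argument vector so no shell ever parses the input. The sample font names, the function names and the exact fc-list arguments are assumptions made for this example.

```python
import re
import subprocess

# Constructed sample inputs for this example (not from the advisory).
SAFE_NAME = "DejaVu Sans Mono"
UNSAFE_NAME = "Mono$(echo INJECTED)"   # command substitution survives double quotes

# Allowlist: letters, digits, space, dot, hyphen, underscore. Real font and
# style names fit this; shell metacharacters do not.
_ALLOWED = re.compile(r"[A-Za-z0-9 ._-]+")

def is_valid_font_token(value: str) -> bool:
    """True when `value` is non-empty and consists only of allowlisted characters."""
    return bool(value) and _ALLOWED.fullmatch(value) is not None

def legacy_shell_command(name: str, style: str = "Regular") -> str:
    """The vulnerable pattern: the caller-supplied name is interpolated into one
    string intended for os.popen()/shell=True. A shell parses that string, so
    $(...), backticks, ';' and similar in `name` are interpreted by the shell
    instead of reaching fc-list. Returned as a string here, never executed."""
    return 'fc-list "%s:style=%s" file' % (name, style)

def fc_list_argv(name: str, style: str = "Regular") -> list:
    """Hardened pattern: validate both tokens, then build an argument vector.
    Each element is handed to fc-list verbatim; no shell is involved."""
    for label, value in (("font name", name), ("style", style)):
        if not is_valid_font_token(value):
            raise ValueError("%s contains disallowed characters: %r" % (label, value))
    return ["fc-list", "%s:style=%s" % (name, style), "file"]

def query_font_paths(name: str, style: str = "Regular") -> list:
    """Run fc-list without a shell and return the matching font file paths.
    Needs fontconfig installed; returns [] when the binary is absent."""
    argv = fc_list_argv(name, style)
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return []
    return [line.strip() for line in proc.stdout.splitlines() if line.strip()]

if __name__ == "__main__":
    print("legacy command string :", legacy_shell_command(UNSAFE_NAME))
    print("hardened argv         :", fc_list_argv(SAFE_NAME))
    print("fc-list result        :", query_font_paths(SAFE_NAME))
```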

Impact

A remote attacker could possibly execute arbitrary code with the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All Pygments users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-python/pygments-2.0.2-r1"

References

Release date
December 04, 2016

Latest revision
December 04, 2016: 1

Severity
normal

Exploitable
remote

Bugzilla entries