FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

pygments -- shell injection vulnerability

Affected packages
py27-pygments < 2.0.2_1
py32-pygments < 2.0.2_1
py33-pygments < 2.0.2_1
py34-pygments < 2.0.2_1
py35-pygments < 2.0.2_1

Details

VuXML ID 5f276780-b6ce-11e5-9731-5453ed2e2b49
Discovery 2015-09-28
Entry 2016-01-09

NVD reports:

The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.
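The bug class NVD describes, shown as an added example that is neither the Pygments source nor the upstream patch: a font name interpolated into a shell command line next to the same lookup passed as an argument vector. The `fc-list` invocation, the helper names and both sample font names are assumptions made for illustration; the tokenizer only inspects the string and executes nothing.

```python
import shlex
import subprocess

# Constructed sample inputs; not taken from the advisory.
BENIGN_NAME = "DejaVu Sans"
HOSTILE_NAME = 'x"; echo INJECTED; "'


def shell_string(name, style):
    """Vulnerable pattern: the font name is pasted into a shell command line."""
    return 'fc-list "%s:style=%s" file' % (name, style)


def argv_list(name, style):
    """Hardened pattern: the font pattern is one argv element, no shell involved."""
    return ["fc-list", "%s:style=%s" % (name, style), "file"]


def shell_commands(cmdline):
    """Approximate how a POSIX shell splits a line into separate commands.

    Nothing is executed. Requires Python 3.8+ for this shlex behaviour.
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token and set(token) <= set(";&|"):  # command separator or pipe
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def lookup_font(name, style):
    """Run the hardened form; returns fc-list output, or None if unavailable."""
    try:
        done = subprocess.run(argv_list(name, style), capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return done.stdout if done.returncode == 0 else None


if __name__ == "__main__":
    for name in (BENIGN_NAME, HOSTILE_NAME):
        print(shell_commands(shell_string(name, "Bold")), argv_list(name, "Bold"))
```

With the shell string, the constructed hostile name turns one lookup into three commands; with the argument vector it stays a single, literal font pattern.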

References

CVE Name CVE-2015-8557
Message http://seclists.org/fulldisclosure/2015/Oct/4
URL https://bitbucket.org/birkenfeld/pygments-main/commits/0036ab1c99e256298094505e5e92fdacdfc5b0a8