FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

py-pygments -- multiple DoS vulnerabilities

Affected packages
py310-pygments < 2.7.4
py311-pygments < 2.7.4
py37-pygments < 2.7.4
py38-pygments < 2.7.4
py39-pygments < 2.7.4
py310-pygments-25 < 2.7.4
py311-pygments-25 < 2.7.4
py37-pygments-25 < 2.7.4
py38-pygments-25 < 2.7.4
py39-pygments-25 < 2.7.4
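To turn the affected-package table above into a check an administrator can run against an installed system, here is an added example (not part of the VuXML entry or of FreeBSD's own tooling). It parses `name-version` lines in the form that `pkg query '%n-%v'` prints (an assumption about the command; the sample lines below are constructed), splits FreeBSD package versions into epoch, dotted version and port revision, and reports packages whose version is below the fixed version 2.7.4 listed in this entry.

```python
"""Audit installed FreeBSD packages against the affected ranges in this VuXML entry."""
import subprocess

# Ranges copied from the advisory: every listed package is affected for versions < 2.7.4.
FIXED_IN = "2.7.4"
AFFECTED_PACKAGES = {
    "py37-pygments", "py38-pygments", "py39-pygments", "py310-pygments", "py311-pygments",
    "py37-pygments-25", "py38-pygments-25", "py39-pygments-25",
    "py310-pygments-25", "py311-pygments-25",
}

# Constructed sample output in the shape of `pkg query '%n-%v'` (assumption).
SAMPLE_PKG_LIST = """py39-pygments-2.7.3_1
py39-pygments-25-2.7.4
py310-pygments-2.15.1
vim-9.0.1000
"""


def parse_pkg_version(version: str):
    """Split a FreeBSD package version such as '2.7.3_1,1' into a comparable tuple.

    Layout handled: <dotted version>[_<port revision>][,<port epoch>].
    Simplification (assumption): only the leading digits of each dotted component
    are compared; pkg's real version ordering has more rules than this.
    """
    epoch = 0
    if "," in version:
        version, epoch_text = version.rsplit(",", 1)
        epoch = int(epoch_text)
    revision = 0
    if "_" in version:
        version, revision_text = version.rsplit("_", 1)
        revision = int(revision_text)
    components = []
    for part in version.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        components.append(int(digits) if digits else 0)
    # Epoch dominates, then the dotted version, then the port revision.
    return (epoch, tuple(components), revision)


def is_affected(name: str, version: str) -> bool:
    """True when the package is listed in the entry and its version is below 2.7.4."""
    if name not in AFFECTED_PACKAGES:
        return False
    return parse_pkg_version(version) < parse_pkg_version(FIXED_IN)


def audit(pkg_list: str):
    """Return [(name, version), ...] for affected packages among 'name-version' lines."""
    findings = []
    for line in pkg_list.splitlines():
        line = line.strip()
        if not line or "-" not in line:
            continue
        # The version never contains '-', so the last dash separates name from version.
        name, version = line.rsplit("-", 1)
        if is_affected(name, version):
            findings.append((name, version))
    return findings


if __name__ == "__main__":
    # Live run on a FreeBSD host (assumed command); falls back to the sample when pkg is absent.
    try:
        output = subprocess.run(
            ["pkg", "query", "%n-%v"], capture_output=True, text=True, check=True
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        output = SAMPLE_PKG_LIST
    for name, version in audit(output):
        print(f"{name}-{version}: affected, upgrade to >= {FIXED_IN}")
```

Port revisions (`_1`) and epochs (`,1`) are parsed so that, for instance, `2.7.4_1` correctly counts as fixed while `2.7.3_1` does not; packages outside the advisory's list are ignored rather than guessed at.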

Details

VuXML ID cdc685b5-1724-49a1-ad57-2eaab68e9cc0
Discovery 2021-03-17
Entry 2023-08-31

Red Hat reports:

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

Ben Caller reports:

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions.

Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS.

By crafting malicious input, an attacker can cause a denial of service.

References

CVE Name CVE-2021-20270
CVE Name CVE-2021-27291
URL https://osv.dev/vulnerability/GHSA-9w8r-397f-prfh
URL https://osv.dev/vulnerability/GHSA-pq64-v7f5-gqh8
URL https://osv.dev/vulnerability/PYSEC-2021-140
URL https://osv.dev/vulnerability/PYSEC-2021-141