diff -Nru pygments-2.3.1+dfsg/debian/changelog pygments-2.3.1+dfsg/debian/changelog
--- pygments-2.3.1+dfsg/debian/changelog 2021-03-15 13:35:08.000000000 +0000
+++ pygments-2.3.1+dfsg/debian/changelog 2021-03-29 14:58:36.000000000 +0000
@@ -1,3 +1,15 @@
+pygments (2.3.1+dfsg-1ubuntu2.2) focal-security; urgency=medium
+
+ * SECURITY UPDATE: more denial of service issues in regular expressions
+ - debian/patches/CVE-2021-27291.patch: fix several exponential/cubic
+ complexity regexes in pygments/lexers/archetype.py,
+ pygments/lexers/factor.py, pygments/lexers/jvm.py,
+ pygments/lexers/matlab.py, pygments/lexers/objective.py,
+ pygments/lexers/templates.py, pygments/lexers/varnish.py.
+ - CVE-2021-27291
+
+ -- Marc Deslauriers Mon, 29 Mar 2021 10:58:36 -0400
+
 pygments (2.3.1+dfsg-1ubuntu2.1) focal-security; urgency=medium
 
 * SECURITY UPDATE: Infinite loop in SMLLexer leads to denial of service
diff -Nru pygments-2.3.1+dfsg/debian/patches/CVE-2021-27291.patch pygments-2.3.1+dfsg/debian/patches/CVE-2021-27291.patch
--- pygments-2.3.1+dfsg/debian/patches/CVE-2021-27291.patch 1970-01-01 00:00:00.000000000 +0000
+++ pygments-2.3.1+dfsg/debian/patches/CVE-2021-27291.patch 2021-03-29 14:58:27.000000000 +0000
@@ -0,0 +1,142 @@
+From 2e7e8c4a7b318f4032493773732754e418279a14 Mon Sep 17 00:00:00 2001
+From: Georg Brandl
+Date: Mon, 11 Jan 2021 09:46:34 +0100
+Subject: [PATCH] Fix several exponential/cubic complexity regexes found by Ben
+ Caller/Doyensec
+
+---
+ CHANGES | 5 ++++-
+ pygments/lexers/archetype.py | 2 +-
+ pygments/lexers/factor.py | 4 ++--
+ pygments/lexers/jvm.py | 1 -
+ pygments/lexers/matlab.py | 6 +++---
+ pygments/lexers/objective.py | 4 ++--
+ pygments/lexers/templates.py | 2 +-
+ pygments/lexers/varnish.py | 2 +-
+ 8 files changed, 14 insertions(+), 12 deletions(-)
+
+#diff --git a/CHANGES b/CHANGES
+#index a6d84e17f..084d49307 100644
+#--- a/CHANGES
+#+++ b/CHANGES
+#@@ -38,8 +38,11 @@ Version 2.7.4
+# - Limit recursion with nesting Ruby heredocs (#1638)
+# - Fix a few inefficient regexes for guessing lexers
+# - Fix the raw token lexer handling of Unicode (#1616)
+#-- Revert a private API change in the HTML formatter (#1655) -- please note that private APIs remain subject to change!
+#+- Revert a private API change in the HTML formatter (#1655) --
+#+ please note that private APIs remain subject to change!
+# - Add Dracula theme style (#1636)
+#+- Fix several exponential/cubic-complexity regexes found by
+#+ Ben Caller/Doyensec (#1675)
+#
+# Thanks to Google's OSS-Fuzz project for finding many of these bugs.
+#
+--- a/pygments/lexers/archetype.py
++++ b/pygments/lexers/archetype.py
+@@ -58,7 +58,7 @@ class AtomsLexer(RegexLexer):
+ (r'P((\d*(\.\d+)?[YyMmWwDd]){1,3}(T(\d*(\.\d+)?[HhMmSs]){,3})?|'
+ r'T(\d*(\.\d+)?[HhMmSs]){,3})', Literal.Date),
+ (r'[+-]?(\d+\.\d*|\.\d+|\d+)[eE][+-]?\d+', Number.Float),
+- (r'[+-]?(\d+)*\.\d+%?', Number.Float),
++ (r'[+-]?\d*\.\d+%?', Number.Float),
+ (r'0x[0-9a-fA-F]+', Number.Hex),
+ (r'[+-]?\d+%?', Number.Integer),
+ ],
+--- a/pygments/lexers/factor.py
++++ b/pygments/lexers/factor.py
+@@ -265,7 +265,7 @@ class FactorLexer(RegexLexer):
+ (r'(?:)\s', Keyword.Namespace),
+
+ # strings
+- (r'"""\s+(?:.|\n)*?\s+"""', String),
++ (r'"""\s(?:.|\n)*?\s"""', String),
+ (r'"(?:\\\\|\\"|[^"])*"', String),
+ (r'\S+"\s+(?:\\\\|\\"|[^"])*"', String),
+ (r'CHAR:\s+(?:\\[\\abfnrstv]|[^\\]\S*)\s', String.Char),
+@@ -322,7 +322,7 @@ class FactorLexer(RegexLexer):
+ 'slots': [
+ (r'\s+', Text),
+ (r';\s', Keyword, '#pop'),
+- (r'(\{\s+)(\S+)(\s+[^}]+\s+\}\s)',
++ (r'(\{\s+)(\S+)(\s[^}]+\s\}\s)',
+ bygroups(Text, Name.Variable, Text)),
+ (r'\S+', Name.Variable),
+ ],
+--- a/pygments/lexers/jvm.py
++++ b/pygments/lexers/jvm.py
+@@ -963,7 +963,6 @@ class CeylonLexer(RegexLexer):
+ (r'(import)(\s+)', bygroups(Keyword.Namespace, Text), 'import'),
+ (r'"(\\\\|\\"|[^"])*"', String),
+ (r"'\\.'|'[^\\]'|'\\\{#[0-9a-fA-F]{4}\}'", String.Char),
+- (r'".*``.*``.*"', String.Interpol),
+ (r'(\.)([a-z_]\w*)',
+ bygroups(Operator, Name.Attribute)),
+ (r'[a-zA-Z_]\w*:', Name.Label),
+--- a/pygments/lexers/matlab.py
++++ b/pygments/lexers/matlab.py
+@@ -124,7 +124,7 @@ class MatlabLexer(RegexLexer):
+ (r'.', Comment.Multiline),
+ ],
+ 'deffunc': [
+- (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
++ (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+ bygroups(Whitespace, Text, Whitespace, Punctuation,
+ Whitespace, Name.Function, Punctuation, Text,
+ Punctuation, Whitespace), '#pop'),
+@@ -585,7 +585,7 @@ class OctaveLexer(RegexLexer):
+ (r"[^']*'", String, '#pop'),
+ ],
+ 'deffunc': [
+- (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
++ (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+ bygroups(Whitespace, Text, Whitespace, Punctuation,
+ Whitespace, Name.Function, Punctuation, Text,
+ Punctuation, Whitespace), '#pop'),
+@@ -653,7 +653,7 @@ class ScilabLexer(RegexLexer):
+ (r'.', String, '#pop'),
+ ],
+ 'deffunc': [
+- (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
++ (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+ bygroups(Whitespace, Text, Whitespace, Punctuation,
+ Whitespace, Name.Function, Punctuation, Text,
+ Punctuation, Whitespace), '#pop'),
+--- a/pygments/lexers/objective.py
++++ b/pygments/lexers/objective.py
+@@ -261,11 +261,11 @@ class LogosLexer(ObjectiveCppLexer):
+ 'logos_classname'),
+ (r'(%hook|%group)(\s+)([a-zA-Z$_][\w$]+)',
+ bygroups(Keyword, Text, Name.Class)),
+- (r'(%config)(\s*\(\s*)(\w+)(\s*=\s*)(.*?)(\s*\)\s*)',
++ (r'(%config)(\s*\(\s*)(\w+)(\s*=)(.*?)(\)\s*)',
+ bygroups(Keyword, Text, Name.Variable, Text, String, Text)),
+ (r'(%ctor)(\s*)(\{)', bygroups(Keyword, Text, Punctuation),
+ 'function'),
+- (r'(%new)(\s*)(\()(\s*.*?\s*)(\))',
++ (r'(%new)(\s*)(\()(.*?)(\))',
+ bygroups(Keyword, Text, Keyword, String, Keyword)),
+ (r'(\s*)(%end)(\s*)', bygroups(Text, Keyword, Text)),
+ inherit,
+--- a/pygments/lexers/templates.py
++++ b/pygments/lexers/templates.py
+@@ -1428,7 +1428,7 @@ class EvoqueLexer(RegexLexer):
+ # see doc for handling first name arg: /directives/evoque/
+ # + minor inconsistency: the "name" in e.g. $overlay{name=site_base}
+ # should be using(PythonLexer), not passed out as String
+- (r'(\$)(evoque|overlay)(\{(%)?)(\s*[#\w\-"\'.]+[^=,%}]+?)?'
++ (r'(\$)(evoque|overlay)(\{(%)?)(\s*[#\w\-"\'.]+)?'
+ r'(.*?)((?(4)%)\})',
+ bygroups(Punctuation, Name.Builtin, Punctuation, None,
+ String, using(PythonLexer), Punctuation)),
+--- a/pygments/lexers/varnish.py
++++ b/pygments/lexers/varnish.py
+@@ -61,7 +61,7 @@ class VCLLexer(RegexLexer):
+ bygroups(Name.Attribute, Operator, Name.Variable.Global, Punctuation)),
+ (r'(\.probe)(\s*=\s*)(\{)',
+ bygroups(Name.Attribute, Operator, Punctuation), 'probe'),
+- (r'(\.\w+\b)(\s*=\s*)([^;]*)(\s*;)',
++ (r'(\.\w+\b)(\s*=\s*)([^;\s]*)(\s*;)',
+ bygroups(Name.Attribute, Operator, using(this), Punctuation)),
+ (r'\{', Punctuation, '#push'),
+ (r'\}', Punctuation, '#pop'),
diff -Nru pygments-2.3.1+dfsg/debian/patches/series pygments-2.3.1+dfsg/debian/patches/series
--- pygments-2.3.1+dfsg/debian/patches/series 2021-03-15 13:35:03.000000000 +0000
+++ pygments-2.3.1+dfsg/debian/patches/series 2021-03-29 14:58:27.000000000 +0000
@@ -2,3 +2,4 @@
 0002-add-g-parameter-to-pygmentize-man-page.patch
 0003-docs-moved-to-python-pygments-doc-binary-package.patch
 CVE-2021-20270.patch
+CVE-2021-27291.patch
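Review bot: The three `deffunc` rules in pygments/lexers/matlab.py (MatlabLexer, OctaveLexer, ScilabLexer) still end in `(.+)(\()(.*)(\))`, two unbounded `.` wildcards around a literal parenthesis, so the patch narrows only the optional output group to `(\S+)` and matching time on a long line that fails to match is probably still super-linear. One option is negated classes, e.g. `([^(\n]+)(\()([^)\n]*)(\))`, which would need checking against the lexers' example files because it changes which parenthesis is picked on nested input. A similar shape appears to remain in the EvoqueLexer rule in templates.py, where `(\s*[#\w\-"\'.]+)?` is followed directly by `(.*?)`. Nothing in the patch adds a regression test, so a time-bounded lexing test for each touched lexer would help keep these patterns from regressing in later backports.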