python3-pygments: fix for CVE-2022-40896

A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer. The CVE issue is fixed by these 3 different commits in different version: 1. Improve the Smithy metadata matcher (These changes are already available as part of current python3-pygments_2.14.0 version): dd52102c38 (2.14.0) 2. SQL+Jinja: use a simpler regex in analyse_text: 97eb3d5ec7 (2.15.0) 3. Improve Java properties lexer (#2404): fdf182a7af (2.15.1) References: https://nvd.nist.gov/vuln/detail/CVE-2022-40896 https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/ (From OE-Core rev: 5a02307af5e593be864423a9f3ab309703d61dbf) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-05-27 00:52:38 +02:00 · 2023-08-29 14:57:53 +00:00
parent cccf6723f3
commit 7b65658ede
3 changed files with 354 additions and 0 deletions
--- a/meta/recipes-devtools/python/python3-pygments_2.14.0.bb
+++ b/meta/recipes-devtools/python/python3-pygments_2.14.0.bb
@@ -7,6 +7,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=36a13c90514e2899f1eba7f41c3ee592"
 inherit setuptools3
 SRC_URI[sha256sum] = "b3ed06a9e8ac9a9aae5a6f5dbe78a8a58655d17b43b93c078f094ddc476ae297"

+SRC_URI += "file://CVE-2022-40896-0001.patch \
+            file://CVE-2022-40896-0002.patch \
+           "
+
 DEPENDS += "\
            ${PYTHON_PN} \
            "