mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-02-04 07:48:43 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
mickledore
poky/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0001.patch
Narpat Mali 7b65658ede python3-pygments: fix for CVE-2022-40896 
A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments
through 2.15.0 via SmithyLexer.

The CVE issue is fixed by these 3 different commits in different version:
1. Improve the Smithy metadata matcher (These changes are already available as part
   of current python3-pygments_2.14.0 version):
dd52102c38 (2.14.0)
2. SQL+Jinja: use a simpler regex in analyse_text:
97eb3d5ec7 (2.15.0)
3. Improve Java properties lexer (#2404):
fdf182a7af (2.15.1)

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-40896
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/

(From OE-Core rev: 5a02307af5e593be864423a9f3ab309703d61dbf)

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-09-04 04:13:24 -10:00

50 lines
1.6 KiB
Diff
Raw Permalink Blame History

From 9a73f2a80e5cf869d473ddcbfceaab229fb99b5e Mon Sep 17 00:00:00 2001
From: Narpat Mali <narpat.mali@windriver.com>
Date: Mon, 28 Aug 2023 15:04:14 +0000
Subject: [PATCH] SQL+Jinja: use a simpler regex in analyse_text
Fixes catastrophic backtracking
Fixes #2355
CVE: CVE-2022-40896
Upstream-Status: Backport [https://github.com/pygments/pygments/commit/97eb3d5ec7c1b3ea4fcf9dee30a2309cf92bd194]
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
---
CHANGES | 1 +
pygments/lexers/templates.py | 6 +-----
2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/CHANGES b/CHANGES
index 2aa54fa..4c84fa6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -61,6 +61,7 @@ Version 2.14.0
* Spice: Add ``enum`` keyword and fix a bug regarding binary,
hexadecimal and octal number tokens (#2227)
* YAML: Accept colons in key names (#2277)
+ * SQL+Jinja (``analyse_text`` method): fix catastrophic backtracking [Backported]
- Fix `make mapfiles` when Pygments is not installed in editable mode
(#2223)
diff --git a/pygments/lexers/templates.py b/pygments/lexers/templates.py
index 1fcf708..1066294 100644
--- a/pygments/lexers/templates.py
+++ b/pygments/lexers/templates.py
@@ -2291,10 +2291,6 @@ class SqlJinjaLexer(DelegatingLexer):
if re.search(r'\{\{\s*source\(.*\)\s*\}\}', text):
rv += 0.25
# Jinja macro
- if re.search(
- r'\{%-?\s*macro \w+\(.*\)\s*-?%\}\s+.*\s+\{%-?\s*endmacro\s*-?%\}',
- text,
- re.S,
- ):
+ if re.search(r'\{%-?\s*macro \w+\(.*\)\s*-?%\}', text):
rv += 0.15
return rv
--
2.40.0
Reference in New Issue View Git Blame Copy Permalink