Sun Jan 17 14:22:11 2016 UTC ()
Fix for code-injection vulnerability (CVE-2015-8557) from upstream.
From Rin Okuyama in PR 50661.
(wiz)
diff -r1.20 -r1.21 pkgsrc/textproc/py-pygments/Makefile
diff -r1.12 -r1.13 pkgsrc/textproc/py-pygments/distinfo
diff -r0 -r1.1 pkgsrc/textproc/py-pygments/patches/patch-img.py
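--- a/pkgsrc/textproc/py-pygments/Makefile
+++ b/pkgsrc/textproc/py-pygments/Makefile
@@ -1,28 +1,26 @@
-# $NetBSD: Makefile,v 1.20 2015/05/22 08:18:01 adam Exp $
+# $NetBSD: Makefile,v 1.21 2016/01/17 14:22:11 wiz Exp $
 
 DISTNAME= Pygments-2.0.2
+PKGREVISION= 1
 PKGNAME= ${PYPKGPREFIX}-${DISTNAME:tl}
 CATEGORIES= textproc python
 MASTER_SITES= http://pypi.python.org/packages/source/P/Pygments/
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://pygments.org/
 COMMENT= Python syntax highlighter
 LICENSE= 2-clause-bsd
 
+# test dependencies
+BUILD_DEPENDS+= ${PYPKGPREFIX}-nose-[0-9]*:../../devel/py-nose
+BUILD_DEPENDS+= ${PYPKGPREFIX}-sphinx-[0-9]*:../../textproc/py-sphinx
+
 USE_LANGUAGES= # none
 PLIST_SUBST+= PYVERSSUFFIX=${PYVERSSUFFIX}
 FILES_SUBST+= PYVERSSUFFIX=${PYVERSSUFFIX}
 
-.include "../../mk/bsd.prefs.mk"
-
-.if !empty(PKGSRC_RUN_TEST:M[yY][eE][sS])
-BUILD_DEPENDS+= ${PYPKGPREFIX}-nose-[0-9]*:../../devel/py-nose
-TEST_TARGET= test
-.endif
-
 post-install:
 	${MV} ${DESTDIR}${PREFIX}/bin/pygmentize ${DESTDIR}${PREFIX}/bin/pygmentize${PYVERSSUFFIX}
 
 .include "../../lang/python/egg.mk"
 .include "../../mk/bsd.pkg.mk"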
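Review bot: `TEST_TARGET= test` disappears together with the `.if !empty(PKGSRC_RUN_TEST...)` block, while nose and sphinx become unconditional `BUILD_DEPENDS+=` entries labelled `# test dependencies`; unless egg.mk supplies a default test target, `make test` no longer runs the suite those dependencies were added for, and every build now pulls them in regardless of PKGSRC_RUN_TEST. If the intent is to keep the tests runnable, restore `TEST_TARGET= test` next to the new dependencies; if the intent is only a build-time doc/test toolchain, the comment should say so. This is inferred from the two sides of the hunk, so worth confirming against egg.mk.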
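--- a/pkgsrc/textproc/py-pygments/distinfo
+++ b/pkgsrc/textproc/py-pygments/distinfo
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.12 2015/11/04 02:00:04 agc Exp $
+$NetBSD: distinfo,v 1.13 2016/01/17 14:22:11 wiz Exp $
 
 SHA1 (Pygments-2.0.2.tar.gz) = fe2c8178a039b6820a7a86b2132a2626df99c7f8
 RMD160 (Pygments-2.0.2.tar.gz) = 196e926dc40ffc34a68783882cbe3f0f0aa8f6d8
 SHA512 (Pygments-2.0.2.tar.gz) = b58e2cc535ba3f1fda7cb147e12af128bc2755de56cf465f8f1d642730eaef50c06551cc4cc44f25f726b00f3f1c9c2078977233b11c0b6a7e1add6a4069c27e
 Size (Pygments-2.0.2.tar.gz) = 3462280 bytes
+SHA1 (patch-img.py) = 420a59570c628a3056e585b932b30ac1dbde23a1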
$NetBSD: patch-img.py,v 1.1 2016/01/17 14:22:11 wiz Exp $
Fix for code-injection vulnerability (CVE-2015-8557) from upstream.
The following patch includes changes made by commits 6b4baae, 0036ab1,
3982887, and 91624f2. Avoid the shell entirely when finding fonts, and
misc bug fixes.
See more details:
https://bitbucket.org/birkenfeld/pygments-main/history-node/e0bf451e64fd/pygments/formatters/img.py
--- pygments/formatters/img.py.orig 2016-01-17 02:49:19.000000000 +0900
+++ pygments/formatters/img.py 2016-01-17 02:49:23.000000000 +0900
@@ -5,7 +5,7 @@
Formatter for Pixmap output.
- :copyright: Copyright 2006-2014 by the Pygments team, see AUTHORS.
+ :copyright: Copyright 2006-2015 by the Pygments team, see AUTHORS.
:license: BSD, see LICENSE for details.
"""
@@ -15,6 +15,8 @@
from pygments.util import get_bool_opt, get_int_opt, get_list_opt, \
get_choice_opt, xrange
+import subprocess
+
# Import this carefully
try:
from PIL import Image, ImageDraw, ImageFont
@@ -75,16 +77,13 @@
self._create_nix()
def _get_nix_font_path(self, name, style):
- try:
- from commands import getstatusoutput
- except ImportError:
- from subprocess import getstatusoutput
- exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
- (name, style))
- if not exit:
- lines = out.splitlines()
+ proc = subprocess.Popen(['fc-list', "%s:style=%s" % (name, style), 'file'],
+ stdout=subprocess.PIPE, stderr=None)
+ stdout, _ = proc.communicate()
+ if proc.returncode == 0:
+ lines = stdout.splitlines()
if lines:
- path = lines[0].strip().strip(':')
+ path = lines[0].decode().strip().strip(':')
return path
def _create_nix(self):
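Review bot: The argv form at the `subprocess.Popen(['fc-list', ...])` line removes the shell from the `name`/`style` interpolation, but it also changes the failure mode when `fc-list` is not installed: `getstatusoutput` ran through a shell and reported a non-zero status, so the old code fell through to the implicit `None` return, whereas `Popen` now raises `OSError` out of `_get_nix_font_path`. Keeping the caller's not-found path intact is a small wrap, `try: proc = subprocess.Popen(...)` / `except OSError: return None`. `lines[0].decode()` decodes a filesystem path with the default codec and can raise `UnicodeDecodeError` on a non-ASCII font path; decoding with an explicit codec and `errors='replace'` avoids turning a font lookup into a crash. `stderr=None` inherits the parent's stderr rather than capturing it, which is presumably intended but deserves a one-line comment since the previous code swallowed that output.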
@@ -197,7 +196,7 @@
bold and italic fonts will be generated. This really should be a
monospace font to look sane.
- Default: "Bitstream Vera Sans Mono"
+ Default: "Bitstream Vera Sans Mono" on Windows, Courier New on \*nix
`font_size`
The font size in points to be used.