summaryrefslogtreecommitdiff
path: root/textproc/py-pygments
diff options
context:
space:
mode:
authorwiz <wiz@pkgsrc.org>2016-01-17 14:22:11 +0000
committerwiz <wiz@pkgsrc.org>2016-01-17 14:22:11 +0000
commit7331d07f192272f933d5748a74c548966353e616 (patch)
treed506a0a73582318b8978bb933850469667720555 /textproc/py-pygments
parentd40ce449f1418c4ecbb1dd92be2dee6f75979f35 (diff)
downloadpkgsrc-7331d07f192272f933d5748a74c548966353e616.tar.gz
Fix for code-injection vulnerability (CVE-2015-8557) from upstream.
From Rin Okuyama in PR 50661.
Diffstat (limited to 'textproc/py-pygments')
-rw-r--r--textproc/py-pygments/Makefile14
-rw-r--r--textproc/py-pygments/distinfo3
-rw-r--r--textproc/py-pygments/patches/patch-img.py63
3 files changed, 71 insertions, 9 deletions
diff --git a/textproc/py-pygments/Makefile b/textproc/py-pygments/Makefile
index 057943fe968..962ad58f8d5 100644
--- a/textproc/py-pygments/Makefile
+++ b/textproc/py-pygments/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.20 2015/05/22 08:18:01 adam Exp $
+# $NetBSD: Makefile,v 1.21 2016/01/17 14:22:11 wiz Exp $
DISTNAME= Pygments-2.0.2
+PKGREVISION= 1
PKGNAME= ${PYPKGPREFIX}-${DISTNAME:tl}
CATEGORIES= textproc python
MASTER_SITES= http://pypi.python.org/packages/source/P/Pygments/
@@ -10,17 +11,14 @@ HOMEPAGE= http://pygments.org/
COMMENT= Python syntax highlighter
LICENSE= 2-clause-bsd
+# test dependencies
+BUILD_DEPENDS+= ${PYPKGPREFIX}-nose-[0-9]*:../../devel/py-nose
+BUILD_DEPENDS+= ${PYPKGPREFIX}-sphinx-[0-9]*:../../textproc/py-sphinx
+
USE_LANGUAGES= # none
PLIST_SUBST+= PYVERSSUFFIX=${PYVERSSUFFIX}
FILES_SUBST+= PYVERSSUFFIX=${PYVERSSUFFIX}
-.include "../../mk/bsd.prefs.mk"
-
-.if !empty(PKGSRC_RUN_TEST:M[yY][eE][sS])
-BUILD_DEPENDS+= ${PYPKGPREFIX}-nose-[0-9]*:../../devel/py-nose
-TEST_TARGET= test
-.endif
-
post-install:
${MV} ${DESTDIR}${PREFIX}/bin/pygmentize ${DESTDIR}${PREFIX}/bin/pygmentize${PYVERSSUFFIX}
diff --git a/textproc/py-pygments/distinfo b/textproc/py-pygments/distinfo
index a3ea8d00018..2f5956dc080 100644
--- a/textproc/py-pygments/distinfo
+++ b/textproc/py-pygments/distinfo
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.12 2015/11/04 02:00:04 agc Exp $
+$NetBSD: distinfo,v 1.13 2016/01/17 14:22:11 wiz Exp $
SHA1 (Pygments-2.0.2.tar.gz) = fe2c8178a039b6820a7a86b2132a2626df99c7f8
RMD160 (Pygments-2.0.2.tar.gz) = 196e926dc40ffc34a68783882cbe3f0f0aa8f6d8
SHA512 (Pygments-2.0.2.tar.gz) = b58e2cc535ba3f1fda7cb147e12af128bc2755de56cf465f8f1d642730eaef50c06551cc4cc44f25f726b00f3f1c9c2078977233b11c0b6a7e1add6a4069c27e
Size (Pygments-2.0.2.tar.gz) = 3462280 bytes
+SHA1 (patch-img.py) = 420a59570c628a3056e585b932b30ac1dbde23a1
diff --git a/textproc/py-pygments/patches/patch-img.py b/textproc/py-pygments/patches/patch-img.py
new file mode 100644
index 00000000000..f951174f76f
--- /dev/null
+++ b/textproc/py-pygments/patches/patch-img.py
@@ -0,0 +1,63 @@
+$NetBSD: patch-img.py,v 1.1 2016/01/17 14:22:11 wiz Exp $
+
+Fix for code-injection vulnerability (CVE-2015-8557) from upstream.
+
+The following patch includes changes made by commits 6b4baae, 0036ab1,
+3982887, and 91624f2. Avoid the shell entirely when finding fonts, and
+misc bug fixes.
+
+See more details:
+https://bitbucket.org/birkenfeld/pygments-main/history-node/e0bf451e64fd/pygments/formatters/img.py
+
+--- pygments/formatters/img.py.orig 2016-01-17 02:49:19.000000000 +0900
++++ pygments/formatters/img.py 2016-01-17 02:49:23.000000000 +0900
+@@ -5,7 +5,7 @@
+
+ Formatter for Pixmap output.
+
+- :copyright: Copyright 2006-2014 by the Pygments team, see AUTHORS.
++ :copyright: Copyright 2006-2015 by the Pygments team, see AUTHORS.
+ :license: BSD, see LICENSE for details.
+ """
+
+@@ -15,6 +15,8 @@
+ from pygments.util import get_bool_opt, get_int_opt, get_list_opt, \
+ get_choice_opt, xrange
+
++import subprocess
++
+ # Import this carefully
+ try:
+ from PIL import Image, ImageDraw, ImageFont
+@@ -75,16 +77,13 @@
+ self._create_nix()
+
+ def _get_nix_font_path(self, name, style):
+- try:
+- from commands import getstatusoutput
+- except ImportError:
+- from subprocess import getstatusoutput
+- exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
+- (name, style))
+- if not exit:
+- lines = out.splitlines()
++ proc = subprocess.Popen(['fc-list', "%s:style=%s" % (name, style), 'file'],
++ stdout=subprocess.PIPE, stderr=None)
++ stdout, _ = proc.communicate()
++ if proc.returncode == 0:
++ lines = stdout.splitlines()
+ if lines:
+- path = lines[0].strip().strip(':')
++ path = lines[0].decode().strip().strip(':')
+ return path
+
+ def _create_nix(self):
+@@ -197,7 +196,7 @@
+ bold and italic fonts will be generated. This really should be a
+ monospace font to look sane.
+
+- Default: "Bitstream Vera Sans Mono"
++ Default: "Bitstream Vera Sans Mono" on Windows, Courier New on \*nix
+
+ `font_size`
+ The font size in points to be used.