diff options
| author | wiz <wiz@pkgsrc.org> | 2016-01-17 14:22:11 +0000 |
|---|---|---|
| committer | wiz <wiz@pkgsrc.org> | 2016-01-17 14:22:11 +0000 |
| commit | 7331d07f192272f933d5748a74c548966353e616 (patch) | |
| tree | d506a0a73582318b8978bb933850469667720555 /textproc | |
| parent | d40ce449f1418c4ecbb1dd92be2dee6f75979f35 (diff) | |
| download | pkgsrc-7331d07f192272f933d5748a74c548966353e616.tar.gz | |
Fix for code-injection vulnerability (CVE-2015-8557) from upstream.
From Rin Okuyama in PR 50661.
Diffstat (limited to 'textproc')
| -rw-r--r-- | textproc/py-pygments/Makefile | 14 | ||||
| -rw-r--r-- | textproc/py-pygments/distinfo | 3 | ||||
| -rw-r--r-- | textproc/py-pygments/patches/patch-img.py | 63 |
3 files changed, 71 insertions, 9 deletions
diff --git a/textproc/py-pygments/Makefile b/textproc/py-pygments/Makefile index 057943fe968..962ad58f8d5 100644 --- a/textproc/py-pygments/Makefile +++ b/textproc/py-pygments/Makefile @@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.20 2015/05/22 08:18:01 adam Exp $ +# $NetBSD: Makefile,v 1.21 2016/01/17 14:22:11 wiz Exp $ DISTNAME= Pygments-2.0.2 +PKGREVISION= 1 PKGNAME= ${PYPKGPREFIX}-${DISTNAME:tl} CATEGORIES= textproc python MASTER_SITES= http://pypi.python.org/packages/source/P/Pygments/ @@ -10,17 +11,14 @@ HOMEPAGE= http://pygments.org/ COMMENT= Python syntax highlighter LICENSE= 2-clause-bsd +# test dependencies +BUILD_DEPENDS+= ${PYPKGPREFIX}-nose-[0-9]*:../../devel/py-nose +BUILD_DEPENDS+= ${PYPKGPREFIX}-sphinx-[0-9]*:../../textproc/py-sphinx + USE_LANGUAGES= # none PLIST_SUBST+= PYVERSSUFFIX=${PYVERSSUFFIX} FILES_SUBST+= PYVERSSUFFIX=${PYVERSSUFFIX} -.include "../../mk/bsd.prefs.mk" - -.if !empty(PKGSRC_RUN_TEST:M[yY][eE][sS]) -BUILD_DEPENDS+= ${PYPKGPREFIX}-nose-[0-9]*:../../devel/py-nose -TEST_TARGET= test -.endif - post-install: ${MV} ${DESTDIR}${PREFIX}/bin/pygmentize ${DESTDIR}${PREFIX}/bin/pygmentize${PYVERSSUFFIX} diff --git a/textproc/py-pygments/distinfo b/textproc/py-pygments/distinfo index a3ea8d00018..2f5956dc080 100644 --- a/textproc/py-pygments/distinfo +++ b/textproc/py-pygments/distinfo @@ -1,6 +1,7 @@ -$NetBSD: distinfo,v 1.12 2015/11/04 02:00:04 agc Exp $ +$NetBSD: distinfo,v 1.13 2016/01/17 14:22:11 wiz Exp $ SHA1 (Pygments-2.0.2.tar.gz) = fe2c8178a039b6820a7a86b2132a2626df99c7f8 RMD160 (Pygments-2.0.2.tar.gz) = 196e926dc40ffc34a68783882cbe3f0f0aa8f6d8 SHA512 (Pygments-2.0.2.tar.gz) = b58e2cc535ba3f1fda7cb147e12af128bc2755de56cf465f8f1d642730eaef50c06551cc4cc44f25f726b00f3f1c9c2078977233b11c0b6a7e1add6a4069c27e Size (Pygments-2.0.2.tar.gz) = 3462280 bytes +SHA1 (patch-img.py) = 420a59570c628a3056e585b932b30ac1dbde23a1 diff --git a/textproc/py-pygments/patches/patch-img.py b/textproc/py-pygments/patches/patch-img.py new file mode 100644 index 00000000000..f951174f76f --- /dev/null +++ b/textproc/py-pygments/patches/patch-img.py @@ -0,0 +1,63 @@ +$NetBSD: patch-img.py,v 1.1 2016/01/17 14:22:11 wiz Exp $ + +Fix for code-injection vulnerability (CVE-2015-8557) from upstream. + +The following patch includes changes made by commits 6b4baae, 0036ab1, +3982887, and 91624f2. Avoid the shell entirely when finding fonts, and +misc bug fixes. + +See more details: +https://bitbucket.org/birkenfeld/pygments-main/history-node/e0bf451e64fd/pygments/formatters/img.py + +--- pygments/formatters/img.py.orig 2016-01-17 02:49:19.000000000 +0900 ++++ pygments/formatters/img.py 2016-01-17 02:49:23.000000000 +0900 +@@ -5,7 +5,7 @@ + + Formatter for Pixmap output. + +- :copyright: Copyright 2006-2014 by the Pygments team, see AUTHORS. ++ :copyright: Copyright 2006-2015 by the Pygments team, see AUTHORS. + :license: BSD, see LICENSE for details. + """ + +@@ -15,6 +15,8 @@ + from pygments.util import get_bool_opt, get_int_opt, get_list_opt, \ + get_choice_opt, xrange + ++import subprocess ++ + # Import this carefully + try: + from PIL import Image, ImageDraw, ImageFont +@@ -75,16 +77,13 @@ + self._create_nix() + + def _get_nix_font_path(self, name, style): +- try: +- from commands import getstatusoutput +- except ImportError: +- from subprocess import getstatusoutput +- exit, out = getstatusoutput('fc-list "%s:style=%s" file' % +- (name, style)) +- if not exit: +- lines = out.splitlines() ++ proc = subprocess.Popen(['fc-list', "%s:style=%s" % (name, style), 'file'], ++ stdout=subprocess.PIPE, stderr=None) ++ stdout, _ = proc.communicate() ++ if proc.returncode == 0: ++ lines = stdout.splitlines() + if lines: +- path = lines[0].strip().strip(':') ++ path = lines[0].decode().strip().strip(':') + return path + + def _create_nix(self): +@@ -197,7 +196,7 @@ + bold and italic fonts will be generated. This really should be a + monospace font to look sane. + +- Default: "Bitstream Vera Sans Mono" ++ Default: "Bitstream Vera Sans Mono" on Windows, Courier New on \*nix + + `font_size` + The font size in points to be used. |