From aca575d0ae7ac2c219515231e643e8f1bb2a544a Mon Sep 17 00:00:00 2001 From: bsiegert Date: Tue, 19 Jan 2016 19:05:21 +0000 Subject: Pullup ticket #4900 - requested by wiz textproc/py-pygments: security fix Revisions pulled up: - textproc/py-pygments/Makefile 1.21-1.22 - textproc/py-pygments/distinfo 1.13 - textproc/py-pygments/patches/patch-img.py 1.1 --- Module Name: pkgsrc Committed By: wiz Date: Sun Jan 17 14:22:11 UTC 2016 Modified Files: pkgsrc/textproc/py-pygments: Makefile distinfo Added Files: pkgsrc/textproc/py-pygments/patches: patch-img.py Log Message: Fix for code-injection vulnerability (CVE-2015-8557) from upstream. From Rin Okuyama in PR 50661. --- Module Name: pkgsrc Committed By: wiz Date: Sun Jan 17 16:03:13 UTC 2016 Modified Files: pkgsrc/textproc/py-pygments: Makefile Log Message: Comment out py-sphinx build dependency since it introduces a cycle. --- textproc/py-pygments/Makefile | 15 ++++---- textproc/py-pygments/distinfo | 3 +- textproc/py-pygments/patches/patch-img.py | 63 +++++++++++++++++++++++++++++++ 3 files changed, 72 insertions(+), 9 deletions(-) create mode 100644 textproc/py-pygments/patches/patch-img.py diff --git a/textproc/py-pygments/Makefile b/textproc/py-pygments/Makefile index 057943fe968..c67f6f58fc7 100644 --- a/textproc/py-pygments/Makefile +++ b/textproc/py-pygments/Makefile @@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.20 2015/05/22 08:18:01 adam Exp $ +# $NetBSD: Makefile,v 1.20.6.1 2016/01/19 19:05:21 bsiegert Exp $ DISTNAME= Pygments-2.0.2 +PKGREVISION= 1 PKGNAME= ${PYPKGPREFIX}-${DISTNAME:tl} CATEGORIES= textproc python MASTER_SITES= http://pypi.python.org/packages/source/P/Pygments/ @@ -10,17 +11,15 @@ HOMEPAGE= http://pygments.org/ COMMENT= Python syntax highlighter LICENSE= 2-clause-bsd +# test dependencies +BUILD_DEPENDS+= ${PYPKGPREFIX}-nose-[0-9]*:../../devel/py-nose +# can't depend on sphinx since sphinx depends on pygments +#BUILD_DEPENDS+= ${PYPKGPREFIX}-sphinx-[0-9]*:../../textproc/py-sphinx + USE_LANGUAGES= # none PLIST_SUBST+= PYVERSSUFFIX=${PYVERSSUFFIX} FILES_SUBST+= PYVERSSUFFIX=${PYVERSSUFFIX} -.include "../../mk/bsd.prefs.mk" - -.if !empty(PKGSRC_RUN_TEST:M[yY][eE][sS]) -BUILD_DEPENDS+= ${PYPKGPREFIX}-nose-[0-9]*:../../devel/py-nose -TEST_TARGET= test -.endif - post-install: ${MV} ${DESTDIR}${PREFIX}/bin/pygmentize ${DESTDIR}${PREFIX}/bin/pygmentize${PYVERSSUFFIX} diff --git a/textproc/py-pygments/distinfo b/textproc/py-pygments/distinfo index a3ea8d00018..c5822f29515 100644 --- a/textproc/py-pygments/distinfo +++ b/textproc/py-pygments/distinfo @@ -1,6 +1,7 @@ -$NetBSD: distinfo,v 1.12 2015/11/04 02:00:04 agc Exp $ +$NetBSD: distinfo,v 1.12.2.1 2016/01/19 19:05:21 bsiegert Exp $ SHA1 (Pygments-2.0.2.tar.gz) = fe2c8178a039b6820a7a86b2132a2626df99c7f8 RMD160 (Pygments-2.0.2.tar.gz) = 196e926dc40ffc34a68783882cbe3f0f0aa8f6d8 SHA512 (Pygments-2.0.2.tar.gz) = b58e2cc535ba3f1fda7cb147e12af128bc2755de56cf465f8f1d642730eaef50c06551cc4cc44f25f726b00f3f1c9c2078977233b11c0b6a7e1add6a4069c27e Size (Pygments-2.0.2.tar.gz) = 3462280 bytes +SHA1 (patch-img.py) = 420a59570c628a3056e585b932b30ac1dbde23a1 diff --git a/textproc/py-pygments/patches/patch-img.py b/textproc/py-pygments/patches/patch-img.py new file mode 100644 index 00000000000..aeeedc89dc3 --- /dev/null +++ b/textproc/py-pygments/patches/patch-img.py @@ -0,0 +1,63 @@ +$NetBSD: patch-img.py,v 1.1.2.2 2016/01/19 19:05:21 bsiegert Exp $ + +Fix for code-injection vulnerability (CVE-2015-8557) from upstream. + +The following patch includes changes made by commits 6b4baae, 0036ab1, +3982887, and 91624f2. Avoid the shell entirely when finding fonts, and +misc bug fixes. + +See more details: +https://bitbucket.org/birkenfeld/pygments-main/history-node/e0bf451e64fd/pygments/formatters/img.py + +--- pygments/formatters/img.py.orig 2016-01-17 02:49:19.000000000 +0900 ++++ pygments/formatters/img.py 2016-01-17 02:49:23.000000000 +0900 +@@ -5,7 +5,7 @@ + + Formatter for Pixmap output. + +- :copyright: Copyright 2006-2014 by the Pygments team, see AUTHORS. ++ :copyright: Copyright 2006-2015 by the Pygments team, see AUTHORS. + :license: BSD, see LICENSE for details. + """ + +@@ -15,6 +15,8 @@ + from pygments.util import get_bool_opt, get_int_opt, get_list_opt, \ + get_choice_opt, xrange + ++import subprocess ++ + # Import this carefully + try: + from PIL import Image, ImageDraw, ImageFont +@@ -75,16 +77,13 @@ + self._create_nix() + + def _get_nix_font_path(self, name, style): +- try: +- from commands import getstatusoutput +- except ImportError: +- from subprocess import getstatusoutput +- exit, out = getstatusoutput('fc-list "%s:style=%s" file' % +- (name, style)) +- if not exit: +- lines = out.splitlines() ++ proc = subprocess.Popen(['fc-list', "%s:style=%s" % (name, style), 'file'], ++ stdout=subprocess.PIPE, stderr=None) ++ stdout, _ = proc.communicate() ++ if proc.returncode == 0: ++ lines = stdout.splitlines() + if lines: +- path = lines[0].strip().strip(':') ++ path = lines[0].decode().strip().strip(':') + return path + + def _create_nix(self): +@@ -197,7 +196,7 @@ + bold and italic fonts will be generated. This really should be a + monospace font to look sane. + +- Default: "Bitstream Vera Sans Mono" ++ Default: "Bitstream Vera Sans Mono" on Windows, Courier New on \*nix + + `font_size` + The font size in points to be used. -- cgit v1.2.3