[mickledore,02/20] python3-pygments: fix for CVE-2022-40896

Message ID	5a02307af5e593be864423a9f3ab309703d61dbf.1693417541.git.steve@sakoman.com
State	New
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.170, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][mickledore 02/20] python3-pygments: fix for CVE-2022-40896 Date: Wed, 30 Aug 2023 07:48:06 -1000 Message-Id: <5a02307af5e593be864423a9f3ab309703d61dbf.1693417541.git.steve@sakoman.com> In-Reply-To: <cover.1693417541.git.steve@sakoman.com> References: <cover.1693417541.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[mickledore,01/20] inetutils: fix CVE-2023-40303 \| expand [mickledore,01/20] inetutils: fix CVE-2023-40303 [mickledore,02/20] python3-pygments: fix for CVE-2022-40896 [mickledore,03/20] procps: backport fix for CVE-2023-4016 [mickledore,04/20] tar: upgrade 1.34 -> 1.35 [mickledore,05/20] gstreamer1.0: upgrade 1.22.4 -> 1.22.5 [mickledore,06/20] linux-yocto/6.1: update to v6.1.41 [mickledore,07/20] linux-yocto/6.1: update to v6.1.43 [mickledore,08/20] linux-yocto/6.1: update to v6.1.44 [mickledore,09/20] linux-yocto/6.1: update to v6.1.45 [mickledore,10/20] linux-yocto/6.1: fix uninitialized read in nohz_full/isolcpus setup [mickledore,11/20] linux-yocto/6.1: update to v6.1.46 [mickledore,12/20] linux-yocto/6.1: fix IRQ-80 warnings [mickledore,13/20] graphene: fix runtime detection of IEEE754 behaviour [mickledore,14/20] build-sysroots: Add SUMMARY field [mickledore,15/20] pixman: Remove duplication of license MIT [mickledore,16/20] tcl: prevent installing another copy of tzdata [mickledore,17/20] wic: fix wrong attempt to create file system in upartitioned regions [mickledore,18/20] mdadm: skip running 04update-uuid and 07revert-inplace testcases [mickledore,19/20] build-sysroots: Ensure dependency chains are minimal [mickledore,20/20] vim: update obsolete comment

diff --git a/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0001.patch b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0001.patch new file mode 100644 index 0000000000..d7fc87fec8 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0001.patch @@ -0,0 +1,49 @@ +From 9a73f2a80e5cf869d473ddcbfceaab229fb99b5e Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Mon, 28 Aug 2023 15:04:14 +0000 +Subject: [PATCH] SQL+Jinja: use a simpler regex in analyse_text + +Fixes catastrophic backtracking + +Fixes #2355 + +CVE: CVE-2022-40896 + +Upstream-Status: Backport [https://github.com/pygments/pygments/commit/97eb3d5ec7c1b3ea4fcf9dee30a2309cf92bd194] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + CHANGES | 1 + + pygments/lexers/templates.py | 6 +----- + 2 files changed, 2 insertions(+), 5 deletions(-) + +diff --git a/CHANGES b/CHANGES +index 2aa54fa..4c84fa6 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -61,6 +61,7 @@ Version 2.14.0 + * Spice: Add ``enum`` keyword and fix a bug regarding binary, + hexadecimal and octal number tokens (#2227) + * YAML: Accept colons in key names (#2277) ++ * SQL+Jinja (``analyse_text`` method): fix catastrophic backtracking [Backported] + + - Fix `make mapfiles` when Pygments is not installed in editable mode + (#2223) +diff --git a/pygments/lexers/templates.py b/pygments/lexers/templates.py +index 1fcf708..1066294 100644 +--- a/pygments/lexers/templates.py ++++ b/pygments/lexers/templates.py +@@ -2291,10 +2291,6 @@ class SqlJinjaLexer(DelegatingLexer): + if re.search(r'\{\{\s*source$.*$\s*\}\}', text): + rv += 0.25 + # Jinja macro +- if re.search( +- r'\{%-?\s*macro \w+$.*$\s*-?%\}\s+.*\s+\{%-?\s*endmacro\s*-?%\}', +- text, +- re.S, +- ): ++ if re.search(r'\{%-?\s*macro \w+$.*$\s*-?%\}', text): + rv += 0.15 + return rv +-- +2.40.0 diff --git a/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0002.patch b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0002.patch new file mode 100644 index 0000000000..61ebe5dad5 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896-0002.patch @@ -0,0 +1,301 @@ +From 45ff8eabe0363f829c397372aefc3b23aeb135b3 Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Tue, 29 Aug 2023 10:45:34 +0000 +Subject: [PATCH] Improve Java properties lexer (#2404) + +Use special lexer rules for escapes; fixes catastrophic backtracking, +and highlights them too. + +Fixes #2356 + +CVE: CVE-2022-40896 + +Upstream-Status: Backport [https://github.com/pygments/pygments/commit/fdf182a7af85b1deeeb637ca970d31935e7c9d52] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + pygments/lexers/configs.py | 50 +++++--- + tests/examplefiles/properties/java.properties | 11 ++ + .../properties/java.properties.output | 110 +++++++++++++++--- + .../test_escaped_space_in_value.txt | 4 +- + .../properties/test_just_key_with_space.txt | 4 +- + 5 files changed, 143 insertions(+), 36 deletions(-) + +diff --git a/pygments/lexers/configs.py b/pygments/lexers/configs.py +index e04c722..b28b56a 100644 +--- a/pygments/lexers/configs.py ++++ b/pygments/lexers/configs.py +@@ -129,26 +129,42 @@ class PropertiesLexer(RegexLexer): + + tokens = { + 'root': [ +- (r'\s+', Whitespace), ++ # comments + (r'[!#].*|/{2}.*', Comment.Single), +- # search for first separator +- (r'([^\\\n]|\\.)*?(?=[ \f\t=:])', Name.Attribute, "separator"), +- # empty key +- (r'.+?$', Name.Attribute), ++ # ending a comment or whitespace-only line ++ (r'\n', Whitespace), ++ # eat whitespace at the beginning of a line ++ (r'^[^\S\n]+', Whitespace), ++ # start lexing a key ++ default('key'), + ], +- 'separator': [ +- # search for line continuation escape +- (r'([ \f\t]*)([=:]*)([ \f\t]*)(.*(?<!\\)(?:\\{2})*)(\\)(?!\\)$', +- bygroups(Whitespace, Operator, Whitespace, String, Text), "value", "#pop"), +- (r'([ \f\t]*)([=:]*)([ \f\t]*)(.*)', +- bygroups(Whitespace, Operator, Whitespace, String), "#pop"), ++ 'key': [ ++ # non-escaped key characters ++ (r'[^\\:=\s]+', Name.Attribute), ++ # escapes ++ include('escapes'), ++ # separator is the first non-escaped whitespace or colon or '=' on the line; ++ # if it's whitespace, = and : are gobbled after it ++ (r'([^\S\n]*)([:=])([^\S\n]*)', ++ bygroups(Whitespace, Operator, Whitespace), ++ ('#pop', 'value')), ++ (r'[^\S\n]+', Whitespace, ('#pop', 'value')), ++ # maybe we got no value after all ++ (r'\n', Whitespace, '#pop'), + ], +- 'value': [ # line continuation +- (r'\s+', Whitespace), +- # search for line continuation escape +- (r'(\s*)(.*(?<!\\)(?:\\{2})*)(\\)(?!\\)([ \t]*)', +- bygroups(Whitespace, String, Text, Whitespace)), +- (r'.*$', String, "#pop"), ++ 'value': [ ++ # non-escaped value characters ++ (r'[^\\\n]+', String), ++ # escapes ++ include('escapes'), ++ # end the value on an unescaped newline ++ (r'\n', Whitespace, '#pop'), ++ ], ++ 'escapes': [ ++ # line continuations; these gobble whitespace at the beginning of the next line ++ (r'(\\\n)([^\S\n]*)', bygroups(String.Escape, Whitespace)), ++ # other escapes ++ (r'\\(.|\n)', String.Escape), + ], + } + +diff --git a/tests/examplefiles/properties/java.properties b/tests/examplefiles/properties/java.properties +index d5b594e..7fe915c 100644 +--- a/tests/examplefiles/properties/java.properties ++++ b/tests/examplefiles/properties/java.properties +@@ -14,6 +14,8 @@ key = \ + and value2\\ + key\ 2 = value + key\\ 3 = value3 ++key \ ++ = value + + ! empty keys and edge cases + key1 = +@@ -22,3 +24,12 @@ key3 the value3 + key4 the:value4 + key5 the=value5 + key6=the value6 ++ ++! escapes in keys ++key\ with\ spaces = value ++key\nwith\nnewlines = value\nwith\nnewlines ++ ++ ! indented comment ++ ++! line continuations do \ ++not = work for comments +diff --git a/tests/examplefiles/properties/java.properties.output b/tests/examplefiles/properties/java.properties.output +index 0c1fdee..4822575 100644 +--- a/tests/examplefiles/properties/java.properties.output ++++ b/tests/examplefiles/properties/java.properties.output +@@ -2,13 +2,17 @@ + '\n' Text.Whitespace + + '# mixing spaces' Comment.Single +-'\n\t' Text.Whitespace ++'\n' Text.Whitespace ++ ++'\t' Text.Whitespace + 'Truth' Name.Attribute + ' ' Text.Whitespace + '=' Operator + ' ' Text.Whitespace + 'Beauty' Literal.String +-'\n ' Text.Whitespace ++'\n' Text.Whitespace ++ ++' ' Text.Whitespace + 'Truth' Name.Attribute + ':' Operator + 'Beauty' Literal.String +@@ -23,18 +27,24 @@ + ' ' Text.Whitespace + ':' Operator + 'Beauty' Literal.String +-'\n \n' Text.Whitespace ++'\n' Text.Whitespace ++ ++'\n' Text.Whitespace + + '! line continuations and escapes' Comment.Single +-'\n ' Text.Whitespace ++'\n' Text.Whitespace ++ ++' ' Text.Whitespace + 'fruits' Name.Attribute + ' ' Text.Whitespace + 'apple, banana, pear, ' Literal.String +-'\\' Text +-'\n ' Text.Whitespace ++'\\\n' Literal.String.Escape ++ ++' ' Text.Whitespace + 'cantaloupe, watermelon, ' Literal.String +-'\\' Text +-'\n ' Text.Whitespace ++'\\\n' Literal.String.Escape ++ ++' ' Text.Whitespace + 'kiwi, mango' Literal.String + '\n' Text.Whitespace + +@@ -42,25 +52,42 @@ + ' ' Text.Whitespace + '=' Operator + ' ' Text.Whitespace +-'\\' Text +-'\n ' Text.Whitespace +-'value1 \\\\' Literal.String +-'\\' Text +-'\n ' Text.Whitespace +-'and value2\\\\' Literal.String ++'\\\n' Literal.String.Escape ++ ++' ' Text.Whitespace ++'value1 ' Literal.String ++'\\\\' Literal.String.Escape ++'\\\n' Literal.String.Escape ++ ++' ' Text.Whitespace ++'and value2' Literal.String ++'\\\\' Literal.String.Escape + '\n' Text.Whitespace + +-'key\\ 2' Name.Attribute ++'key' Name.Attribute ++'\\ ' Literal.String.Escape ++'2' Name.Attribute + ' ' Text.Whitespace + '=' Operator + ' ' Text.Whitespace + 'value' Literal.String + '\n' Text.Whitespace + +-'key\\\\' Name.Attribute ++'key' Name.Attribute ++'\\\\' Literal.String.Escape + ' ' Text.Whitespace + '3 = value3' Literal.String +-'\n\n' Text.Whitespace ++'\n' Text.Whitespace ++ ++'key' Name.Attribute ++' ' Text.Whitespace ++'\\\n' Literal.String.Escape ++ ++' ' Text.Whitespace ++'= value' Literal.String ++'\n' Text.Whitespace ++ ++'\n' Text.Whitespace + + '! empty keys and edge cases' Comment.Single + '\n' Text.Whitespace +@@ -92,3 +119,52 @@ + '=' Operator + 'the value6' Literal.String + '\n' Text.Whitespace ++ ++'\n' Text.Whitespace ++ ++'! escapes in keys' Comment.Single ++'\n' Text.Whitespace ++ ++'key' Name.Attribute ++'\\ ' Literal.String.Escape ++'with' Name.Attribute ++'\\ ' Literal.String.Escape ++'spaces' Name.Attribute ++' ' Text.Whitespace ++'=' Operator ++' ' Text.Whitespace ++'value' Literal.String ++'\n' Text.Whitespace ++ ++'key' Name.Attribute ++'\\n' Literal.String.Escape ++'with' Name.Attribute ++'\\n' Literal.String.Escape ++'newlines' Name.Attribute ++' ' Text.Whitespace ++'=' Operator ++' ' Text.Whitespace ++'value' Literal.String ++'\\n' Literal.String.Escape ++'with' Literal.String ++'\\n' Literal.String.Escape ++'newlines' Literal.String ++'\n' Text.Whitespace ++ ++'\n' Text.Whitespace ++ ++' ' Text.Whitespace ++'! indented comment' Comment.Single ++'\n' Text.Whitespace ++ ++'\n' Text.Whitespace ++ ++'! line continuations do \\' Comment.Single ++'\n' Text.Whitespace ++ ++'not' Name.Attribute ++' ' Text.Whitespace ++'=' Operator ++' ' Text.Whitespace ++'work for comments' Literal.String ++'\n' Text.Whitespace +diff --git a/tests/snippets/properties/test_escaped_space_in_value.txt b/tests/snippets/properties/test_escaped_space_in_value.txt +index f76507f..44772d8 100644 +--- a/tests/snippets/properties/test_escaped_space_in_value.txt ++++ b/tests/snippets/properties/test_escaped_space_in_value.txt +@@ -6,5 +6,7 @@ key = doubleword\ value + ' ' Text.Whitespace + '=' Operator + ' ' Text.Whitespace +-'doubleword\\ value' Literal.String ++'doubleword' Literal.String ++'\\ ' Literal.String.Escape ++'value' Literal.String + '\n' Text.Whitespace +diff --git a/tests/snippets/properties/test_just_key_with_space.txt b/tests/snippets/properties/test_just_key_with_space.txt +index 660c37c..833fe40 100644 +--- a/tests/snippets/properties/test_just_key_with_space.txt ++++ b/tests/snippets/properties/test_just_key_with_space.txt +@@ -2,5 +2,7 @@ + just\ key + + ---tokens--- +-'just\\ key' Name.Attribute ++'just' Name.Attribute ++'\\ ' Literal.String.Escape ++'key' Name.Attribute + '\n' Text.Whitespace +-- +2.40.0 diff --git a/meta/recipes-devtools/python/python3-pygments_2.14.0.bb b/meta/recipes-devtools/python/python3-pygments_2.14.0.bb index 16769e9263..b5b8abc113 100644 --- a/meta/recipes-devtools/python/python3-pygments_2.14.0.bb +++ b/meta/recipes-devtools/python/python3-pygments_2.14.0.bb @@ -7,6 +7,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=36a13c90514e2899f1eba7f41c3ee592" inherit setuptools3 SRC_URI[sha256sum] = "b3ed06a9e8ac9a9aae5a6f5dbe78a8a58655d17b43b93c078f094ddc476ae297" +SRC_URI += "file://CVE-2022-40896-0001.patch \ + file://CVE-2022-40896-0002.patch \ + " + DEPENDS += "\ ${PYTHON_PN} \ "

[mickledore,02/20] python3-pygments: fix for CVE-2022-40896

Commit Message

Patch