authorNatanael Copa <ncopa@alpinelinux.org>2016-06-28 11:57:15 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2016-06-28 13:59:13 +0200
commit5ca8888a38bf0f21418ef9ffa1084917e3711b11 (patch)
treebbc6926fbc8dbb70ffb2d4f599499264349ad0d9
parent1cf62091fe21e98a205bb9906bb444b620c4cce0 (diff)
main/py-pygments: security fix for CVE-2015-8557
fixes #5816
-rw-r--r--main/py-pygments/APKBUILD19
-rw-r--r--main/py-pygments/CVE-2015-8557.patch29
2 files changed, 43 insertions, 5 deletions
diff --git a/main/py-pygments/APKBUILD b/main/py-pygments/APKBUILD
index 056f824f302..c116fa6ebcf 100644
--- a/main/py-pygments/APKBUILD
+++ b/main/py-pygments/APKBUILD
@@ -12,13 +12,19 @@ depends="python py-setuptools"
makedepends=""
install=""
subpackages="$pkgname-doc"
-source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz"
+source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz
+ CVE-2015-8557.patch
+ "
_builddir="$srcdir"/$_pkgname-$pkgver
prepare() {
cd "$_builddir"
- # apply patches here
+ for i in $source; do
+ case "$i" in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
}
build() {
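Review bot: The tarball URL on the new `source=` line is still fetched over plain `http://`, so the checksum lists at the bottom of the file are the only protection against tampering in transit; switching the scheme to `https://` would add transport integrity as well. In the new `prepare()` loop `$i` is expanded unquoted, and `msg "$i"; patch -p1 -i "$srcdir/$i" || return 1;;` is the more robust form even though the current entries contain no whitespace. The body of `build()` continues outside the hunk.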
@@ -57,6 +63,9 @@ doc() {
default_doc
}
-md5sums="238587a1370d62405edabd0794b3ec4a Pygments-2.0.2.tar.gz"
-sha256sums="7320919084e6dac8f4540638a46447a3bd730fca172afc17d2c03eed22cf4f51 Pygments-2.0.2.tar.gz"
-sha512sums="b58e2cc535ba3f1fda7cb147e12af128bc2755de56cf465f8f1d642730eaef50c06551cc4cc44f25f726b00f3f1c9c2078977233b11c0b6a7e1add6a4069c27e Pygments-2.0.2.tar.gz"
+md5sums="238587a1370d62405edabd0794b3ec4a Pygments-2.0.2.tar.gz
+3e5190427dd4ac1a52f27c1f7d1b1d90 CVE-2015-8557.patch"
+sha256sums="7320919084e6dac8f4540638a46447a3bd730fca172afc17d2c03eed22cf4f51 Pygments-2.0.2.tar.gz
+c56bc3b911ece2d79bb1b7dd4d952d0139216161a0f7f95ff6143daccd24daf6 CVE-2015-8557.patch"
+sha512sums="b58e2cc535ba3f1fda7cb147e12af128bc2755de56cf465f8f1d642730eaef50c06551cc4cc44f25f726b00f3f1c9c2078977233b11c0b6a7e1add6a4069c27e Pygments-2.0.2.tar.gz
+14d0fe27195cae53dd6b998fd05c32938078bf4de0845ce388b22729e5633e5f810b738ce672de0d023099b54ac7ca44ab4273d46313e2e30138a2fb023e5add CVE-2015-8557.patch"
diff --git a/main/py-pygments/CVE-2015-8557.patch b/main/py-pygments/CVE-2015-8557.patch
new file mode 100644
index 00000000000..0a23adce330
--- /dev/null
+++ b/main/py-pygments/CVE-2015-8557.patch
@@ -0,0 +1,29 @@
+# HG changeset patch
+# User Javantea <jvoss@altsci.com>
+# Date 1443460403 25200
+# Node ID 6b4baae517b6aaff7142e66f1dbadf7b9b871f61
+# Parent 655dbebddc23943b8047b3c139c51c22ef18fd91
+Fix Shell Injection in FontManager._get_nix_font_path
+
+diff --git a/pygments/formatters/img.py b/pygments/formatters/img.py
+--- a/pygments/formatters/img.py
++++ b/pygments/formatters/img.py
+@@ -10,6 +10,7 @@
+ """
+
+ import sys
++import shlex
+
+ from pygments.formatter import Formatter
+ from pygments.util import get_bool_opt, get_int_opt, get_list_opt, \
+@@ -79,8 +80,8 @@
+ from commands import getstatusoutput
+ except ImportError:
+ from subprocess import getstatusoutput
+- exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
+- (name, style))
++ exit, out = getstatusoutput('fc-list %s file' %
++ shlex.quote("%s:style=%s" % (name, style)))
+ if not exit:
+ lines = out.splitlines()
+ if lines:
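Review bot: `shlex.quote` on the added `getstatusoutput` line exists only on Python 3.3 and later, while the `from commands import getstatusoutput` fallback just above shows this module is also meant to run on Python 2, and the APKBUILD in this commit depends on `python`. If that resolves to a Python 2 interpreter, the font lookup would raise AttributeError instead of running fc-list. Passing an argument list to `subprocess.Popen` avoids the shell altogether, so no quoting is needed and the added `import shlex` can be dropped (the module would need `import subprocess` at the top instead). `universal_newlines=True` keeps `out` a text string on both Python 2 and 3, assuming the code after the hunk expects text. The enclosing function starts and ends outside the hunk.

```python
        # … unchanged: enclosing function header; the getstatusoutput import fallback is no longer needed …
        proc = subprocess.Popen(
            ['fc-list', '%s:style=%s' % (name, style), 'file'],
            stdout=subprocess.PIPE, universal_newlines=True)
        out, _ = proc.communicate()
        exit = proc.returncode
        if not exit:
            lines = out.splitlines()
        # … unchanged: handling of lines …
```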