python3-pygments: Fix CVE-2022-40896
CVE-2022-40896:
A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments
through 2.15.0 via SmithyLexer.
The CVE issue is fixed by 3 different commits between the releases 2.14.0
(for Smithy lexer), 2.15.0 (for SQL+Jinja lexers) and 2.15.1 (for Java
properties) as per: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/
1. Smithy lexer commit from 2.14.0 release applies successfully on 2.11.2 version.
Commit: https://github.com/pygments/pygments/commit/
dd52102c38ebe78cd57748e09f38929fd283ad04
Hence, backported the patch as CVE-2022-40896.patch.
2. SQL+Jinja lexers commit from 2.15.0 release doesn't apply on 2.11.2 version.
Commit: https://github.com/pygments/pygments/commit/
97eb3d5ec7c1b3ea4fcf9dee30a2309cf92bd194
Actually, this code doesn't exist in 2.11.2 version and it has been introduce by
python3-pygments 2.13.0 version. Hence, this is not vulnerable for 2.11.2 version.
SQL+Jinja lexers is introduced by: https://github.com/pygments/pygments/commit/
0bdbd5992baca32d18e01f0ec65337e06abf9456
3. Java properties commit from 2.15.1 release also doesn't apply on 2.11.2 version.
Commit: https://github.com/pygments/pygments/commit/
fdf182a7af85b1deeeb637ca970d31935e7c9d52
Actually, this code also doesn't exist in 2.11.2 version as the code has been modified
in python3-pygments 2.14.0 by: https://github.com/pygments/pygments/commit/
a38cb38e93c9635240b3ae89d78d38cf182745da
Hence, this is also not vulnerable for 2.11.2 version.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
projects / thirdparty / openembedded / openembedded-core.git / commit
