Pygments: Arbitrary code execution

2016-12-04T00:00:00
ID GLSA-201612-05
Type gentoo
Reporter Gentoo Foundation
Modified 2016-12-04T00:00:00

Description

Background

Pygments is a generic syntax highlighter suitable for use in code hosting, forums, wikis or other applications that need to prettify source code.

Description

A vulnerability in FontManager’s _get_nix_font_path function allows shell metacharacters to be passed in a font name.
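The class of defect this describes is a font name reaching a command line that a shell re-parses. The example below is added here for illustration and is not Pygments' code; the function names, the allowlist regex, and the constructed fc-list output are this example's own assumptions. It places the weak pattern (name interpolated into a shell=True string) beside the hardened pattern (argv list, no shell) and adds an allowlist check so a name containing shell metacharacters is rejected before any process is launched.

```python
"""Font lookup hardening example (illustrative, not Pygments' code)."""
import re
import subprocess
from typing import Callable, List, Optional

# Constructed, conservative allowlist for font family/style names: letters,
# digits, space, hyphen, underscore, period. Quotes, semicolons, pipes, dollar
# signs, backticks and similar are all refused.
_FONT_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _.-]{0,127}$")


def is_safe_font_name(name: str) -> bool:
    """True if `name` contains only allowlisted characters."""
    return bool(_FONT_NAME_RE.match(name))


def build_fc_list_shell_string(name: str, style: str) -> str:
    """Weak pattern, shown only for contrast: a string meant for shell=True.
    The shell re-parses the whole line, so a quote or metacharacter inside
    `name` changes the structure of the command rather than staying data."""
    return 'fc-list "%s:style=%s" file' % (name, style)


def build_fc_list_argv(name: str, style: str) -> List[str]:
    """Hardened pattern: an argv list with no shell involved. Whatever `name`
    contains, it is delivered to fc-list as exactly one argument."""
    return ["fc-list", "%s:style=%s" % (name, style), "file"]


def run_argv(argv: List[str]) -> str:
    """Launch argv directly (shell=False is the default) and return stdout."""
    proc = subprocess.run(argv, stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, check=False)
    return proc.stdout.decode("utf-8", "replace")


def find_font_path(name: str, style: str = "Regular",
                   runner: Callable[[List[str]], str] = run_argv) -> Optional[str]:
    """Validate inputs, then query fc-list without a shell.

    Returns the first font file path reported, or None if nothing matched.
    `runner` is injectable so the function can be exercised offline.
    """
    if not (is_safe_font_name(name) and is_safe_font_name(style)):
        raise ValueError("disallowed characters in font name/style: %r / %r"
                         % (name, style))
    output = runner(build_fc_list_argv(name, style))
    for line in output.splitlines():
        # `fc-list <pattern> file` prints lines like "/path/to/font.ttf: "
        path = line.strip().rstrip(":")
        if path:
            return path
    return None


# Constructed stand-in for fc-list so the example runs on a machine without
# fontconfig. It answers only the one pattern the demo asks for.
_FAKE_PATH = "/usr/share/fonts/dejavu/DejaVuSans-Bold.ttf"


def fake_fc_list_runner(argv: List[str]) -> str:
    if argv[0] == "fc-list" and argv[1] == "DejaVu Sans:style=Bold":
        return _FAKE_PATH + ": \n"
    return ""


if __name__ == "__main__":
    print(find_font_path("DejaVu Sans", "Bold", runner=fake_fc_list_runner))
    for bad in ('Sans "Book"', "Sans | Mono"):
        print(bad, "->", "allowed" if is_safe_font_name(bad) else "rejected")
```

The decisive change is the argv list: with no shell in the path there is nothing to re-interpret the font name, and the allowlist is a second, independent layer that also keeps malformed names away from fontconfig itself.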

Impact

A remote attacker could possibly execute arbitrary code with the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All Pygments users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-python/pygments-2.0.2-r1"