import python-pygments-2.2.0-22.module+el8.5.0+10788+a4cea9e0

SOURCES/CVE-2021-27291.patch

@@ -0,0 +1,140 @@
+From 179281dfed46f26d3fcc76d0600ee6728a7e493c Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 22 Apr 2021 13:39:00 +0200
+Subject: [PATCH] CVE-2021-27291
+
+---
+ pygments/lexers/archetype.py | 2 +-
+ pygments/lexers/factor.py    | 4 ++--
+ pygments/lexers/jvm.py       | 1 -
+ pygments/lexers/matlab.py    | 6 +++---
+ pygments/lexers/objective.py | 4 ++--
+ pygments/lexers/templates.py | 2 +-
+ pygments/lexers/varnish.py   | 2 +-
+ 7 files changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/pygments/lexers/archetype.py b/pygments/lexers/archetype.py
+index 5d4eb9a..82f3b12 100644
+--- a/pygments/lexers/archetype.py
++++ b/pygments/lexers/archetype.py
+@@ -58,7 +58,7 @@ class AtomsLexer(RegexLexer):
+             (r'P((\d*(\.\d+)?[YyMmWwDd]){1,3}(T(\d*(\.\d+)?[HhMmSs]){,3})?|'
+              r'T(\d*(\.\d+)?[HhMmSs]){,3})', Literal.Date),
+             (r'[+-]?(\d+\.\d*|\.\d+|\d+)[eE][+-]?\d+', Number.Float),
+-            (r'[+-]?(\d+)*\.\d+%?', Number.Float),
++            (r'[+-]?\d*\.\d+%?', Number.Float),
+             (r'0x[0-9a-fA-F]+', Number.Hex),
+             (r'[+-]?\d+%?', Number.Integer),
+         ],
+diff --git a/pygments/lexers/factor.py b/pygments/lexers/factor.py
+index 09d85c2..7eb3993 100644
+--- a/pygments/lexers/factor.py
++++ b/pygments/lexers/factor.py
+@@ -265,7 +265,7 @@ class FactorLexer(RegexLexer):
+             (r'(?:<PRIVATE|PRIVATE>)\s', Keyword.Namespace),
+ 
+             # strings
+-            (r'"""\s+(?:.|\n)*?\s+"""', String),
++            (r'"""\s(?:.|\n)*?\s"""', String),
+             (r'"(?:\\\\|\\"|[^"])*"', String),
+             (r'\S+"\s+(?:\\\\|\\"|[^"])*"', String),
+             (r'CHAR:\s+(?:\\[\\abfnrstv]|[^\\]\S*)\s', String.Char),
+@@ -322,7 +322,7 @@ class FactorLexer(RegexLexer):
+         'slots': [
+             (r'\s+', Text),
+             (r';\s', Keyword, '#pop'),
+-            (r'(\{\s+)(\S+)(\s+[^}]+\s+\}\s)',
++            (r'(\{\s+)(\S+)(\s[^}]+\s\}\s)',
+              bygroups(Text, Name.Variable, Text)),
+             (r'\S+', Name.Variable),
+         ],
+diff --git a/pygments/lexers/jvm.py b/pygments/lexers/jvm.py
+index f439283..668eed7 100644
+--- a/pygments/lexers/jvm.py
++++ b/pygments/lexers/jvm.py
+@@ -963,7 +963,6 @@ class CeylonLexer(RegexLexer):
+             (r'(import)(\s+)', bygroups(Keyword.Namespace, Text), 'import'),
+             (r'"(\\\\|\\"|[^"])*"', String),
+             (r"'\\.'|'[^\\]'|'\\\{#[0-9a-fA-F]{4}\}'", String.Char),
+-            (r'".*``.*``.*"', String.Interpol),
+             (r'(\.)([a-z_]\w*)',
+              bygroups(Operator, Name.Attribute)),
+             (r'[a-zA-Z_]\w*:', Name.Label),
+diff --git a/pygments/lexers/matlab.py b/pygments/lexers/matlab.py
+index 56a0f6d..abfb9f0 100644
+--- a/pygments/lexers/matlab.py
++++ b/pygments/lexers/matlab.py
+@@ -124,7 +124,7 @@ class MatlabLexer(RegexLexer):
+             (r'.', Comment.Multiline),
+         ],
+         'deffunc': [
+-            (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
++            (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+              bygroups(Whitespace, Text, Whitespace, Punctuation,
+                       Whitespace, Name.Function, Punctuation, Text,
+                       Punctuation, Whitespace), '#pop'),
+@@ -585,7 +585,7 @@ class OctaveLexer(RegexLexer):
+             (r"[^']*'", String, '#pop'),
+         ],
+         'deffunc': [
+-            (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
++            (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+              bygroups(Whitespace, Text, Whitespace, Punctuation,
+                       Whitespace, Name.Function, Punctuation, Text,
+                       Punctuation, Whitespace), '#pop'),
+@@ -653,7 +653,7 @@ class ScilabLexer(RegexLexer):
+             (r'.', String, '#pop'),
+         ],
+         'deffunc': [
+-            (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
++            (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+              bygroups(Whitespace, Text, Whitespace, Punctuation,
+                       Whitespace, Name.Function, Punctuation, Text,
+                       Punctuation, Whitespace), '#pop'),
+diff --git a/pygments/lexers/objective.py b/pygments/lexers/objective.py
+index 7807255..e4b9f1e 100644
+--- a/pygments/lexers/objective.py
++++ b/pygments/lexers/objective.py
+@@ -261,11 +261,11 @@ class LogosLexer(ObjectiveCppLexer):
+              'logos_classname'),
+             (r'(%hook|%group)(\s+)([a-zA-Z$_][\w$]+)',
+              bygroups(Keyword, Text, Name.Class)),
+-            (r'(%config)(\s*\(\s*)(\w+)(\s*=\s*)(.*?)(\s*\)\s*)',
++            (r'(%config)(\s*\(\s*)(\w+)(\s*=)(.*?)(\)\s*)',
+              bygroups(Keyword, Text, Name.Variable, Text, String, Text)),
+             (r'(%ctor)(\s*)(\{)', bygroups(Keyword, Text, Punctuation),
+              'function'),
+-            (r'(%new)(\s*)(\()(\s*.*?\s*)(\))',
++            (r'(%new)(\s*)(\()(.*?)(\))',
+              bygroups(Keyword, Text, Keyword, String, Keyword)),
+             (r'(\s*)(%end)(\s*)', bygroups(Text, Keyword, Text)),
+             inherit,
+diff --git a/pygments/lexers/templates.py b/pygments/lexers/templates.py
+index 83c57db..066dad7 100644
+--- a/pygments/lexers/templates.py
++++ b/pygments/lexers/templates.py
+@@ -1428,7 +1428,7 @@ class EvoqueLexer(RegexLexer):
+             # see doc for handling first name arg: /directives/evoque/
+             # + minor inconsistency: the "name" in e.g. $overlay{name=site_base}
+             # should be using(PythonLexer), not passed out as String
+-            (r'(\$)(evoque|overlay)(\{(%)?)(\s*[#\w\-"\'.]+[^=,%}]+?)?'
++            (r'(\$)(evoque|overlay)(\{(%)?)(\s*[#\w\-"\'.]+)?'
+              r'(.*?)((?(4)%)\})',
+              bygroups(Punctuation, Name.Builtin, Punctuation, None,
+                       String, using(PythonLexer), Punctuation)),
+diff --git a/pygments/lexers/varnish.py b/pygments/lexers/varnish.py
+index 4452142..f4c9a88 100644
+--- a/pygments/lexers/varnish.py
++++ b/pygments/lexers/varnish.py
+@@ -61,7 +61,7 @@ class VCLLexer(RegexLexer):
+              bygroups(Name.Attribute, Operator, Name.Variable.Global, Punctuation)),
+             (r'(\.probe)(\s*=\s*)(\{)',
+              bygroups(Name.Attribute, Operator, Punctuation), 'probe'),
+-            (r'(\.\w+\b)(\s*=\s*)([^;]*)(\s*;)',
++            (r'(\.\w+\b)(\s*=\s*)([^;\s]*)(\s*;)',
+              bygroups(Name.Attribute, Operator, using(this), Punctuation)),
+             (r'\{', Punctuation, '#push'),
+             (r'\}', Punctuation, '#pop'),
+-- 
+2.30.2
+

SPECS/python-pygments.spec

@@ -20,7 +20,7 @@
 
 Name:           python-pygments
 Version:        2.2.0
-Release:        21%{?dist}
+Release:        22%{?dist}
 Summary:        %{sum}
 
 License:        BSD
@@ -33,6 +33,11 @@ BuildArch:      noarch
 # Resolved upstream: https://github.com/pygments/pygments/commit/f91804ff4772e3ab41f46e28d370f57898700333
 Patch1:         CVE-2021-20270-infinite-loop-in-SML-lexer.patch
 
+# CVE-2021-27291: ReDos via crafted malicious input
+# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-27291
+# Upstream fix: https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
+Patch2:         CVE-2021-27291.patch
+
 %if %{with python3}
 BuildRequires:  python3-sphinx
 %endif
@@ -110,6 +115,7 @@ need to prettify source code. Highlights are:
 %setup -q -n %{upstream_name}-%{version}
 %patch0 -p 1
 %patch1 -p1
+%patch2 -p1
 
 %build
 %{__sed} -i 's/\r//' LICENSE
@@ -174,6 +180,10 @@ ln -s pygmentize-%{python3_version} %{buildroot}%{_bindir}/pygmentize-3
 %endif
 
 %changelog
+* Thu Apr 22 2021 Lumír Balhar <lbalhar@redhat.com> - 2.2.0-22
+- Fix CVE-2021-27291: ReDos via crafted malicious input
+Resolves: rhbz#1943459 rhbz#1943460
+
 * Wed Mar 03 2021 Charalampos Stratakis <cstratak@redhat.com> - 2.2.0-21
 - Fix CVE-2021-20270: infinite loop in SML lexer which may lead to DoS
 Resolves: rhbz#1933876