3 changed files with 291 additions and 45 deletions
--- a/SOURCES/CVE-2021-20270-infinite-loop-in-SML-lexer.patch
+++ b/SOURCES/CVE-2021-20270-infinite-loop-in-SML-lexer.patch
@ -0,0 +1,33 @@
+diff --git a/pygments/lexers/ml.py b/pygments/lexers/ml.py
+index f80d5bf..4fd2c58 100644
+--- a/pygments/lexers/ml.py
+++ b/pygments/lexers/ml.py
+@@ -142,7 +142,7 @@ class SMLLexer(RegexLexer):
+             (r'#\s+(%s)' % symbolicid_re, Name.Label),
+             # Some reserved words trigger a special, local lexer state change
+             (r'\b(datatype|abstype)\b(?!\')', Keyword.Reserved, 'dname'),
+-            (r'(?=\b(exception)\b(?!\'))', Text, ('ename')),
+            (r'\b(exception)\b(?!\')', Keyword.Reserved, 'ename'),
+             (r'\b(functor|include|open|signature|structure)\b(?!\')',
+              Keyword.Reserved, 'sname'),
+             (r'\b(type|eqtype)\b(?!\')', Keyword.Reserved, 'tname'),
+@@ -315,15 +315,14 @@ class SMLLexer(RegexLexer):
+         'ename': [
+             include('whitespace'),
+ 
+-            (r'(exception|and)\b(\s+)(%s)' % alphanumid_re,
+            (r'(and\b)(\s+)(%s)' % alphanumid_re,
+              bygroups(Keyword.Reserved, Text, Name.Class)),
+-            (r'(exception|and)\b(\s*)(%s)' % symbolicid_re,
+            (r'(and\b)(\s*)(%s)' % symbolicid_re,
+              bygroups(Keyword.Reserved, Text, Name.Class)),
+             (r'\b(of)\b(?!\')', Keyword.Reserved),
+            (r'(%s)|(%s)' % (alphanumid_re, symbolicid_re), Name.Class),
+ 
+-            include('breakout'),
+-            include('core'),
+-            (r'\S+', Error),
+            default('#pop'),
+         ],
+ 
+         'datcon': [
--- a/SOURCES/CVE-2021-27291.patch
+++ b/SOURCES/CVE-2021-27291.patch
@ -0,0 +1,140 @@
+From 179281dfed46f26d3fcc76d0600ee6728a7e493c Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Thu, 22 Apr 2021 13:39:00 +0200
+Subject: [PATCH] CVE-2021-27291
+
+---
+ pygments/lexers/archetype.py | 2 +-
+ pygments/lexers/factor.py    | 4 ++--
+ pygments/lexers/jvm.py       | 1 -
+ pygments/lexers/matlab.py    | 6 +++---
+ pygments/lexers/objective.py | 4 ++--
+ pygments/lexers/templates.py | 2 +-
+ pygments/lexers/varnish.py   | 2 +-
+ 7 files changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/pygments/lexers/archetype.py b/pygments/lexers/archetype.py
+index 5d4eb9a..82f3b12 100644
+--- a/pygments/lexers/archetype.py
+++ b/pygments/lexers/archetype.py
+@@ -58,7 +58,7 @@ class AtomsLexer(RegexLexer):
+             (r'P((\d*(\.\d+)?[YyMmWwDd]){1,3}(T(\d*(\.\d+)?[HhMmSs]){,3})?|'
+              r'T(\d*(\.\d+)?[HhMmSs]){,3})', Literal.Date),
+             (r'[+-]?(\d+\.\d*|\.\d+|\d+)[eE][+-]?\d+', Number.Float),
+-            (r'[+-]?(\d+)*\.\d+%?', Number.Float),
+            (r'[+-]?\d*\.\d+%?', Number.Float),
+             (r'0x[0-9a-fA-F]+', Number.Hex),
+             (r'[+-]?\d+%?', Number.Integer),
+         ],
+diff --git a/pygments/lexers/factor.py b/pygments/lexers/factor.py
+index 09d85c2..7eb3993 100644
+--- a/pygments/lexers/factor.py
+++ b/pygments/lexers/factor.py
+@@ -265,7 +265,7 @@ class FactorLexer(RegexLexer):
+             (r'(?:<PRIVATE|PRIVATE>)\s', Keyword.Namespace),
+ 
+             # strings
+-            (r'"""\s+(?:.|\n)*?\s+"""', String),
+            (r'"""\s(?:.|\n)*?\s"""', String),
+             (r'"(?:\\\\|\\"|[^"])*"', String),
+             (r'\S+"\s+(?:\\\\|\\"|[^"])*"', String),
+             (r'CHAR:\s+(?:\\[\\abfnrstv]|[^\\]\S*)\s', String.Char),
+@@ -322,7 +322,7 @@ class FactorLexer(RegexLexer):
+         'slots': [
+             (r'\s+', Text),
+             (r';\s', Keyword, '#pop'),
+-            (r'(\{\s+)(\S+)(\s+[^}]+\s+\}\s)',
+            (r'(\{\s+)(\S+)(\s[^}]+\s\}\s)',
+              bygroups(Text, Name.Variable, Text)),
+             (r'\S+', Name.Variable),
+         ],
+diff --git a/pygments/lexers/jvm.py b/pygments/lexers/jvm.py
+index f439283..668eed7 100644
+--- a/pygments/lexers/jvm.py
+++ b/pygments/lexers/jvm.py
+@@ -963,7 +963,6 @@ class CeylonLexer(RegexLexer):
+             (r'(import)(\s+)', bygroups(Keyword.Namespace, Text), 'import'),
+             (r'"(\\\\|\\"|[^"])*"', String),
+             (r"'\\.'|'[^\\]'|'\\\{#[0-9a-fA-F]{4}\}'", String.Char),
+-            (r'".*``.*``.*"', String.Interpol),
+             (r'(\.)([a-z_]\w*)',
+              bygroups(Operator, Name.Attribute)),
+             (r'[a-zA-Z_]\w*:', Name.Label),
+diff --git a/pygments/lexers/matlab.py b/pygments/lexers/matlab.py
+index 56a0f6d..abfb9f0 100644
+--- a/pygments/lexers/matlab.py
+++ b/pygments/lexers/matlab.py
+@@ -124,7 +124,7 @@ class MatlabLexer(RegexLexer):
+             (r'.', Comment.Multiline),
+         ],
+         'deffunc': [
+-            (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+            (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+              bygroups(Whitespace, Text, Whitespace, Punctuation,
+                       Whitespace, Name.Function, Punctuation, Text,
+                       Punctuation, Whitespace), '#pop'),
+@@ -585,7 +585,7 @@ class OctaveLexer(RegexLexer):
+             (r"[^']*'", String, '#pop'),
+         ],
+         'deffunc': [
+-            (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+            (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+              bygroups(Whitespace, Text, Whitespace, Punctuation,
+                       Whitespace, Name.Function, Punctuation, Text,
+                       Punctuation, Whitespace), '#pop'),
+@@ -653,7 +653,7 @@ class ScilabLexer(RegexLexer):
+             (r'.', String, '#pop'),
+         ],
+         'deffunc': [
+-            (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+            (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+              bygroups(Whitespace, Text, Whitespace, Punctuation,
+                       Whitespace, Name.Function, Punctuation, Text,
+                       Punctuation, Whitespace), '#pop'),
+diff --git a/pygments/lexers/objective.py b/pygments/lexers/objective.py
+index 7807255..e4b9f1e 100644
+--- a/pygments/lexers/objective.py
+++ b/pygments/lexers/objective.py
+@@ -261,11 +261,11 @@ class LogosLexer(ObjectiveCppLexer):
+              'logos_classname'),
+             (r'(%hook|%group)(\s+)([a-zA-Z$_][\w$]+)',
+              bygroups(Keyword, Text, Name.Class)),
+-            (r'(%config)(\s*\(\s*)(\w+)(\s*=\s*)(.*?)(\s*\)\s*)',
+            (r'(%config)(\s*\(\s*)(\w+)(\s*=)(.*?)(\)\s*)',
+              bygroups(Keyword, Text, Name.Variable, Text, String, Text)),
+             (r'(%ctor)(\s*)(\{)', bygroups(Keyword, Text, Punctuation),
+              'function'),
+-            (r'(%new)(\s*)(\()(\s*.*?\s*)(\))',
+            (r'(%new)(\s*)(\()(.*?)(\))',
+              bygroups(Keyword, Text, Keyword, String, Keyword)),
+             (r'(\s*)(%end)(\s*)', bygroups(Text, Keyword, Text)),
+             inherit,
+diff --git a/pygments/lexers/templates.py b/pygments/lexers/templates.py
+index 83c57db..066dad7 100644
+--- a/pygments/lexers/templates.py
+++ b/pygments/lexers/templates.py
+@@ -1428,7 +1428,7 @@ class EvoqueLexer(RegexLexer):
+             # see doc for handling first name arg: /directives/evoque/
+             # + minor inconsistency: the "name" in e.g. $overlay{name=site_base}
+             # should be using(PythonLexer), not passed out as String
+-            (r'(\$)(evoque|overlay)(\{(%)?)(\s*[#\w\-"\'.]+[^=,%}]+?)?'
+            (r'(\$)(evoque|overlay)(\{(%)?)(\s*[#\w\-"\'.]+)?'
+              r'(.*?)((?(4)%)\})',
+              bygroups(Punctuation, Name.Builtin, Punctuation, None,
+                       String, using(PythonLexer), Punctuation)),
+diff --git a/pygments/lexers/varnish.py b/pygments/lexers/varnish.py
+index 4452142..f4c9a88 100644
+--- a/pygments/lexers/varnish.py
+++ b/pygments/lexers/varnish.py
+@@ -61,7 +61,7 @@ class VCLLexer(RegexLexer):
+              bygroups(Name.Attribute, Operator, Name.Variable.Global, Punctuation)),
+             (r'(\.probe)(\s*=\s*)(\{)',
+              bygroups(Name.Attribute, Operator, Punctuation), 'probe'),
+-            (r'(\.\w+\b)(\s*=\s*)([^;]*)(\s*;)',
+            (r'(\.\w+\b)(\s*=\s*)([^;\s]*)(\s*;)',
+              bygroups(Name.Attribute, Operator, using(this), Punctuation)),
+             (r'\{', Punctuation, '#push'),
+             (r'\}', Punctuation, '#pop'),
+-- 
+2.30.2
+
--- a/SPECS/python-pygments.spec
+++ b/SPECS/python-pygments.spec
@ -1,20 +1,26 @@
+%global debug_package %{nil}
+# python2X and python3X are built form the same module, so we need a conditional
+# for python[23] bits the state of the conditional is not important in the spec,
+# it is set in modulemd
+%bcond_without python2
+%bcond_without python3
+%bcond_with python36_module
+
+%if %{without python3}
+%bcond_with doc
+%else
+%bcond_without doc
+%endif
+
+%bcond_without tests
+
 %global upstream_name Pygments
 %global srcname pygments
 %global sum Syntax highlighting engine written in Python
-%if 0%{?fedora} || 0%{?rhel} > 7
-%global with_python3 1
-%endif
-
-%if 0%{?rhel} > 7
-# Disable python2 build by default
-%bcond_with python2
-%else
-%bcond_without python2
-%endif

 Name:           python-pygments
 Version:        2.2.0
-Release:        12%{?dist}
+Release:        22%{?dist}
 Summary:        %{sum}

 License:        BSD
@ -23,6 +29,19 @@ Source0:        https://pypi.org/packages/source/P/%{upstream_name}/%{upstream_n
 Patch0:         import-directive.patch
 BuildArch:      noarch

+# Fix CVE-2021-20270: infinite loop in SML lexer which may lead to DoS
+# Resolved upstream: https://github.com/pygments/pygments/commit/f91804ff4772e3ab41f46e28d370f57898700333
+Patch1:         CVE-2021-20270-infinite-loop-in-SML-lexer.patch
+
+# CVE-2021-27291: ReDos via crafted malicious input
+# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-27291
+# Upstream fix: https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
+Patch2:         CVE-2021-27291.patch
+
+%if %{with python3}
+BuildRequires:  python3-sphinx
+%endif
+
 %description
 Pygments is a generic syntax highlighter for general use in all kinds
 of software such as forum systems, wikis or other applications that
@ -38,10 +57,12 @@ need to prettify source code. Highlights are:
  * it is usable as a command-line tool and as a library
  * ... and it highlights even Brainf*ck!

+
 %if %{with python2}
 %package -n python2-%{srcname}
-BuildRequires:  python%{?fedora:2}-devel >= 2.4, python%{?fedora:2}-setuptools
-BuildRequires:  python%{?fedora:2}-nose, python%{?fedora:2}-sphinx
+BuildRequires:  python2-devel >= 2.4
+BuildRequires:  python2-setuptools
+BuildRequires:  python2-nose
 Summary:        %{sum}
 %{?python_provide:%python_provide python2-%{srcname}}

@ -59,11 +80,18 @@ need to prettify source code. Highlights are:
    LaTeX and ANSI sequences
  * it is usable as a command-line tool and as a library
  * ... and it highlights even Brainf*ck!
-%endif # with python2
+%endif

-%if 0%{?with_python3}
+
+%if %{with python3}
 %package -n python3-%{srcname}
-BuildRequires:  python3-devel, python3-setuptools, python3-nose, python3-sphinx
+%if %{with python36_module}
+BuildRequires:  python36-devel
+BuildRequires:  python36-rpm-macros
+%else
+BuildRequires:  python3-devel
+%endif
+BuildRequires:  python3-setuptools, python3-nose
 Summary:        %{sum}
 %{?python_provide:%python_provide python3-%{srcname}}

@ -86,67 +114,112 @@ need to prettify source code. Highlights are:
 %prep
 %setup -q -n %{upstream_name}-%{version}
 %patch0 -p 1
+%patch1 -p1
+%patch2 -p1

 %build
 %{__sed} -i 's/\r//' LICENSE
-%if %{with python2}
-%py2_build
-%endif # with python2
-
-%if 0%{?with_python3}
-%py3_build
-%endif
+%{?with_python2:%py2_build}
+%{?with_python3:%py3_build}
+%{?with_doc:%{__python3} setup.py build_sphinx}

 %install
 # Python 2 install
 # NOTE: sphinx is built on Python 3 and packages with python2 and python3
 %if %{with python2}
 %py2_install
-%endif # with python2
+mv %{buildroot}%{_bindir}/pygmentize{,-%{python2_version}}
+ln -s pygmentize-%{python2_version} %{buildroot}%{_bindir}/pygmentize-2
+%endif

-%{__python3} setup.py build_sphinx
+%if %{with doc}
 pushd doc
 install -d %{buildroot}%{_mandir}/man1
 mv pygmentize.1 $RPM_BUILD_ROOT%{_mandir}/man1/pygmentize.1
 popd
 cp -r doc/docs doc/reST
+%endif

-%if 0%{?with_python3}
-# Python 3 install
+%if %{with python3}
 %py3_install
+cp %{buildroot}%{_bindir}/pygmentize{,-%{python3_version}}
+ln -s pygmentize-%{python3_version} %{buildroot}%{_bindir}/pygmentize-3
 %endif

 %check
-%if %{with python2}
-PYTHON=%{__python2} make test
-%endif # with python2
-PYTHON=%{__python3} make test
+%if %{with tests}
+%{?with_python2:make test PYTHON=%{__python2}}
+%{?with_python3:make test PYTHON=%{__python3}}
+%endif

 %if %{with python2}
 %files -n python2-pygments
-%doc AUTHORS CHANGES build/sphinx/html doc/reST TODO
-%license LICENSE
-# For noarch packages: sitelib
-%{python2_sitelib}/*
-# Fix build on EL7
-%if !0%{?fedora} && 0%{?rhel} <= 7
-%{_bindir}/pygmentize
+%doc AUTHORS CHANGES TODO
+%if %{with doc}
+%doc build/sphinx/html doc/reST
 %lang(en) %{_mandir}/man1/pygmentize.1*
 %endif
-%endif # with python2
+%license LICENSE
+%{python2_sitelib}/*
+%{_bindir}/pygmentize-2
+%{_bindir}/pygmentize-%{python2_version}
+%endif

-%if 0%{?with_python3}
+%if %{with python3}
 %files -n python3-pygments
-%doc AUTHORS CHANGES build/sphinx/html doc/reST TODO
+%doc AUTHORS CHANGES TODO
+%if %{with doc}
+%doc build/sphinx/html doc/reST
+%lang(en) %{_mandir}/man1/pygmentize.1*
+%endif
 %license LICENSE
 %{python3_sitelib}/*
 %{_bindir}/pygmentize
-%lang(en) %{_mandir}/man1/pygmentize.1*
+%{_bindir}/pygmentize-3
+%{_bindir}/pygmentize-%{python3_version}
 %endif

 %changelog
-* Thu Jun 14 2018 Charalampos Stratakis <cstratak@redhat.com> - 2.2.0-12
- Conditionalize the python2 subpackage
+* Thu Apr 22 2021 Lumír Balhar <lbalhar@redhat.com> - 2.2.0-22
+- Fix CVE-2021-27291: ReDos via crafted malicious input
+Resolves: rhbz#1943459 rhbz#1943460
+
+* Wed Mar 03 2021 Charalampos Stratakis <cstratak@redhat.com> - 2.2.0-21
+- Fix CVE-2021-20270: infinite loop in SML lexer which may lead to DoS
+Resolves: rhbz#1933876
+
+* Thu Apr 25 2019 Tomas Orsava <torsava@redhat.com> - 2.2.0-20
+- Bumping due to problems with modular RPM upgrade path
+- Resolves: rhbz#1695587
+
+* Mon Sep 17 2018 Lumír Balhar <lbalhar@redhat.com> - 2.2.0-19
+- Get rid of unversioned Python dependencies
+- Resolves: rhbz#1628242
+
+* Wed Aug 08 2018 Lumír Balhar <lbalhar@redhat.com> - 2.2.0-18
+- Remove unversioned binaries from python2 subpackage
+- Resolves: rhbz#1613343
+
+* Wed Aug 01 2018 Lumír Balhar <lbalhar@redhat.com> - 2.2.0-17
+- Specfile cleanup
+- Condition for tests
+- Condition for doc
+
+* Tue Jul 31 2018 Lumír Balhar <lbalhar@redhat.com> - 2.2.0-16
+- Switch python3 coditions to bcond
+
+* Wed Jul 18 2018 Tomas Orsava <torsava@redhat.com> - 2.2.0-15
+- BuildRequire also python36-rpm-macros as part of the python36 module build
+
+* Wed Jul 04 2018 Miro Hrončok <mhroncok@redhat.com> - 2.2.0-14
+- Add a bcond for python2
+- Fix the test invocation
+
+* Thu Jun 14 2018 Tomas Orsava <torsava@redhat.com> - 2.2.0-13
+- Switch to using Python 3 version of sphinx
+
+* Mon Apr 30 2018 Tomas Orsava <torsava@redhat.com> - 2.2.0-12
+- Require the python36-devel package when building for the python36 module

 * Mon Mar 19 2018 Steve Milner <smilner@redhat.com> - 2.2.0-11
 - Added import-directive.patch to work around a change in sphinx.