PYSEC-2016-32

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/pygments/PYSEC-2016-32.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2016-32

Aliases

CVE-2015-8557
GHSA-fff8-4w9p-7v76

Published

2016-01-08T20:59:00Z

Modified

2023-11-08T03:58:02.518743Z

Summary

[none]

Details

The FontManager.getnixfontpath function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.

References

http://packetstormsecurity.com/files/133823/Pygments-FontManager._get_nix_font_path-Shell-Injection.html
http://www.openwall.com/lists/oss-security/2015/12/14/6
http://seclists.org/fulldisclosure/2015/Oct/4
http://www.ubuntu.com/usn/USN-2862-1
https://bitbucket.org/birkenfeld/pygments-main/pull-requests/501/fix-shell-injection-in/diff
http://www.openwall.com/lists/oss-security/2015/12/14/17
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
http://www.debian.org/security/2016/dsa-3445
https://security.gentoo.org/glsa/201612-05
https://github.com/advisories/GHSA-fff8-4w9p-7v76

Affected packages

PyPI / pygments

Package

Name: pygments; View open source insights on deps.dev
Purl: pkg:pypi/pygments

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.2.2

Fixed

2.1

Affected versions

1.*

1.2.2

1.3

1.3.1

1.4

1.5

1.6rc1

1.6

2.*

2.0rc1

2.0

2.0.1

2.0.2

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/pygments/PYSEC-2016-32.yaml"