[3.4] py-pygments: Shell injection in FontManager._get_nix_font_path (CVE-2015-8557)
The FontManager._get_nix_font_path function in formatters/img.py in
Pygments 1.2.2 through 2.0.2 allows remote attackers to execute
arbitrary commands via shell metacharacters in a font name.
References:
http://seclists.org/fulldisclosure/2015/Oct/4
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8557
Patch:
https://bitbucket.org/birkenfeld/pygments-main/commits/6b4baae517b6aaff7142e66f1dbadf7b9b871f61/raw/
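
The bug class described above, as an added example (not Pygments code and not the linked patch): a font name formatted into a shell command line next to the same lookup passed as an argument list. The function names, the `name:style=...` pattern shape, the argument-echo stand-in for the external font-lookup program, and the crafted name are all assumptions constructed for illustration.

```python
import shlex
import subprocess
import sys

# Stand-in for the external font-lookup program (assumption, so the example
# runs offline): a child Python process that prints each argument it received.
ARGV_ECHO = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]


def lookup_via_shell(name, style):
    """Vulnerable pattern: the font name is pasted into a shell command line."""
    cmd = '%s "%s:style=%s" file' % (shlex.join(ARGV_ECHO), name, style)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def lookup_via_argv(name, style):
    """Hardened pattern: no shell; the font name stays inside one argv entry."""
    argv = ARGV_ECHO + ["%s:style=%s" % (name, style), "file"]
    out = subprocess.run(argv, capture_output=True, text=True)
    return out.stdout.splitlines()


# Constructed input: a "font name" that closes the quote and adds a command.
CRAFTED_NAME = 'x"; echo SECOND_COMMAND_RAN; echo "'

if __name__ == "__main__":
    # The shell splits the line into three commands; the marker is printed
    # by the shell itself, not by the lookup program.
    print("shell:", lookup_via_shell(CRAFTED_NAME, "Regular"))
    # Without a shell the whole crafted name arrives as one literal argument.
    print("argv: ", lookup_via_argv(CRAFTED_NAME, "Regular"))
```

Both functions return the same result for an ordinary font name, so a regression test for the fix has to use a name containing quotes or `;` to tell them apart.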
(from redmine: issue id 5816, created on 2016-06-28, closed on 2016-07-07)
- Relations:
  - parent #5814 (closed)
- Changesets:
  - Revision 5ca8888a by Natanael Copa on 2016-06-28T11:59:13Z:
    main/py-pygments: security fix for CVE-2015-8557
    fixes #5816