CVE-2022-40896: A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.

The CVE issue is fixed by 3 different commits between the releases 2.14.0 (for Smithy lexer), 2.15.0 (for SQL+Jinja lexers) and 2.15.1 (for Java properties) as per: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/

1. Smithy lexer commit from 2.14.0 release applies successfully on 2.11.2 version. Commit: dd52102c38
Hence, backported the patch as CVE-2022-40896.patch.

2. SQL+Jinja lexers commit from 2.15.0 release doesn't apply on 2.11.2 version. Commit: 97eb3d5ec7
Actually, this code doesn't exist in 2.11.2 version and it has been introduced by python3-pygments 2.13.0 version. Hence, this is not vulnerable for 2.11.2 version. SQL+Jinja lexers is introduced by: 0bdbd5992b

3. Java properties commit from 2.15.1 release also doesn't apply on 2.11.2 version. Commit: fdf182a7af
Actually, this code also doesn't exist in 2.11.2 version as the code has been modified in python3-pygments 2.14.0 by: a38cb38e93
Hence, this is also not vulnerable for 2.11.2 version.

(From OE-Core rev: ebb224e65a7e1402ccf0d9517bd72748c18e012e)

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
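# BitBake recipe for Pygments (python3-pygments), built with setuptools and
# fetched from PyPI. The stray "|" rows from the rendered file view are
# dropped here: they are not BitBake syntax and would not parse.

SUMMARY = "Pygments is a syntax highlighting package written in Python."
DESCRIPTION = "Pygments is a syntax highlighting package written in Python."
# NOTE(review): plain-http project URL; it is descriptive metadata here, the
# source itself is fetched through the pypi class inherited below.
HOMEPAGE = "http://pygments.org/"
LICENSE = "BSD-2-Clause"
# Checksum of the licence text, used to notice licence changes on upgrade.
# It is a change detector for the LICENSE file, not the source integrity pin.
LIC_FILES_CHKSUM = "file://LICENSE;md5=98419e351433ac106a24e3ad435930bc"

inherit setuptools3
# Integrity pin for the upstream source archive; it must be refreshed together
# with any version bump so a substituted tarball is rejected at fetch time.
SRC_URI[sha256sum] = "4e426f72023d88d03b2fa258de560726ce890ff3b630f88c21cbb8b2503b8c6a"

# Backport of the upstream SmithyLexer ReDoS fix (upstream commit dd52102c38,
# first released in 2.14.0). CVE-2022-40896 was fixed upstream in three
# commits; the SQL+Jinja lexer code (added in 2.13.0) and the Java properties
# lexer code (reworked in 2.14.0) are not present in this form in 2.11.2, so
# only the Smithy fix is carried.
# NOTE(review): the patch file is not visible here - confirm its header carries
# the "CVE:" and "Upstream-Status:" tags so CVE scanning reports it as patched.
SRC_URI += "file://CVE-2022-40896.patch"

DEPENDS += "\
    ${PYTHON_PN} \
    "

PYPI_PACKAGE = "Pygments"

inherit pypi

BBCLASSEXTEND = "native nativesdk"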