Main Vulnerability Database SB2016062804

SB2016062804 - OS Command Injection in py-pygments (Alpine package)

Published: June 28, 2016

Security Bulletin ID SB2016062804

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) OS Command Injection (CVE-ID: CVE-2015-8557)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=fdcd5dc33d1e2d60c9ae85704971c3e9b7893d9b
https://git.alpinelinux.org/aports/commit/?id=5ca8888a38bf0f21418ef9ffa1084917e3711b11
https://git.alpinelinux.org/aports/commit/?id=5cbdb6d57c7bdb8a863bb82f4caeedefe4a09294
https://git.alpinelinux.org/aports/commit/?id=77c394877f06aa34a90863e93055d689aa1b1f9e