CVE-2021-20270

NameCVE-2021-20270
DescriptionAn infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2590-1, DLA-2648-1, DSA-4870-1, DSA-4889-1
Debian Bugs984664

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mediawiki (PTS)buster1:1.31.16-1+deb10u2fixed
buster (security)1:1.31.16-1+deb10u4fixed
bullseye (security), bullseye1:1.35.8-1~deb11u1fixed
bookworm, sid1:1.39.1-2fixed
pygments (PTS)buster, buster (security)2.3.1+dfsg-1+deb10u2fixed
bullseye2.7.1+dfsg-2.1fixed
bookworm, sid2.14.0+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mediawikisourcestretch1:1.27.7-1~deb9u8DLA-2648-1
mediawikisourcebuster1:1.31.14-1~deb10u1DSA-4889-1
mediawikisource(unstable)1:1.35.2-1
pygmentssourcestretch2.2.0+dfsg-1+deb9u1DLA-2590-1
pygmentssourcebuster2.3.1+dfsg-1+deb10u1DSA-4870-1
pygmentssource(unstable)2.7.1+dfsg-2984664

Notes

https://github.com/pygments/pygments/issues/1625
https://github.com/pygments/pygments/commit/f91804ff4772e3ab41f46e28d370f57898700333

Search for package or bug name: Reporting problems