CVE-2021-20270

NameCVE-2021-20270
DescriptionAn infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2590-1, DLA-2648-1, DSA-4870-1, DSA-4889-1
NVD severitymedium
Debian Bugs984664

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mediawiki (PTS)stretch1:1.27.7-1~deb9u3vulnerable
stretch (security)1:1.27.7-1~deb9u9fixed
buster1:1.31.12-1~deb10u1vulnerable
buster (security)1:1.31.14-1~deb10u1fixed
bullseye, sid1:1.35.2-1fixed
pygments (PTS)stretch2.2.0+dfsg-1vulnerable
stretch (security)2.2.0+dfsg-1+deb9u2fixed
buster2.3.1+dfsg-1+deb10u1fixed
buster (security)2.3.1+dfsg-1+deb10u2fixed
bullseye, sid2.7.1+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mediawikisourcestretch1:1.27.7-1~deb9u8DLA-2648-1
mediawikisourcebuster1:1.31.14-1~deb10u1DSA-4889-1
mediawikisource(unstable)1:1.35.2-1
pygmentssourcestretch2.2.0+dfsg-1+deb9u1DLA-2590-1
pygmentssourcebuster2.3.1+dfsg-1+deb10u1DSA-4870-1
pygmentssource(unstable)2.7.1+dfsg-2984664

Notes

https://github.com/pygments/pygments/issues/1625
https://github.com/pygments/pygments/commit/f91804ff4772e3ab41f46e28d370f57898700333

Search for package or bug name: Reporting problems