CVE-2021-27291

Name: CVE-2021-27291
Description: In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-2600-1, DSA-4878-1, DSA-4889-1
NVD severity: medium
Debian Bugs: 985574

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release             Version                 Status
mediawiki (PTS)    stretch             1:1.27.7-1~deb9u3       vulnerable
mediawiki (PTS)    stretch (security)  1:1.27.7-1~deb9u7       vulnerable
mediawiki (PTS)    buster              1:1.31.12-1~deb10u1     vulnerable
mediawiki (PTS)    buster (security)   1:1.31.14-1~deb10u1     fixed
mediawiki (PTS)    bullseye, sid       1:1.35.2-1              fixed
pygments (PTS)     stretch             2.2.0+dfsg-1            vulnerable
pygments (PTS)     stretch (security)  2.2.0+dfsg-1+deb9u2     fixed
pygments (PTS)     buster              2.3.1+dfsg-1+deb10u1    vulnerable
pygments (PTS)     buster (security)   2.3.1+dfsg-1+deb10u2    fixed
pygments (PTS)     bullseye, sid       2.7.1+dfsg-2            vulnerable

The information below is based on the following data on fixed versions.

Package      Type     Release      Fixed Version           Urgency   Origin       Debian Bugs
mediawiki    source   buster       1:1.31.14-1~deb10u1     (none)    DSA-4889-1   (none)
mediawiki    source   (unstable)   1:1.35.2-1              (none)    (none)       (none)
pygments     source   stretch      2.2.0+dfsg-1+deb9u2     (none)    DLA-2600-1   (none)
pygments     source   buster       2.3.1+dfsg-1+deb10u2    (none)    DSA-4878-1   (none)
pygments     source   (unstable)   (unfixed)               (none)    (none)       985574

Notes

https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce
https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
