CVE-2021-27291

Name: CVE-2021-27291
Description: In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2600-1, DLA-2648-1, DSA-4878-1, DSA-4889-1
Debian Bugs: 985574

Vulnerable and fixed packages

The table below lists information on source packages.

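| Source Package | Release | Version | Status |
|---|---|---|---|
| mediawiki (PTS) | bullseye | 1:1.35.13-1+deb11u2 | fixed |
| mediawiki | bullseye (security) | 1:1.35.13-1+deb11u3 | fixed |
| mediawiki | bookworm | 1:1.39.7-1~deb12u1 | fixed |
| mediawiki | bookworm (security) | 1:1.39.10-1~deb12u1 | fixed |
| mediawiki | sid, trixie | 1:1.39.10-1 | fixed |
| pygments (PTS) | bullseye | 2.7.1+dfsg-2.1 | fixed |
| pygments | bookworm | 2.14.0+dfsg-1 | fixed |
| pygments | sid, trixie | 2.18.0+dfsg-1 | fixed |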

The information below is based on the following data on fixed versions.

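| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| mediawiki | source | stretch | 1:1.27.7-1~deb9u8 | | DLA-2648-1 | |
| mediawiki | source | buster | 1:1.31.14-1~deb10u1 | | DSA-4889-1 | |
| mediawiki | source | (unstable) | 1:1.35.2-1 | | | |
| pygments | source | stretch | 2.2.0+dfsg-1+deb9u2 | | DLA-2600-1 | |
| pygments | source | buster | 2.3.1+dfsg-1+deb10u2 | | DSA-4878-1 | |
| pygments | source | (unstable) | 2.7.1+dfsg-2.1 | | | 985574 |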

Notes

https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce
https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
