
Mageia alert MGASA-2015-0478 (python-pygments)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2015-0478: Updated python-pygments packages fix security vulnerability
Date:  Thu, 17 Dec 2015 21:19:53 +0100
Message-ID:  <20151217201954.01087208C77@valstar.mageia.org>

MGASA-2015-0478 - Updated python-pygments packages fix security vulnerability

Publication date: 17 Dec 2015
URL: http://advisories.mageia.org/MGASA-2015-0478.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-8557

Description:
An unsafe use of string concatenation in a shell string occurs in FontManager. If the developer allows the attacker to choose the font and outputs an image, the attacker can execute any shell command on the remote system. The name variable injected comes from the constructor of FontManager, which is invoked by ImageFormatter from options (CVE-2015-8557, rhbz#1276321).

References:
- https://bugs.mageia.org/show_bug.cgi?id=17331
- http://openwall.com/lists/oss-security/2015/12/14/6
- https://bugzilla.redhat.com/show_bug.cgi?id=1276321
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8557

SRPMS:
- 5/core/python-pygments-1.6-9.1.mga5
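The flaw class described above, shown as an added example that is not Pygments' or Mageia's own code: a font name concatenated into a shell string next to the same lookup built as an argument list, with nothing executed. The helper names, the `fc-list` command shape, the allowlist pattern and the test input are assumptions made for illustration.

```python
import re
import shlex

def build_shell_string(name, style):
    # Unsafe pattern: the untrusted name becomes text that a shell will parse.
    return 'fc-list "%s:style=%s" file' % (name, style)

def build_argv(name, style):
    # Safer pattern: one list element per argument, meant for
    # subprocess.run(argv) without shell=True, so no shell parses the name.
    return ["fc-list", "%s:style=%s" % (name, style), "file"]

# Assumed allowlist for font family names (defence in depth).
FONT_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}")

def validate_font_name(name):
    # Reject anything outside a conservative character set before use.
    if not FONT_NAME.fullmatch(name):
        raise ValueError("rejected font name: %r" % name)
    return name

def shell_commands(cmdline):
    # Approximate how a POSIX shell splits one line into separate commands.
    # Requires Python 3.8+ (whitespace_split combined with punctuation_chars).
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in (";", "&", "&&", "|", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands

# Constructed test input containing a quote and command separators.
HOSTILE = 'Sans"; echo INJECTED; "'

if __name__ == "__main__":
    print(shell_commands(build_shell_string("DejaVu Sans", "Bold")))
    print(shell_commands(build_shell_string(HOSTILE, "Bold")))
    print(build_argv(HOSTILE, "Bold"))
```

With the concatenated string, the constructed name closes the quote and the line parses as three commands; in the argument list it stays inside a single element, and the allowlist rejects it before either form is built.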

