1213505 – (CVE-2022-40896) VUL-0: CVE-2022-40896: python-Pygments: A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.

Bug 1213505 (CVE-2022-40896) - VUL-0: CVE-2022-40896: python-Pygments: A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.

Summary: VUL-0: CVE-2022-40896: python-Pygments: A ReDoS issue was discovered in pygme...

Status:	RESOLVED INVALID

Alias:	CVE-2022-40896

Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Python (show other bugs)
Version:	Leap 15.5
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal (vote)
Target Milestone:	Leap 15.5
Assignee:	Security Team bot
QA Contact:	E-mail List

URL:	https://smash.suse.de/issue/372990/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-40896:5.1:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-07-20 07:04 UTC by Stoyan Manolov
Modified:	2023-07-21 14:39 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stoyan Manolov 2023-07-20 07:04:47 UTC

CVE-2022-40896

A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through
2.15.0 via SmithyLexer.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40896
https://www.cve.org/CVERecord?id=CVE-2022-40896
https://github.com/pygments/pygments/blob/master/pygments/lexers/smithy.py#L61
https://pypi.org/project/Pygments/
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/

Comment 1 John Paul Adrian Glaubitz 2023-07-20 07:32:59 UTC

According to PyUP (https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/), the issue is fixed by three individual commits:

- https://github.com/pygments/pygments/commit/dd52102c38ebe78cd57748e09f38929fd283ad04

- https://github.com/pygments/pygments/pull/2404/commits/ce60712292e5734c44700eba16c0f3af5c298390

- https://github.com/pygments/pygments/commit/97eb3d5ec7c1b3ea4fcf9dee30a2309cf92bd194

These patches do not apply as is to the Pygments versions found in SLE-15.