Advisories » MGASA-2015-0478

Updated python-pygments packages fix security vulnerability

Publication date: 17 Dec 2015
Modification date: 17 Dec 2015
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-8557

Description

FontManager builds a shell command string using unsafe string concatenation.
If the developer allows the attacker to choose the font and outputs an image,
the attacker can execute any shell command on the remote system. The injected
name variable comes from the constructor of FontManager, which ImageFormatter
invokes with a value taken from its options (CVE-2015-8557, rhbz#1276321).
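
The flaw class described above, shown as an added illustration (this is not the Pygments source): a font name concatenated into a shell string is compared with the same lookup passed as an argument vector. The fc-list command, the function names and the sample font names are assumptions made for the example; nothing is executed, the strings are only tokenised.

```python
import shlex

FC_LIST = "fc-list"  # assumed font lookup tool, used here only as a label


def shell_string(name, style):
    """Vulnerable pattern: the font name is concatenated into a shell string."""
    return '%s "%s:style=%s" file' % (FC_LIST, name, style)


def argv_list(name, style):
    """Hardened pattern: one argv element per argument, no shell parsing."""
    return [FC_LIST, "%s:style=%s" % (name, style), "file"]


def shell_commands(command):
    """Approximate how a POSIX shell splits a string into separate commands."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # split words on whitespace, like a shell
    commands, current = [], []
    for token in lexer:
        if token and all(ch in ";&|" for ch in token):
            commands.append(current)  # control operator ends a command
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [c for c in commands if c]


if __name__ == "__main__":
    # Constructed sample inputs: an ordinary font name and one containing
    # a double quote and command separators.
    for name in ("DejaVu Sans", 'Arial"; echo INJECTED; "'):
        print("font name      :", repr(name))
        print("  shell string :", shell_commands(shell_string(name, "Bold")))
        print("  argv list    :", argv_list(name, "Bold"))
```

With the argument-vector form, which is what subprocess accepts when no shell is requested, the whole font name stays inside a single argument whatever characters it contains.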
                

References

SRPMS

5/core