From 77c394877f06aa34a90863e93055d689aa1b1f9e Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Tue, 28 Jun 2016 11:57:15 +0000
Subject: main/py-pygments: security fix for CVE-2015-8557

fixes #5815
---
 main/py-pygments/APKBUILD | 19 ++++++++++++++-----
 main/py-pygments/CVE-2015-8557.patch | 29 +++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 5 deletions(-)
 create mode 100644 main/py-pygments/CVE-2015-8557.patch
(limited to 'main/py-pygments')

diff --git a/main/py-pygments/APKBUILD b/main/py-pygments/APKBUILD
index 056f824f30..c116fa6ebc 100644
--- a/main/py-pygments/APKBUILD
+++ b/main/py-pygments/APKBUILD
@@ -12,13 +12,19 @@ depends="python py-setuptools"
 makedepends=""
 install=""
 subpackages="$pkgname-doc"
-source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz"
+source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz
+	CVE-2015-8557.patch
+	"
 _builddir="$srcdir"/$_pkgname-$pkgver
 prepare() {
 	cd "$_builddir"
-	# apply patches here
+	for i in $source; do
+		case "$i" in
+		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+		esac
+	done
 }
 build() {
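Review bot: In the new prepare() loop, `$i` is left unquoted in both `msg $i` and `"$srcdir"/$i`, so a patch name containing whitespace or a glob character would be word-split or expanded before it reaches `patch`; the names come from `$source` in this same file, so the exposure is low, but quoting keeps the line consistent with the already-quoted `"$srcdir"`: `*.patch) msg "$i"; patch -p1 -i "$srcdir/$i" || return 1;;`. Iterating `$source` itself unquoted is intentional, since the variable holds a whitespace-separated list. The rewritten `source=` line still fetches the tarball over plain `http://`; the sha512 entry pins its contents, so this is only a transport concern, but PyPI is reachable over `https://`. The `build()` function that begins on the hunk's last line continues outside it.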
@@ -57,6 +63,9 @@ doc() {
 	default_doc
 }
 
-md5sums="238587a1370d62405edabd0794b3ec4a Pygments-2.0.2.tar.gz"
-sha256sums="7320919084e6dac8f4540638a46447a3bd730fca172afc17d2c03eed22cf4f51 Pygments-2.0.2.tar.gz"
-sha512sums="b58e2cc535ba3f1fda7cb147e12af128bc2755de56cf465f8f1d642730eaef50c06551cc4cc44f25f726b00f3f1c9c2078977233b11c0b6a7e1add6a4069c27e Pygments-2.0.2.tar.gz"
+md5sums="238587a1370d62405edabd0794b3ec4a Pygments-2.0.2.tar.gz
+3e5190427dd4ac1a52f27c1f7d1b1d90 CVE-2015-8557.patch"
+sha256sums="7320919084e6dac8f4540638a46447a3bd730fca172afc17d2c03eed22cf4f51 Pygments-2.0.2.tar.gz
+c56bc3b911ece2d79bb1b7dd4d952d0139216161a0f7f95ff6143daccd24daf6 CVE-2015-8557.patch"
+sha512sums="b58e2cc535ba3f1fda7cb147e12af128bc2755de56cf465f8f1d642730eaef50c06551cc4cc44f25f726b00f3f1c9c2078977233b11c0b6a7e1add6a4069c27e Pygments-2.0.2.tar.gz
+14d0fe27195cae53dd6b998fd05c32938078bf4de0845ce388b22729e5633e5f810b738ce672de0d023099b54ac7ca44ab4273d46313e2e30138a2fb023e5add CVE-2015-8557.patch"
diff --git a/main/py-pygments/CVE-2015-8557.patch b/main/py-pygments/CVE-2015-8557.patch
new file mode 100644
index 0000000000..0a23adce33
--- /dev/null
+++ b/main/py-pygments/CVE-2015-8557.patch
@@ -0,0 +1,29 @@
+# HG changeset patch
+# User Javantea
+# Date 1443460403 25200
+# Node ID 6b4baae517b6aaff7142e66f1dbadf7b9b871f61
+# Parent 655dbebddc23943b8047b3c139c51c22ef18fd91
+Fix Shell Injection in FontManager._get_nix_font_path
+
+diff --git a/pygments/formatters/img.py b/pygments/formatters/img.py
+--- a/pygments/formatters/img.py
++++ b/pygments/formatters/img.py
+@@ -10,6 +10,7 @@
+ """
+ 
+ import sys
++import shlex
+ 
+ from pygments.formatter import Formatter
+ from pygments.util import get_bool_opt, get_int_opt, get_list_opt, \
+@@ -79,8 +80,8 @@
+             from commands import getstatusoutput
+         except ImportError:
+             from subprocess import getstatusoutput
+-        exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
+-                                    (name, style))
++        exit, out = getstatusoutput('fc-list %s file' %
++                                    shlex.quote("%s:style=%s" % (name, style)))
+         if not exit:
+             lines = out.splitlines()
+             if lines:
-- 
cgit v1.2.3
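Review bot: The patched call in `_get_nix_font_path` relies on `shlex.quote`, which exists only on Python 3.3 and later, while the surrounding `from commands import getstatusoutput` / `except ImportError` fallback shows the code is also meant to run on Python 2, where `shlex` has no `quote` and the font lookup would raise `AttributeError` instead of being quoted; the APKBUILD in this same commit depends on `python`, which I read as the 2.x interpreter, though the page does not say so. Python 2 ships the same quoting as `pipes.quote`, so importing with a fallback keeps the fix working on both lines; the alternative is to drop the shell entirely and pass `['fc-list', '%s:style=%s' % (name, style), 'file']` to `subprocess`, which removes the quoting dependency altogether. The sketch below shows the import-fallback variant; the enclosing method starts before the inner hunk.
```python
import sys
try:
    from shlex import quote  # Python 3.3+
except ImportError:
    from pipes import quote  # Python 2
# … unchanged: pygments.formatter / pygments.util imports …

        # … unchanged: getstatusoutput import fallback …
        exit, out = getstatusoutput('fc-list %s file' %
                                    quote("%s:style=%s" % (name, style)))
        # … unchanged: exit check and output parsing …
```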