CVE-2021-20270

Name: CVE-2021-20270
Description: An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2590-1, DLA-2648-1, DSA-4870-1, DSA-4889-1, ELA-377-1
Debian Bugs: 984664

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release                                    | Version               | Status
mediawiki (PTS) | stretch (security)                         | 1:1.27.7-1+deb9u11    | fixed
                | stretch (lts), stretch                     | 1:1.27.7-1+deb9u13    | fixed
                | buster (security), buster, buster (lts)    | 1:1.31.16-1+deb10u8   | fixed
                | bullseye                                   | 1:1.35.13-1+deb11u2   | fixed
                | bullseye (security)                        | 1:1.35.13-1+deb11u3   | fixed
                | bookworm (security), bookworm              | 1:1.39.10-1~deb12u1   | fixed
                | sid, trixie                                | 1:1.39.10-1           | fixed
pygments (PTS)  | jessie, jessie (lts)                       | 2.0.1+dfsg-1.1+deb8u3 | fixed
                | stretch (security), stretch (lts), stretch | 2.2.0+dfsg-1+deb9u2   | fixed
                | buster (security), buster, buster (lts)    | 2.3.1+dfsg-1+deb10u2  | fixed
                | bullseye                                   | 2.7.1+dfsg-2.1        | fixed
                | bookworm                                   | 2.14.0+dfsg-1         | fixed
                | sid, trixie                                | 2.18.0+dfsg-1         | fixed

The information below is based on the following data on fixed versions.

Package   | Type   | Release    | Fixed Version         | Urgency | Origin     | Debian Bugs
mediawiki | source | stretch    | 1:1.27.7-1~deb9u8     |         | DLA-2648-1 |
mediawiki | source | buster     | 1:1.31.14-1~deb10u1   |         | DSA-4889-1 |
mediawiki | source | (unstable) | 1:1.35.2-1            |         |            |
pygments  | source | jessie     | 2.0.1+dfsg-1.1+deb8u2 |         | ELA-377-1  |
pygments  | source | stretch    | 2.2.0+dfsg-1+deb9u1   |         | DLA-2590-1 |
pygments  | source | buster     | 2.3.1+dfsg-1+deb10u1  |         | DSA-4870-1 |
pygments  | source | (unstable) | 2.7.1+dfsg-2          |         |            | 984664
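The script below is an added example, not code from the Debian security tracker or the Pygments project. It turns the description and the fixed-version table into a check a practitioner can run on a host: a version-range test using the affected range the CVE text gives (1.5 through 2.7.3; that the upstream fix shipped in 2.7.4 is an assumption of this example), and a behavioural test that lexes the one-token input "exception" with SMLLexer in a child process under a timeout. The second test is the one that matters on Debian: the fixed packages listed above (for example 2.3.1+dfsg-1+deb10u1) carry a backported fix but still report the affected upstream version number, so the version test alone would flag them as vulnerable. Function names are this example's own.

```python
"""Checks for the CVE-2021-20270 Pygments SMLLexer hang.

Added example; not code from the Debian tracker or the Pygments project.
Two checks are combined:

1. a version-range test using the affected range stated in the CVE text
   (Pygments 1.5 through 2.7.3; that the upstream fix shipped in 2.7.4 is
   an assumption of this example), and
2. a behavioural test that lexes the one-token input "exception" in a
   child process with a timeout, because a lexer that loops forever can
   only be shown safe by actually running it.

On Debian the version test is not conclusive: backported fixes keep the
affected upstream number, so rely on the behavioural test there.
"""
import importlib.util
import multiprocessing
import re

AFFECTED_MIN = (1, 5)        # first affected upstream release, per the CVE text
AFFECTED_MAX = (2, 7, 3)     # last affected upstream release, per the CVE text
TRIGGER_INPUT = "exception"  # the input the CVE text names as sufficient


def parse_upstream_version(version):
    """Return the leading dotted-numeric part of a version string as a tuple.

    Debian suffixes such as "+dfsg-1+deb10u1" are ignored, so
    "2.3.1+dfsg-1+deb10u1" -> (2, 3, 1).
    """
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"no numeric version in {version!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def version_in_affected_range(version):
    """True if the upstream version number satisfies 1.5 <= v <= 2.7.3."""
    return AFFECTED_MIN <= parse_upstream_version(version) <= AFFECTED_MAX


def installed_pygments_version():
    """Installed Pygments version string, or None if Pygments is absent."""
    if importlib.util.find_spec("pygments") is None:
        return None
    import pygments
    return pygments.__version__


def _lex_sml(text):
    # Runs in the child process; a vulnerable lexer never returns from here.
    from pygments.lexers import SMLLexer
    for _ in SMLLexer().get_tokens(text):
        pass


def sml_lexer_hangs(text=TRIGGER_INPUT, timeout=5.0):
    """Lex `text` with SMLLexer in a child process.

    Returns True if lexing did not finish within `timeout` seconds (the
    child is then killed), False if it finished, None if Pygments is absent.
    """
    if importlib.util.find_spec("pygments") is None:
        return None
    proc = multiprocessing.Process(target=_lex_sml, args=(text,))
    proc.start()
    proc.join(timeout)
    if proc.is_alive():
        proc.kill()
        proc.join()
        return True
    return False


if __name__ == "__main__":
    ver = installed_pygments_version()
    if ver is None:
        print("Pygments is not installed")
    else:
        print(f"Pygments {ver}: upstream number in affected range:",
              version_in_affected_range(ver))
        print(f"SMLLexer hangs on {TRIGGER_INPUT!r}:", sml_lexer_hangs())
```

Run it with the interpreter whose Pygments you care about (`python3 check.py` for the Debian package, or the one inside a virtualenv). The child-process-plus-timeout shape is deliberate: an infinite loop inside a lexer cannot be interrupted from the same thread, and killing a child is the only way to get a definite answer without wedging the checker itself.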

Notes

https://github.com/pygments/pygments/issues/1625
https://github.com/pygments/pygments/commit/f91804ff4772e3ab41f46e28d370f57898700333
