Page MenuHomePhabricator
Create Task
Maniphest T276843

Bundled pygments in REL1_31 / REL1_35 vulnerable to CVE-2021-20270 and CVE-2021-27291
Closed, ResolvedPublicSecurity
Actions

Assigned To
Legoktm
Authored By
Legoktm
Mar 8 2021, 5:22 PM
Tags
Referenced Files
F34180145: 0001-SECURITY-Disable-various-lexers-because-of-DoS-attac.patch
Mar 23 2021, 1:56 AM
F34150046: 0001-SECURITY-Disable-sml-because-of-infinite-loop-DoS-CV.patch
Mar 10 2021, 6:27 PM
Subscribers
Aklapper
gerritbot
Legoktm
MoritzMuehlenhoff
Reedy
sbassett

Description

See https://github.com/pygments/pygments/issues/1625 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20270

Probably we should just update both to 2.7.4. We just updated master to 2.8.0, so it's not vulnerable.

References for CVE-2021-27291:
https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce
https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14

Details

SubjectRepoBranchLines +/-
SECURITY: Disable various lexers because of DoS attacksmediawiki/extensions/SyntaxHighlight_GeSHiREL1_31+23 -13
Update pygments to 2.7.4mediawiki/extensions/SyntaxHighlight_GeSHiREL1_35+42 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

Legoktm created this task.Mar 8 2021, 5:22 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 8 2021, 5:22 PM
Legoktm added projects: Vuln-DoS, SyntaxHighlight.Mar 8 2021, 5:23 PM
Legoktm updated the task description. (Show Details)
MoritzMuehlenhoff subscribed.Mar 8 2021, 5:32 PM
Reedy added a parent task: T270459: Tracking bug for MediaWiki 1.31.13/1.35.2.Mar 8 2021, 5:58 PM
Legoktm added a comment.Mar 8 2021, 6:40 PM

Given that REL1_31 is on such an old version I think we could just disable sml rather than risk a bunch of potentially breaking changes.

It it's OK with the security team I think we should do the REL1_35 version bump in Gerrit since binary patch files are pretty annoying.

sbassett added subscribers: Reedy, sbassett.EditedMar 8 2021, 6:45 PM
In T276843#6893660, @Legoktm wrote:

Given that REL1_31 is on such an old version I think we could just disable sml rather than risk a bunch of potentially breaking changes.

Probably the lowest risk option if it won't degrade any functionality.

It it's OK with the security team I think we should do the REL1_35 version bump in Gerrit since binary patch files are pretty annoying.

I'd rate this low risk if we can get it merged prior to the upcoming security release, unless @Reedy has other concerns.

Reedy added a comment.Mar 8 2021, 7:01 PM
In T276843#6893688, @sbassett wrote:

It it's OK with the security team I think we should do the REL1_35 version bump in Gerrit since binary patch files are pretty annoying.

I'd rate this low risk if we can get it merged prior to the upcoming security release, unless @Reedy has other concerns.

Indeed. The upstream task is public, it has a CVE attached, so it's obvious there's a security component to the bug, and basically a simple replication criteria in the task too.

Therefore pushing fixes in public (to the extension/branches) for dealing with it does highlight the issue a bit, but I don't think it's a major concern. Fix should be released more formally in the next couple of weeks anyway for T270458: Release MediaWiki 1.31.13/1.35.2

Legoktm added a project: Patch-For-Review.Mar 10 2021, 6:27 PM

REL1_31:

0001-SECURITY-Disable-sml-because-of-infinite-loop-DoS-CV.patch902 BDownload

REL1_35: https://gerrit.wikimedia.org/r/670552

sbassett added a comment.Mar 10 2021, 7:04 PM

So for REL1_35, 2.7.4 is the minimum safe version to address the sml CVE? Just wondering if there was any other reason not to bump to 2.8.0 like master.

Legoktm added a comment.Mar 10 2021, 9:50 PM
In T276843#6902032, @sbassett wrote:

So for REL1_35, 2.7.4 is the minimum safe version to address the sml CVE? Just wondering if there was any other reason not to bump to 2.8.0 like master.

Yes. Mostly just to minimize the amount of changes in a stable branch. Based on https://pygments.org/docs/changelog/#version-2-8-0 it looks like upstream did a lot of internal refactoring in this release, and we really haven't run it in production for that long yet. They also just released 2.8.1 a few days ago so... I think 2.7.4 is just the more conservative option.

sbassett triaged this task as Low priority.Mar 15 2021, 3:06 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Mar 15 2021, 4:17 PM
sbassett edited projects, added SecTeam-Processed; removed Patch-For-Review.
Jdforrester-WMF added projects: MW-1.36-notes (1.36.0-wmf.32; 2021-02-23), MW-1.35-notes.Mar 15 2021, 5:07 PM
MoritzMuehlenhoff added a comment.Mar 22 2021, 10:48 AM

There's a second CVE ID for pygments: CVE-2021-27291
https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce and fixed via https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14

Fortunately it's also fixed via 2.7.4.

MoritzMuehlenhoff renamed this task from Bundled pygments in REL1_31 / REL1_35 vulnerable to CVE-2021-20270 to Bundled pygments in REL1_31 / REL1_35 vulnerable to CVE-2021-20270 and CVE-2021-27291.Mar 22 2021, 10:49 AM
MoritzMuehlenhoff updated the task description. (Show Details)
Legoktm added a comment.Mar 23 2021, 1:56 AM

Ack. Here's a new patch that also disables those vulnerable lexers

0001-SECURITY-Disable-various-lexers-because-of-DoS-attac.patch2 KBDownload

Reedy mentioned this in T270459: Tracking bug for MediaWiki 1.31.13/1.35.2.Mar 30 2021, 12:40 AM
Reedy added a comment.Mar 30 2021, 12:56 AM
In T276843#6936825, @Legoktm wrote:

Ack. Here's a new patch that also disables those vulnerable lexers

0001-SECURITY-Disable-various-lexers-because-of-DoS-attac.patch2 KBDownload

Is that just for REL1_31?

Reedy assigned this task to Legoktm.Mar 30 2021, 1:07 AM
Legoktm added a comment.Mar 30 2021, 3:57 AM
In T276843#6954474, @Reedy wrote:
In T276843#6936825, @Legoktm wrote:

Ack. Here's a new patch that also disables those vulnerable lexers

0001-SECURITY-Disable-various-lexers-because-of-DoS-attac.patch2 KBDownload

Is that just for REL1_31?

Yes. https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SyntaxHighlight_GeSHi/+/670552 is the fix for REL1_35

Reedy closed this task as Resolved.Apr 5 2021, 12:22 AM
Reedy added a subscriber: gerritbot.Apr 8 2021, 7:11 PM
gerritbot added a comment.Apr 8 2021, 7:36 PM

Change 678024 had a related patch set uploaded (by Reedy; author: Legoktm):

[mediawiki/extensions/SyntaxHighlight_GeSHi@REL1_31] SECURITY: Disable various lexers because of DoS attacks

https://gerrit.wikimedia.org/r/678024

gerritbot added a project: Patch-For-Review.Apr 8 2021, 7:36 PM
gerritbot added a comment.Apr 8 2021, 7:48 PM

Change 678024 merged by jenkins-bot:

[mediawiki/extensions/SyntaxHighlight_GeSHi@REL1_31] SECURITY: Disable various lexers because of DoS attacks

https://gerrit.wikimedia.org/r/678024

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 8 2021, 9:09 PM
Reedy changed the edit policy from "Custom Policy" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits