!13 [sync] PR-10: fix CVE-2021-20270 CVE-2021-27291

From: @openeuler-sync-bot
Reviewed-by: @small_leek
Signed-off-by: @small_leek

backport-CVE-2021-20270.patch

@@ -0,0 +1,57 @@
+From f91804ff4772e3ab41f46e28d370f57898700333 Mon Sep 17 00:00:00 2001
+From: Georg Brandl <georg@python.org>
+Date: Thu, 10 Dec 2020 08:19:21 +0100
+Subject: [PATCH] fixes #1625: infinite loop in SML lexer
+
+https://github.com/pygments/pygments/commit/f91804ff4772e3ab41f46e28d370f57898700333
+
+Reason was a lookahead-only pattern which was included in the state
+where the lookahead was transitioning to.
+---
+ pygments/lexers/ml.py | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/pygments/lexers/ml.py b/pygments/lexers/ml.py
+index 461af88..b8d78f5 100644
+--- a/pygments/lexers/ml.py
++++ b/pygments/lexers/ml.py
+@@ -142,7 +142,7 @@ class SMLLexer(RegexLexer):
+             (r'#\s+(%s)' % symbolicid_re, Name.Label),
+             # Some reserved words trigger a special, local lexer state change
+             (r'\b(datatype|abstype)\b(?!\')', Keyword.Reserved, 'dname'),
+-            (r'(?=\b(exception)\b(?!\'))', Text, ('ename')),
++            (r'\b(exception)\b(?!\')', Keyword.Reserved, 'ename'),
+             (r'\b(functor|include|open|signature|structure)\b(?!\')',
+              Keyword.Reserved, 'sname'),
+             (r'\b(type|eqtype)\b(?!\')', Keyword.Reserved, 'tname'),
+@@ -315,15 +315,14 @@ class SMLLexer(RegexLexer):
+         'ename': [
+             include('whitespace'),
+ 
+-            (r'(exception|and)\b(\s+)(%s)' % alphanumid_re,
++            (r'(and\b)(\s+)(%s)' % alphanumid_re,
+              bygroups(Keyword.Reserved, Text, Name.Class)),
+-            (r'(exception|and)\b(\s*)(%s)' % symbolicid_re,
++            (r'(and\b)(\s*)(%s)' % symbolicid_re,
+              bygroups(Keyword.Reserved, Text, Name.Class)),
+             (r'\b(of)\b(?!\')', Keyword.Reserved),
++            (r'(%s)|(%s)' % (alphanumid_re, symbolicid_re), Name.Class),
+ 
+-            include('breakout'),
+-            include('core'),
+-            (r'\S+', Error),
++            default('#pop'),
+         ],
+ 
+         'datcon': [
+@@ -446,6 +445,7 @@ class OcamlLexer(RegexLexer):
+     }
+ 
+ 
++
+ class OpaLexer(RegexLexer):
+     """
+     Lexer for the Opa language (http://opalang.org).
+-- 
+2.13.7
+

backport-CVE-2021-27291.patch

@@ -0,0 +1,143 @@
+From 2e7e8c4a7b318f4032493773732754e418279a14 Mon Sep 17 00:00:00 2001
+From: Georg Brandl <georg@python.org>
+Date: Mon, 11 Jan 2021 09:46:34 +0100
+Subject: [PATCH] Fix several exponential/cubic complexity regexes found by Ben
+ Caller/Doyensec
+
+https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
+
+---
+ pygments/lexers/archetype.py | 2 +-
+ pygments/lexers/factor.py    | 4 ++--
+ pygments/lexers/jvm.py       | 1 -
+ pygments/lexers/matlab.py    | 6 +++---
+ pygments/lexers/objective.py | 4 ++--
+ pygments/lexers/templates.py | 2 +-
+ pygments/lexers/varnish.py   | 2 +-
+ 7 files changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/pygments/lexers/archetype.py b/pygments/lexers/archetype.py
+index 68ec5c0..6c36b96 100644
+--- a/pygments/lexers/archetype.py
++++ b/pygments/lexers/archetype.py
+@@ -58,7 +58,7 @@ class AtomsLexer(RegexLexer):
+             (r'P((\d*(\.\d+)?[YyMmWwDd]){1,3}(T(\d*(\.\d+)?[HhMmSs]){,3})?|'
+              r'T(\d*(\.\d+)?[HhMmSs]){,3})', Literal.Date),
+             (r'[+-]?(\d+\.\d*|\.\d+|\d+)[eE][+-]?\d+', Number.Float),
+-            (r'[+-]?(\d+)*\.\d+%?', Number.Float),
++            (r'[+-]?\d*\.\d+%?', Number.Float),
+             (r'0x[0-9a-fA-F]+', Number.Hex),
+             (r'[+-]?\d+%?', Number.Integer),
+         ],
+diff --git a/pygments/lexers/factor.py b/pygments/lexers/factor.py
+index 4aed8f6..d9e346e 100644
+--- a/pygments/lexers/factor.py
++++ b/pygments/lexers/factor.py
+@@ -265,7 +265,7 @@ class FactorLexer(RegexLexer):
+             (r'(?:<PRIVATE|PRIVATE>)\s', Keyword.Namespace),
+ 
+             # strings
+-            (r'"""\s+(?:.|\n)*?\s+"""', String),
++            (r'"""\s(?:.|\n)*?\s"""', String),
+             (r'"(?:\\\\|\\"|[^"])*"', String),
+             (r'\S+"\s+(?:\\\\|\\"|[^"])*"', String),
+             (r'CHAR:\s+(?:\\[\\abfnrstv]|[^\\]\S*)\s', String.Char),
+@@ -322,7 +322,7 @@ class FactorLexer(RegexLexer):
+         'slots': [
+             (r'\s+', Text),
+             (r';\s', Keyword, '#pop'),
+-            (r'(\{\s+)(\S+)(\s+[^}]+\s+\}\s)',
++            (r'(\{\s+)(\S+)(\s[^}]+\s\}\s)',
+              bygroups(Text, Name.Variable, Text)),
+             (r'\S+', Name.Variable),
+         ],
+diff --git a/pygments/lexers/jvm.py b/pygments/lexers/jvm.py
+index 5588b79..7f6d166 100644
+--- a/pygments/lexers/jvm.py
++++ b/pygments/lexers/jvm.py
+@@ -975,7 +975,6 @@ class CeylonLexer(RegexLexer):
+             (r'(import)(\s+)', bygroups(Keyword.Namespace, Text), 'import'),
+             (r'"(\\\\|\\"|[^"])*"', String),
+             (r"'\\.'|'[^\\]'|'\\\{#[0-9a-fA-F]{4}\}'", String.Char),
+-            (r'".*``.*``.*"', String.Interpol),
+             (r'(\.)([a-z_]\w*)',
+              bygroups(Operator, Name.Attribute)),
+             (r'[a-zA-Z_]\w*:', Name.Label),
+diff --git a/pygments/lexers/matlab.py b/pygments/lexers/matlab.py
+index 64dd3a3..d8fd77c 100644
+--- a/pygments/lexers/matlab.py
++++ b/pygments/lexers/matlab.py
+@@ -136,7 +136,7 @@ class MatlabLexer(RegexLexer):
+             (r'.', Comment.Multiline),
+         ],
+         'deffunc': [
+-            (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
++            (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+              bygroups(Whitespace, Text, Whitespace, Punctuation,
+                       Whitespace, Name.Function, Punctuation, Text,
+                       Punctuation, Whitespace), '#pop'),
+@@ -613,7 +613,7 @@ class OctaveLexer(RegexLexer):
+             (r"[^']*'", String, '#pop'),
+         ],
+         'deffunc': [
+-            (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
++            (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+              bygroups(Whitespace, Text, Whitespace, Punctuation,
+                       Whitespace, Name.Function, Punctuation, Text,
+                       Punctuation, Whitespace), '#pop'),
+@@ -681,7 +681,7 @@ class ScilabLexer(RegexLexer):
+             (r'.', String, '#pop'),
+         ],
+         'deffunc': [
+-            (r'(\s*)(?:(.+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
++            (r'(\s*)(?:(\S+)(\s*)(=)(\s*))?(.+)(\()(.*)(\))(\s*)',
+              bygroups(Whitespace, Text, Whitespace, Punctuation,
+                       Whitespace, Name.Function, Punctuation, Text,
+                       Punctuation, Whitespace), '#pop'),
+diff --git a/pygments/lexers/objective.py b/pygments/lexers/objective.py
+index 777d8d4..19f9a54 100644
+--- a/pygments/lexers/objective.py
++++ b/pygments/lexers/objective.py
+@@ -261,11 +261,11 @@ class LogosLexer(ObjectiveCppLexer):
+              'logos_classname'),
+             (r'(%hook|%group)(\s+)([a-zA-Z$_][\w$]+)',
+              bygroups(Keyword, Text, Name.Class)),
+-            (r'(%config)(\s*\(\s*)(\w+)(\s*=\s*)(.*?)(\s*\)\s*)',
++            (r'(%config)(\s*\(\s*)(\w+)(\s*=)(.*?)(\)\s*)',
+              bygroups(Keyword, Text, Name.Variable, Text, String, Text)),
+             (r'(%ctor)(\s*)(\{)', bygroups(Keyword, Text, Punctuation),
+              'function'),
+-            (r'(%new)(\s*)(\()(\s*.*?\s*)(\))',
++            (r'(%new)(\s*)(\()(.*?)(\))',
+              bygroups(Keyword, Text, Keyword, String, Keyword)),
+             (r'(\s*)(%end)(\s*)', bygroups(Text, Keyword, Text)),
+             inherit,
+diff --git a/pygments/lexers/templates.py b/pygments/lexers/templates.py
+index f891242..d909662 100644
+--- a/pygments/lexers/templates.py
++++ b/pygments/lexers/templates.py
+@@ -1428,7 +1428,7 @@ class EvoqueLexer(RegexLexer):
+             # see doc for handling first name arg: /directives/evoque/
+             # + minor inconsistency: the "name" in e.g. $overlay{name=site_base}
+             # should be using(PythonLexer), not passed out as String
+-            (r'(\$)(evoque|overlay)(\{(%)?)(\s*[#\w\-"\'.]+[^=,%}]+?)?'
++            (r'(\$)(evoque|overlay)(\{(%)?)(\s*[#\w\-"\'.]+)?'
+              r'(.*?)((?(4)%)\})',
+              bygroups(Punctuation, Name.Builtin, Punctuation, None,
+                       String, using(PythonLexer), Punctuation)),
+diff --git a/pygments/lexers/varnish.py b/pygments/lexers/varnish.py
+index 4db74e3..b911985 100644
+--- a/pygments/lexers/varnish.py
++++ b/pygments/lexers/varnish.py
+@@ -61,7 +61,7 @@ class VCLLexer(RegexLexer):
+              bygroups(Name.Attribute, Operator, Name.Variable.Global, Punctuation)),
+             (r'(\.probe)(\s*=\s*)(\{)',
+              bygroups(Name.Attribute, Operator, Punctuation), 'probe'),
+-            (r'(\.\w+\b)(\s*=\s*)([^;]*)(\s*;)',
++            (r'(\.\w+\b)(\s*=\s*)([^;\s]*)(\s*;)',
+              bygroups(Name.Attribute, Operator, using(this), Punctuation)),
+             (r'\{', Punctuation, '#push'),
+             (r'\}', Punctuation, '#pop'),
+-- 
+2.13.7
+

python-pygments.spec

@@ -16,12 +16,15 @@ need to prettify source code. Highlights are: \
 Name:           python-pygments
 Summary:        Syntax highlighting engine written in Python
 Version:        2.5.2
-Release:        2
+Release:        3
 License:        BSD
 URL:            http://pygments.org/
 Source0:        https://pypi.org/packages/source/P/Pygments/Pygments-%{version}.tar.gz
 BuildArch:      noarch
 
+Patch6000:      backport-CVE-2021-20270.patch
+Patch6001:      backport-CVE-2021-27291.patch
+
 %description
 %{_description}
 
@@ -81,6 +84,9 @@ cp -r doc/docs doc/reST
 %lang(en) %{_mandir}/man1/pygmentize.1*
 
 %changelog
+* Mon Apr 12 2021 shixuantong<shixuantong@huawei.com> - 2.5.2-3
+- fix CVE-2021-20270 CVE-2021-27291
+
 * Sat Dec 05 2020 shixuantong<shixuantong@huawei.com> - 2.5.2-2
 - use pytest to run test suite