!45 [sync] PR-44: fix CVE-2022-40896

From: @openeuler-sync-bot Reviewed-by: @licihua Signed-off-by: @licihua
2023-07-31 03:41:52 +00:00 · 2023-07-31 03:41:52 +00:00 · 9a46e0c3b5
commit 9a46e0c3b5
parent 2286ce7e18 c2f666762a
2 changed files with 128 additions and 1 deletions
--- a/backport-CVE-2022-40896.patch
+++ b/backport-CVE-2022-40896.patch
@ -0,0 +1,119 @@
+From dd52102c38ebe78cd57748e09f38929fd283ad04 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matth=C3=A4us=20G=2E=20Chajdas?= <dev@anteru.net>
+Date: Sat, 31 Dec 2022 16:29:56 +0100
+Subject: [PATCH] Improve the Smithy metadata matcher.
+
+Previously, metadata foo bar baz = 23 was accepted, but according to
+the definition https://smithy.io/2.0/spec/idl.html#grammar-token-smithy-MetadataSection
+it should be "metadata"<whitespace>Identifier/String<optional whitespace>.
+---
+ pygments/lexers/smithy.py                    |  5 +-
+ tests/examplefiles/smithy/test.smithy        | 12 +++++
+ tests/examplefiles/smithy/test.smithy.output | 52 ++++++++++++++++++++
+ 3 files changed, 67 insertions(+), 2 deletions(-)
+
+diff --git a/pygments/lexers/smithy.py b/pygments/lexers/smithy.py
+index 5f2f76cd..69b576e4 100644
+--- a/pygments/lexers/smithy.py
+++ b/pygments/lexers/smithy.py
+@@ -56,8 +56,9 @@ class SmithyLexer(RegexLexer):
+             (words(aggregate_shapes,
+                    prefix=r'^', suffix=r'(\s+' + identifier + r')'),
+                 bygroups(Keyword.Declaration, Name.Class)),
+-            (r'^(metadata)(\s+.+)(\s*)(=)',
+-                bygroups(Keyword.Declaration, Name.Class, Whitespace, Name.Decorator)),
+            (r'^(metadata)(\s+)((?:\S+)|(?:\"[^"]+\"))(\s*)(=)',
+                bygroups(Keyword.Declaration, Whitespace, Name.Class,
+                         Whitespace, Name.Decorator)),
+             (r"(true|false|null)", Keyword.Constant),
+             (r"(-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?)", Number),
+             (identifier + ":", Name.Label),
+diff --git a/tests/examplefiles/smithy/test.smithy b/tests/examplefiles/smithy/test.smithy
+index 3d20f064..9317fee9 100644
+--- a/tests/examplefiles/smithy/test.smithy
+++ b/tests/examplefiles/smithy/test.smithy
+@@ -2,6 +2,18 @@ $version: "1.0"
+ 
+ namespace test
+ 
+metadata "foo" = ["bar", "baz"]
+metadata validators = [
+    {
+        name: "ValidatorName"
+        id: "ValidatorId"
+        message: "Some string"
+        configuration: {
+            selector: "operation"
+        }
+    }
+]
+
+ /// Define how an HTTP request is serialized given a specific protocol,
+ /// authentication scheme, and set of input parameters.
+ @trait(selector: "operation")
+diff --git a/tests/examplefiles/smithy/test.smithy.output b/tests/examplefiles/smithy/test.smithy.output
+index 1f224897..db44a381 100644
+--- a/tests/examplefiles/smithy/test.smithy.output
+++ b/tests/examplefiles/smithy/test.smithy.output
+@@ -7,6 +7,58 @@
+ ' test'       Name.Class
+ '\n\n'        Text.Whitespace
+ 
+'metadata'    Keyword.Declaration
+' '           Text.Whitespace
+'"foo"'       Name.Class
+' '           Text.Whitespace
+'='           Name.Decorator
+' '           Text.Whitespace
+'['           Text
+'"bar"'       Literal.String.Double
+','           Punctuation
+' '           Text.Whitespace
+'"baz"'       Literal.String.Double
+']'           Text
+'\n'          Text.Whitespace
+
+'metadata'    Keyword.Declaration
+' '           Text.Whitespace
+'validators'  Name.Class
+' '           Text.Whitespace
+'='           Name.Decorator
+' '           Text.Whitespace
+'['           Text
+'\n    '      Text.Whitespace
+'{'           Text
+'\n        '  Text.Whitespace
+'name:'       Name.Label
+' '           Text.Whitespace
+'"ValidatorName"' Literal.String.Double
+'\n        '  Text.Whitespace
+'id:'         Name.Label
+' '           Text.Whitespace
+'"ValidatorId"' Literal.String.Double
+'\n        '  Text.Whitespace
+'message:'    Name.Label
+' '           Text.Whitespace
+'"Some string"' Literal.String.Double
+'\n        '  Text.Whitespace
+'configuration:' Name.Label
+' '           Text.Whitespace
+'{'           Text
+'\n            ' Text.Whitespace
+'selector:'   Name.Label
+' '           Text.Whitespace
+'"operation"' Literal.String.Double
+'\n        '  Text.Whitespace
+'}'           Text
+'\n    '      Text.Whitespace
+'}'           Text
+'\n'          Text.Whitespace
+
+']'           Text
+'\n\n'        Text.Whitespace
+
+ '/// Define how an HTTP request is serialized given a specific protocol,' Comment.Multiline
+ '\n'          Text.Whitespace
+ 
+-- 
+2.39.1
+
--- a/python-pygments.spec
+++ b/python-pygments.spec
@ -17,7 +17,7 @@ need to prettify source code. Highlights are: \
 Name:           python-pygments
 Summary:        Syntax highlighting engine written in Python
 Version:        2.10.0
-Release:        3
+Release:        4
 License:        BSD
 URL:            http://pygments.org/
 Source0:        https://pypi.org/packages/source/P/Pygments/Pygments-%{version}.tar.gz
@ -25,6 +25,8 @@ Source0:        https://pypi.org/packages/source/P/Pygments/Pygments-%{version}.
 Patch0:         0001-fixed-typo.patch
 Patch1:         0001-Fix-do-concurrent-and-go-to-keywords-in-the-Fortran-.patch

+Patch6000:      backport-CVE-2022-40896.patch
+
 BuildArch:      noarch

 %description
@ -81,6 +83,12 @@ make test
 %endif

 %changelog
+* Wed Jul 26 2023 zhuofeng <zhuofeng2@huawei.com> - 2.10.0-4
+- Type:CVE
+- CVE:CVE-2022-40896
+- SUG:NA
+- DESC:fix CVE-2022-40896
+
 * Wed Jan 18 2023 caofei <caofei@xfusion.com> -  2.10.0-3
 - Fix "do concurrent" and "go to" keywords in the Fortran