CVE-2015-8557
Published 2016-01-08
Priority P2 · 64 · critical · 9 (CVSS 3.0)
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 6.66% (93.1th percentile)
The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2.2 through 2.0.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a font name.
Affected: 18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | pygments | < pygments 2.0.1+dfsg-2 (bookworm) | pygments 2.0.1+dfsg-2 (bookworm) |
| pygments | pygments | — | — |
| pygments | pygments | >= 0 < 2.0.1+dfsg-2 | 2.0.1+dfsg-2 |
| pygments | pygments | >= 1.2.2 < 2.1 | 2.1 |
Detection & IOCs (extracted from sources)
- Shell injection via an unsanitized font name passed to getstatusoutput(); monitor for shell metacharacters (e.g. `;`, `|`, `$()`, backticks) in font name arguments supplied to the Pygments ImageFormatter.
- Monitor for unexpected child processes spawned alongside fc-list (getstatusoutput() runs the command string through a shell) whose argument lists include shell metacharacters or additional commands; that pattern indicates exploitation of the font name injection.
- Exploitation requires use of the Pygments image formatters with attacker-controlled font name input; triage any application that exposes Pygments ImageFormatter options to untrusted users.
- The vulnerability only triggers on *nix systems where the image formatter code path is reachable and the attacker can control the font name option passed to ImageFormatter.
- Affected Pygments versions are 1.2.2 through 2.0.2; the fix was introduced in patched builds (e.g. 2.0.1+dfsg-2 on Debian, 2.0.2-3 on Fedora).
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.0 | CRITICAL | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 9.0 | CRITICAL | — |
| vendor_debian | — | 9.0 | CRITICAL | — |
| vendor_redhat | — | 9.0 | CRITICAL | — |
OSV · 2022-05-17
Command Injection in Pygments [CRITICAL]
GHSA · 2022-05-17
Command Injection in Pygments [CRITICAL] (CWE-78)
OSV · 2016-01-08 · CVSS 9.0
CVE-2015-8557: The FontManager [CRITICAL]
Ubuntu · vendor_ubuntu · 2016-01-07
Pygments vulnerability
Summary: Pygments could be made to crash or run programs if it processed a specially crafted font request.
It was discovered that Pygments incorrectly sanitized strings used to search system fonts. An attacker could possibly use this issue to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat · vendor_redhat · 2015-09-28 · CVSS 9.0
python-pygments: Shell injection in FontManager._get_nix_font_path [CRITICAL] (CWE-77)
Package: python-pygments (Red Hat Ceph Storage 1.2) - Will not fix
Package: python-pygments (Red Hat Enterprise Linux 6) - Will not fix
Package: python-pygments (Red Hat Enterprise Linux 7) - Will not fix
Package: python-pygments (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Will not fix
Package: python-pygments (Red Hat Enterprise Linux OpenStack Platform 6 (Juno)) - Will not fix
Package: python-pygments (Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)) - Will not fix
Package: python27-python-pygments (Red
Debian · vendor_debian · 2015 · CVSS 9.0
CVE-2015-8557: pygments - The FontManager._get_nix_font_path function in formatters/img.py in Pygments 1.2... [CRITICAL]
Scope: local
bookworm: resolved (fixed in 2.0.1+dfsg-2)
bullseye: resolved (fixed in 2.0.1+dfsg-2)
forky: resolved (fixed in 2.0.1+dfsg-2)
sid: resolved (fixed in 2.0.1+dfsg-2)
trixie: resolved (fixed in 2.0.1+dfsg-2)
No detection rules found.
No public exploits indexed.
Bugzilla · 2015-10-29 · CVSS 9.0
CVE-2015-8557 python-pygments: Shell injection in FontManager._get_nix_font_path [CRITICAL]
An unsafe use of string concatenation in a shell string occurs in FontManager. If the developer allows the attacker to choose the font and outputs an image, the attacker can execute any shell command on the remote system. The name variable injected comes from the constructor of FontManager, which is invoked by ImageFormatter from options.
Vulnerable code:
```python
def _get_nix_font_path(self, name, style):
    try:
        from commands import getstatusoutput
    except ImportError:
        from subprocess import getstatusoutput
    # name is interpolated straight into a shell command string
    exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
                                (name, style))
    if not exit:
        lines = out.splitlines()
        if lines:
            path = lines[0].strip().strip(':')
            return path
```
Upstream patch:
https://bitbucket.org/birke
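Added example, not the page's or Pygments' own code: the affected shell-string construction beside a hardened lookup that passes fc-list an argument list with no shell involved, plus a triage check for the metacharacters the detection notes above mention. The `run` parameter is a hypothetical hook (not a Pygments API) so the lookup can be exercised with canned fc-list output.

```python
import subprocess

# Shell metacharacters called out in the detection notes; a font name containing any
# of them should be treated as suspicious when it reaches ImageFormatter's font option.
SHELL_METACHARS = ';&|`$(){}<>\n"\''


def font_name_has_shell_metachars(name):
    """Detection/triage helper: True when a font name carries shell metacharacters."""
    return any(ch in name for ch in SHELL_METACHARS)


def vulnerable_command_string(name, style):
    """The shell string the affected _get_nix_font_path handed to getstatusoutput().
    A double quote inside `name` closes the quoted argument, so whatever follows is
    parsed as further shell syntax. Built for comparison only; never executed here."""
    return 'fc-list "%s:style=%s" file' % (name, style)


def hardened_argv(name, style):
    """Argument list for fc-list. With no shell involved, the whole font name,
    metacharacters included, reaches fc-list as one argv element and nothing else."""
    return ['fc-list', '%s:style=%s' % (name, style), 'file']


def _run_fc_list(argv):
    """Default runner: execute argv directly (shell=False); return (rc, stdout text)."""
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    return proc.returncode, proc.stdout.decode('utf-8', 'replace')


def get_nix_font_path(name, style, run=_run_fc_list):
    """Hardened lookup with the same output parsing as the original function.
    `run` is an assumed injection point so the parsing can be tested offline."""
    rc, out = run(hardened_argv(name, style))
    if rc != 0:
        return None
    lines = out.splitlines()
    if lines:
        return lines[0].strip().strip(':')
    return None
```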
Bugzilla · 2015-10-29 · CVSS 9.0
CVE-2015-8557 python-pygments: Shell injection in FontManager._get_nix_font_path [fedora-all] [CRITICAL]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple suppor
References:
- http://packetstormsecurity.com/files/133823/Pygments-FontManager._get_nix_font_path-Shell-Injection.html
- http://seclists.org/fulldisclosure/2015/Oct/4
- http://www.debian.org/security/2016/dsa-3445
- http://www.openwall.com/lists/oss-security/2015/12/14/17
- http://www.openwall.com/lists/oss-security/2015/12/14/6
- http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
- http://www.ubuntu.com/usn/USN-2862-1
- https://bitbucket.org/birkenfeld/pygments-main/pull-requests/501/fix-shell-injection-in/diff
- https://security.gentoo.org/glsa/201612-05