2 files changed, 126 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch
new file mode 100644
index 0000000000..9848072a94
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch
@@ -0,0 +1,124 @@
+From ed61747f328ff6aa343881b269600308ab8eac93 Mon Sep 17 00:00:00 2001
+From: Narpat Mali <narpat.mali@windriver.com>
+Date: Wed, 6 Sep 2023 10:32:38 +0000
+Subject: [PATCH] Improve the Smithy metadata matcher.
+Previously, metadata foo bar baz = 23 was accepted, but according to
+the definition https://smithy.io/2.0/spec/idl.html#grammar-token-smithy-MetadataSection
+it should be "metadata"<whitespace>Identifier/String<optional whitespace>.
+CVE: CVE-2022-40896
+Upstream-Status: Backport [https://github.com/pygments/pygments/commit/dd52102c38ebe78cd57748e09f38929fd283ad04]
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ pygments/lexers/smithy.py                    |  5 +-
+ tests/examplefiles/smithy/test.smithy        | 12 +++++
+ tests/examplefiles/smithy/test.smithy.output | 52 ++++++++++++++++++++
+ 3 files changed, 67 insertions(+), 2 deletions(-)
+diff --git a/pygments/lexers/smithy.py b/pygments/lexers/smithy.py
+index 0f0a912..c5e25cd 100644
+--- a/pygments/lexers/smithy.py
+++ b/pygments/lexers/smithy.py
+@@ -58,8 +58,9 @@ class SmithyLexer(RegexLexer):
+             (words(aggregate_shapes,
+                    prefix=r'^', suffix=r'(\s+' + identifier + r')'),
+                 bygroups(Keyword.Declaration, Name.Class)),
+-            (r'^(metadata)(\s+.+)(\s*)(=)',
+-                bygroups(Keyword.Declaration, Name.Class, Whitespace, Name.Decorator)),
+            (r'^(metadata)(\s+)((?:\S+)|(?:\"[^"]+\"))(\s*)(=)',
+                bygroups(Keyword.Declaration, Whitespace, Name.Class,
+                         Whitespace, Name.Decorator)),
+             (r"(true|false|null)", Keyword.Constant),
+             (r"(-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?)", Number),
+             (identifier + ":", Name.Label),
+diff --git a/tests/examplefiles/smithy/test.smithy b/tests/examplefiles/smithy/test.smithy
+index 3d20f06..9317fee 100644
+--- a/tests/examplefiles/smithy/test.smithy
+++ b/tests/examplefiles/smithy/test.smithy
+@@ -2,6 +2,18 @@ $version: "1.0"
+ namespace test
+metadata "foo" = ["bar", "baz"]
+metadata validators = [
+    {
+        name: "ValidatorName"
+        id: "ValidatorId"
+        message: "Some string"
+        configuration: {
+            selector: "operation"
+        }
+    }
+]
+
+ /// Define how an HTTP request is serialized given a specific protocol,
+ /// authentication scheme, and set of input parameters.
+ @trait(selector: "operation")
+diff --git a/tests/examplefiles/smithy/test.smithy.output b/tests/examplefiles/smithy/test.smithy.output
+index 1f22489..db44a38 100644
+--- a/tests/examplefiles/smithy/test.smithy.output
+++ b/tests/examplefiles/smithy/test.smithy.output
+@@ -7,6 +7,58 @@
+ ' test'       Name.Class
+ '\n\n'        Text.Whitespace
+'metadata'    Keyword.Declaration
+' '           Text.Whitespace
+'"foo"'       Name.Class
+' '           Text.Whitespace
+'='           Name.Decorator
+' '           Text.Whitespace
+'['           Text
+'"bar"'       Literal.String.Double
+','           Punctuation
+' '           Text.Whitespace
+'"baz"'       Literal.String.Double
+']'           Text
+'\n'          Text.Whitespace
+
+'metadata'    Keyword.Declaration
+' '           Text.Whitespace
+'validators'  Name.Class
+' '           Text.Whitespace
+'='           Name.Decorator
+' '           Text.Whitespace
+'['           Text
+'\n    '      Text.Whitespace
+'{'           Text
+'\n        '  Text.Whitespace
+'name:'       Name.Label
+' '           Text.Whitespace
+'"ValidatorName"' Literal.String.Double
+'\n        '  Text.Whitespace
+'id:'         Name.Label
+' '           Text.Whitespace
+'"ValidatorId"' Literal.String.Double
+'\n        '  Text.Whitespace
+'message:'    Name.Label
+' '           Text.Whitespace
+'"Some string"' Literal.String.Double
+'\n        '  Text.Whitespace
+'configuration:' Name.Label
+' '           Text.Whitespace
+'{'           Text
+'\n            ' Text.Whitespace
+'selector:'   Name.Label
+' '           Text.Whitespace
+'"operation"' Literal.String.Double
+'\n        '  Text.Whitespace
+'}'           Text
+'\n    '      Text.Whitespace
+'}'           Text
+'\n'          Text.Whitespace
+
+']'           Text
+'\n\n'        Text.Whitespace
+
+ '/// Define how an HTTP request is serialized given a specific protocol,' Comment.Multiline
+ '\n'          Text.Whitespace
+--
+2.40.0
diff --git a/meta/recipes-devtools/python/python3-pygments_2.11.2.bb b/meta/recipes-devtools/python/python3-pygments_2.11.2.bb
index 35d288c89e..6e787f23d2 100644
--- a/meta/recipes-devtools/python/python3-pygments_2.11.2.bb
+++ b/meta/recipes-devtools/python/python3-pygments_2.11.2.bb
@@ -7,6 +7,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=98419e351433ac106a24e3ad435930bc"
 inherit setuptools3
 SRC_URI[sha256sum] = "4e426f72023d88d03b2fa258de560726ce890ff3b630f88c21cbb8b2503b8c6a"
+SRC_URI += "file://CVE-2022-40896.patch"
 DEPENDS += "\
            ${PYTHON_PN} \
            "

diff --git a/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch new file mode 100644 index 0000000000..9848072a94 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch
@@ -0,0 +1,124 @@
		1	From ed61747f328ff6aa343881b269600308ab8eac93 Mon Sep 17 00:00:00 2001
		2	From: Narpat Mali <narpat.mali@windriver.com>
		3	Date: Wed, 6 Sep 2023 10:32:38 +0000
		4	Subject: [PATCH] Improve the Smithy metadata matcher.
		5
		6	Previously, metadata foo bar baz = 23 was accepted, but according to
		7	the definition https://smithy.io/2.0/spec/idl.html#grammar-token-smithy-MetadataSection
		8	it should be "metadata"<whitespace>Identifier/String<optional whitespace>.
		9
		10	CVE: CVE-2022-40896
		11
		12	Upstream-Status: Backport [https://github.com/pygments/pygments/commit/dd52102c38ebe78cd57748e09f38929fd283ad04]
		13
		14	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
		15	---
		16	pygments/lexers/smithy.py \| 5 +-
		17	tests/examplefiles/smithy/test.smithy \| 12 +++++
		18	tests/examplefiles/smithy/test.smithy.output \| 52 ++++++++++++++++++++
		19	3 files changed, 67 insertions(+), 2 deletions(-)
		20
		21	diff --git a/pygments/lexers/smithy.py b/pygments/lexers/smithy.py
		22	index 0f0a912..c5e25cd 100644
		23	--- a/pygments/lexers/smithy.py
		24	+++ b/pygments/lexers/smithy.py
		25	@@ -58,8 +58,9 @@ class SmithyLexer(RegexLexer):
		26	(words(aggregate_shapes,
		27	prefix=r'^', suffix=r'(\s+' + identifier + r')'),
		28	bygroups(Keyword.Declaration, Name.Class)),
		29	- (r'^(metadata)(\s+.+)(\s*)(=)',
		30	- bygroups(Keyword.Declaration, Name.Class, Whitespace, Name.Decorator)),
		31	+ (r'^(metadata)(\s+)((?:\S+)\|(?:\"[^"]+\"))(\s*)(=)',
		32	+ bygroups(Keyword.Declaration, Whitespace, Name.Class,
		33	+ Whitespace, Name.Decorator)),
		34	(r"(true\|false\|null)", Keyword.Constant),
		35	(r"(-?(?:0\|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?)", Number),
		36	(identifier + ":", Name.Label),
		37	diff --git a/tests/examplefiles/smithy/test.smithy b/tests/examplefiles/smithy/test.smithy
		38	index 3d20f06..9317fee 100644
		39	--- a/tests/examplefiles/smithy/test.smithy
		40	+++ b/tests/examplefiles/smithy/test.smithy
		41	@@ -2,6 +2,18 @@ $version: "1.0"
		42
		43	namespace test
		44
		45	+metadata "foo" = ["bar", "baz"]
		46	+metadata validators = [
		47	+ {
		48	+ name: "ValidatorName"
		49	+ id: "ValidatorId"
		50	+ message: "Some string"
		51	+ configuration: {
		52	+ selector: "operation"
		53	+ }
		54	+ }
		55	+]
		56	+
		57	/// Define how an HTTP request is serialized given a specific protocol,
		58	/// authentication scheme, and set of input parameters.
		59	@trait(selector: "operation")
		60	diff --git a/tests/examplefiles/smithy/test.smithy.output b/tests/examplefiles/smithy/test.smithy.output
		61	index 1f22489..db44a38 100644
		62	--- a/tests/examplefiles/smithy/test.smithy.output
		63	+++ b/tests/examplefiles/smithy/test.smithy.output
		64	@@ -7,6 +7,58 @@
		65	' test' Name.Class
		66	'\n\n' Text.Whitespace
		67
		68	+'metadata' Keyword.Declaration
		69	+' ' Text.Whitespace
		70	+'"foo"' Name.Class
		71	+' ' Text.Whitespace
		72	+'=' Name.Decorator
		73	+' ' Text.Whitespace
		74	+'[' Text
		75	+'"bar"' Literal.String.Double
		76	+',' Punctuation
		77	+' ' Text.Whitespace
		78	+'"baz"' Literal.String.Double
		79	+']' Text
		80	+'\n' Text.Whitespace
		81	+
		82	+'metadata' Keyword.Declaration
		83	+' ' Text.Whitespace
		84	+'validators' Name.Class
		85	+' ' Text.Whitespace
		86	+'=' Name.Decorator
		87	+' ' Text.Whitespace
		88	+'[' Text
		89	+'\n ' Text.Whitespace
		90	+'{' Text
		91	+'\n ' Text.Whitespace
		92	+'name:' Name.Label
		93	+' ' Text.Whitespace
		94	+'"ValidatorName"' Literal.String.Double
		95	+'\n ' Text.Whitespace
		96	+'id:' Name.Label
		97	+' ' Text.Whitespace
		98	+'"ValidatorId"' Literal.String.Double
		99	+'\n ' Text.Whitespace
		100	+'message:' Name.Label
		101	+' ' Text.Whitespace
		102	+'"Some string"' Literal.String.Double
		103	+'\n ' Text.Whitespace
		104	+'configuration:' Name.Label
		105	+' ' Text.Whitespace
		106	+'{' Text
		107	+'\n ' Text.Whitespace
		108	+'selector:' Name.Label
		109	+' ' Text.Whitespace
		110	+'"operation"' Literal.String.Double
		111	+'\n ' Text.Whitespace
		112	+'}' Text
		113	+'\n ' Text.Whitespace
		114	+'}' Text
		115	+'\n' Text.Whitespace
		116	+
		117	+']' Text
		118	+'\n\n' Text.Whitespace
		119	+
		120	'/// Define how an HTTP request is serialized given a specific protocol,' Comment.Multiline
		121	'\n' Text.Whitespace
		122
		123	--
		124	2.40.0


diff --git a/meta/recipes-devtools/python/python3-pygments_2.11.2.bb b/meta/recipes-devtools/python/python3-pygments_2.11.2.bb index 35d288c89e..6e787f23d2 100644 --- a/meta/recipes-devtools/python/python3-pygments_2.11.2.bb +++ b/meta/recipes-devtools/python/python3-pygments_2.11.2.bb
@@ -7,6 +7,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=98419e351433ac106a24e3ad435930bc"
7	inherit setuptools3	7	inherit setuptools3
8	SRC_URI[sha256sum] = "4e426f72023d88d03b2fa258de560726ce890ff3b630f88c21cbb8b2503b8c6a"	8	SRC_URI[sha256sum] = "4e426f72023d88d03b2fa258de560726ce890ff3b630f88c21cbb8b2503b8c6a"
9		9
		10	SRC_URI += "file://CVE-2022-40896.patch"
		11
10	DEPENDS += "\	12	DEPENDS += "\
11	${PYTHON_PN} \	13	${PYTHON_PN} \
12	"	14	"