
[20.09] python3Packages.pygments: add patch for CVE-2021-27291 #117810

Merged


@risicle (Contributor) commented Mar 27, 2021

Motivation for this change

https://nvd.nist.gov/vuln/detail/CVE-2021-27291

I'm quite confident in patching this:

  • the changes are entirely changes to regexes, in files which have largely been untouched in 4 years and likely have a fairly stable internal interface.
  • I've built it successfully with the tests enabled on Linux x86_64 and macOS 10.14 (I'll do another PR with some hackery to allow us to enable the pygments tests permanently)
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@mweinelt (Member) commented Mar 27, 2021

We should probably add knownVulnerabilities to python2Packages.pygments (pkgs/development/python-modules/pygments/2_5.nix).

Everything else lgtm.

@risicle (Contributor, Author) commented Mar 27, 2021

Hold on, I got so caught up in the whole pytest cycle thing that I completely forgot about 2.5.x. Sure enough, the patch works fine there too and the tests pass. Will push another commit.

@mweinelt (Member) commented

Except python2Packages.pygments would need to go to master first and then be cherry-picked from there. Meh.

@risicle (Contributor, Author) commented Mar 27, 2021

Ah yes I'll yank it from here and do that.

@risicle (Contributor, Author) commented Mar 27, 2021

Sigh. And this looks staging-bound too.

@risicle risicle force-pushed the ris-pygments-CVE-2021-27291-r20.09 branch from ae81faa to a5ed349 Compare March 27, 2021 17:58
@risicle risicle changed the base branch from release-20.09 to staging-20.09 March 27, 2021 17:58
@r-rmcgibbo commented Mar 27, 2021

Result of nixpkgs-review pr 117810 at a5ed349 run on x86_64-linux

563 packages marked as broken and skipped:
18673 packages skipped due to time constraints:
105 packages built successfully:
3 suggestions:
  • warning: maintainers-missing

    Package does not have a maintainer. Consider adding yourself?

    Near pkgs/development/python-modules/Pygments/default.nix:35:5:

       |
    35 |     maintainers = with lib.maintainers; [ ];
       |     ^
    
  • warning: missing-patch-comment

    Please add a comment on the line above, explaining the purpose of this patch.
    Near pkgs/development/python-modules/Pygments/default.nix:18:5:

       |
    18 |     (fetchpatch {
       |     ^
    
  • warning: python-include-tests

    Consider adding a checkPhase for tests, or if not feasible, pythonImportsCheck.

    Near pkgs/development/python-modules/Pygments/default.nix:33:0:

       |
    33 |     description = "A generic syntax highlighter";
       | ^
    

Result of nixpkgs-review pr 117810 at a5ed349 run on aarch64-linux

674 packages marked as broken and skipped:
16924 packages skipped due to time constraints:
86 packages built successfully:

@jonringer (Contributor) commented

If the 2.5 bump doesn't have breaking changes, I would much rather just take that.

@risicle (Contributor, Author) commented Mar 27, 2021

Between 2.6.1 and 2.7.4 there are a lot of "updated lexers"; it's hard to know what lies behind all of those.

There is a

> Deprecated JsonBareObjectLexer ...

in there.

@mweinelt (Member) commented

> if the 2.5 bump doesn't have breaking changes, I would much rather just take that.

Not sure what the "2.5 bump" means. We have 2.5 as the last version with python2 support. We either backport that patch or mark it as vulnerable IMO.
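The two options named in this thread, backporting the upstream fix with fetchpatch (with the explanatory comment nixpkgs-review asked for) and, failing that, flagging the python2-only 2.5 build with knownVulnerabilities so it cannot be built silently, written out as an added example. This is not the PR's own default.nix or 2_5.nix; the patch URL, all hashes (lib.fakeSha256) and the exact 2.5.x version are placeholders or assumptions.

```nix
# Added example, not the PR's files: the two nixpkgs idioms discussed above,
# combined into one expression for readability. URL and hashes are placeholders.
{ lib, buildPythonPackage, fetchPypi, fetchpatch }:

let
  cvePatch = fetchpatch {
    # Fixes CVE-2021-27291: catastrophic backtracking in several lexer regexes
    # (the upstream 2.7.4 fix). A comment like this one is what nixpkgs-review's
    # "missing-patch-comment" warning asks for.
    name = "pygments-CVE-2021-27291.patch";
    url = "https://example.invalid/pygments-CVE-2021-27291.patch"; # placeholder
    sha256 = lib.fakeSha256; # placeholder; nix reports the real hash on first build
  };
in
{
  # default.nix-style python3 build: patch the 20.09 release in place
  # (the thread states 20.09 ships 2.6.1).
  pygments = buildPythonPackage rec {
    pname = "Pygments";
    version = "2.6.1";
    src = fetchPypi {
      inherit pname version;
      sha256 = lib.fakeSha256; # placeholder
    };
    patches = [ cvePatch ];
    meta = with lib; {
      description = "A generic syntax highlighter";
      maintainers = with maintainers; [ ];
    };
  };

  # 2_5.nix-style build: last release with python2 support. If the fix is
  # NOT backported here, declare the CVE so evaluation aborts unless the user
  # explicitly opts in (permittedInsecurePackages or NIXPKGS_ALLOW_INSECURE=1).
  pygments_2_5 = buildPythonPackage rec {
    pname = "Pygments";
    version = "2.5.2"; # assumption: whichever 2.5.x 2_5.nix pins
    src = fetchPypi {
      inherit pname version;
      sha256 = lib.fakeSha256; # placeholder
    };
    meta = with lib; {
      description = "A generic syntax highlighter";
      knownVulnerabilities = [ "CVE-2021-27291" ];
    };
  };
}
```

Once the backport lands in 2_5.nix via master, the knownVulnerabilities entry is removed and `patches = [ cvePatch ];` added there as well.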

@jonringer (Contributor) commented

Sorry, I meant a non-breaking bump. I'm also okay with a patch.

@jonringer jonringer added this to In progress in 20.09-Staging via automation Mar 28, 2021
@jonringer jonringer merged commit 4d12ddf into NixOS:staging-20.09 Mar 28, 2021
20.09-Staging automation moved this from In progress to Done Mar 28, 2021