{"id":"MGASA-2015-0456","summary":"Updated python-pygments packages fix security vulnerability","details":"An unsafe use of string concatenation in a shell string occurs in\nFontManager. If the developer allows the attacker to choose the font and\noutputs an image, the attacker can execute any shell command on the remote\nsystem. The name variable injected comes from the constructor of\nFontManager, which is invoked by ImageFormatter from options\n(rhbz#1276321).\n","modified":"2026-04-16T04:28:35.644450Z","published":"2015-11-26T20:47:39Z","references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2015-0456.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=17165"},{"type":"WEB","url":"https://lists.fedoraproject.org/pipermail/package-announce/2015-November/171882.html"}],"affected":[{"package":{"name":"python-pygments","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/python-pygments?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6-8.1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0456.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}