Fix for code-injection vulnerability (CVE-2015-8557) from upstream.

From Rin Okuyama in PR 50661.

textproc/py-pygments/Makefile

@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.20 2015/05/22 08:18:01 adam Exp $
+# $NetBSD: Makefile,v 1.21 2016/01/17 14:22:11 wiz Exp $
 
 DISTNAME=	Pygments-2.0.2
+PKGREVISION=	1
 PKGNAME=	${PYPKGPREFIX}-${DISTNAME:tl}
 CATEGORIES=	textproc python
 MASTER_SITES=	http://pypi.python.org/packages/source/P/Pygments/
@@ -10,17 +11,14 @@ HOMEPAGE=	http://pygments.org/
 COMMENT=	Python syntax highlighter
 LICENSE=	2-clause-bsd
 
+# test dependencies
+BUILD_DEPENDS+=	${PYPKGPREFIX}-nose-[0-9]*:../../devel/py-nose
+BUILD_DEPENDS+=	${PYPKGPREFIX}-sphinx-[0-9]*:../../textproc/py-sphinx
+
 USE_LANGUAGES=		# none
 PLIST_SUBST+=		PYVERSSUFFIX=${PYVERSSUFFIX}
 FILES_SUBST+=		PYVERSSUFFIX=${PYVERSSUFFIX}
 
-.include "../../mk/bsd.prefs.mk"
-
-.if !empty(PKGSRC_RUN_TEST:M[yY][eE][sS])
-BUILD_DEPENDS+=	${PYPKGPREFIX}-nose-[0-9]*:../../devel/py-nose
-TEST_TARGET=	test
-.endif
-
 post-install:
 	${MV} ${DESTDIR}${PREFIX}/bin/pygmentize ${DESTDIR}${PREFIX}/bin/pygmentize${PYVERSSUFFIX}
 

textproc/py-pygments/distinfo

@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.12 2015/11/04 02:00:04 agc Exp $
+$NetBSD: distinfo,v 1.13 2016/01/17 14:22:11 wiz Exp $
 
 SHA1 (Pygments-2.0.2.tar.gz) = fe2c8178a039b6820a7a86b2132a2626df99c7f8
 RMD160 (Pygments-2.0.2.tar.gz) = 196e926dc40ffc34a68783882cbe3f0f0aa8f6d8
 SHA512 (Pygments-2.0.2.tar.gz) = b58e2cc535ba3f1fda7cb147e12af128bc2755de56cf465f8f1d642730eaef50c06551cc4cc44f25f726b00f3f1c9c2078977233b11c0b6a7e1add6a4069c27e
 Size (Pygments-2.0.2.tar.gz) = 3462280 bytes
+SHA1 (patch-img.py) = 420a59570c628a3056e585b932b30ac1dbde23a1

textproc/py-pygments/patches/patch-img.py

@@ -0,0 +1,63 @@
+$NetBSD: patch-img.py,v 1.1 2016/01/17 14:22:11 wiz Exp $
+
+Fix for code-injection vulnerability (CVE-2015-8557) from upstream.
+
+The following patch includes changes made by commits 6b4baae, 0036ab1,
+3982887, and 91624f2. Avoid the shell entirely when finding fonts, and
+misc bug fixes.
+
+See more details:
+https://bitbucket.org/birkenfeld/pygments-main/history-node/e0bf451e64fd/pygments/formatters/img.py
+
+--- pygments/formatters/img.py.orig	2016-01-17 02:49:19.000000000 +0900
++++ pygments/formatters/img.py	2016-01-17 02:49:23.000000000 +0900
+@@ -5,7 +5,7 @@
+ 
+     Formatter for Pixmap output.
+ 
+-    :copyright: Copyright 2006-2014 by the Pygments team, see AUTHORS.
++    :copyright: Copyright 2006-2015 by the Pygments team, see AUTHORS.
+     :license: BSD, see LICENSE for details.
+ """
+ 
+@@ -15,6 +15,8 @@
+ from pygments.util import get_bool_opt, get_int_opt, get_list_opt, \
+     get_choice_opt, xrange
+ 
++import subprocess
++
+ # Import this carefully
+ try:
+     from PIL import Image, ImageDraw, ImageFont
+@@ -75,16 +77,13 @@
+             self._create_nix()
+ 
+     def _get_nix_font_path(self, name, style):
+-        try:
+-            from commands import getstatusoutput
+-        except ImportError:
+-            from subprocess import getstatusoutput
+-        exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
+-                                    (name, style))
+-        if not exit:
+-            lines = out.splitlines()
++        proc = subprocess.Popen(['fc-list', "%s:style=%s" % (name, style), 'file'],
++                                stdout=subprocess.PIPE, stderr=None)
++        stdout, _ = proc.communicate()
++        if proc.returncode == 0:
++            lines = stdout.splitlines()
+             if lines:
+-                path = lines[0].strip().strip(':')
++                path = lines[0].decode().strip().strip(':')
+                 return path
+ 
+     def _create_nix(self):
+@@ -197,7 +196,7 @@
+         bold and italic fonts will be generated.  This really should be a
+         monospace font to look sane.
+ 
+-        Default: "Bitstream Vera Sans Mono"
++        Default: "Bitstream Vera Sans Mono" on Windows, Courier New on \*nix
+ 
+     `font_size`
+         The font size in points to be used.