Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package python-babel. Version 2.8.0+dfsg.1-7 fixes CVE-2021-20095. See details: https://bugs.debian.org/987824. Debdiff attached. Please unblock python-babel/2.8.0+dfsg.1-7. Cheers, Thomas Goirand (zigo)
diff -Nru python-babel-2.8.0+dfsg.1/debian/changelog python-babel-2.8.0+dfsg.1/debian/changelog
--- python-babel-2.8.0+dfsg.1/debian/changelog 2021-01-21 13:21:26.000000000 +0100
+++ python-babel-2.8.0+dfsg.1/debian/changelog 2021-05-01 17:13:14.000000000 +0200
@@ -1,3 +1,12 @@
+python-babel (2.8.0+dfsg.1-7) unstable; urgency=medium
+
+ * CVE-2021-20095: Relative Path Traversal in Babel 2.9.0 allows an attacker
+ to load arbitrary locale files on disk and execute arbitrary code. Applied
+ upstream patch: Run locale identifiers through `os.path.basename()`.
+ (Closes: #987824).
+
+ -- Thomas Goirand <z...@debian.org> Sat, 01 May 2021 17:13:14 +0200
+
 python-babel (2.8.0+dfsg.1-6) unstable; urgency=medium
 * Fix doctest deprecation
diff -Nru python-babel-2.8.0+dfsg.1/debian/control python-babel-2.8.0+dfsg.1/debian/control
--- python-babel-2.8.0+dfsg.1/debian/control 2021-01-21 13:21:26.000000000 +0100
+++ python-babel-2.8.0+dfsg.1/debian/control 2021-05-01 17:13:14.000000000 +0200
@@ -5,7 +5,7 @@
 Uploaders: Christoph Haas <h...@debian.org>,
 Thomas Goirand <z...@debian.org>,
- Nilesh Patra <npatra...@gmail.com>
+ Nilesh Patra <nil...@debian.org>
 Build-Depends: debhelper-compat (= 13),
 dh-python,
diff -Nru python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
--- python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch 2021-05-01 17:13:14.000000000 +0200
@@ -0,0 +1,76 @@
+Description: CVE-2021-20095: Run locale identifiers through `os.path.basename()`
+Author: Aarni Koskela <a...@iki.fi>
+Date: Wed, 28 Apr 2021 10:33:40 +0300
+Bug-Debian: https://bugs.debian.org/987824
+Origin: https://github.com/python-babel/babel/commit/3a700b5b8b53606fd98ef8294a56f9510f7290f8.patch
+Last-Update: 2021-05-01
+
+diff --git a/babel/localedata.py b/babel/localedata.py
+index f4771d1f..11085490 100644
+--- a/babel/localedata.py
++++ b/babel/localedata.py
+@@ -47,6 +47,7 @@ def exists(name):
+ """
+ if not name or not isinstance(name, string_types):
+ return False
++ name = os.path.basename(name)
+ if name in _cache:
+ return True
+ file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
+@@ -102,6 +103,7 @@ def load(name, merge_inherited=True):
+ :raise `IOError`: if no locale data file is found for the given locale
+ identifer, or one of the locales it inherits from
+ """
++ name = os.path.basename(name)
+ _cache_lock.acquire()
+ try:
+ data = _cache.get(name)
+diff --git a/tests/test_localedata.py b/tests/test_localedata.py
+index 83cd6699..9cb4282e 100644
+--- a/tests/test_localedata.py
++++ b/tests/test_localedata.py
+@@ -11,11 +11,17 @@
+ # individuals. For the exact contribution history, see the revision
+ # history and logs, available at http://babel.edgewall.org/log/.
+
++import os
++import pickle
++import sys
++import tempfile
+ import unittest
+ import random
+ from operator import methodcaller
+
+-from babel import localedata
++import pytest
++
++from babel import localedata, Locale, UnknownLocaleError
+
+
+ class MergeResolveTestCase(unittest.TestCase):
+@@ -131,3 +137,25 @@ def listdir_spy(*args):
+ localedata.locale_identifiers.cache = None
+ assert localedata.locale_identifiers()
+ assert len(listdir_calls) == 2
++
++
++def test_locale_name_cleanup():
++ """
++ Test that locale identifiers are cleaned up to avoid directory traversal.
++ """
++ no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999))
++ with open(no_exist_name, "wb") as f:
++ pickle.dump({}, f)
++
++ try:
++ name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0]
++ except ValueError:
++ if sys.platform == "win32":
++ pytest.skip("unable to form relpath")
++ raise
++
++ assert not localedata.exists(name)
++ with pytest.raises(IOError):
++ localedata.load(name)
++ with pytest.raises(UnknownLocaleError):
++ Locale(name)
diff -Nru python-babel-2.8.0+dfsg.1/debian/patches/series python-babel-2.8.0+dfsg.1/debian/patches/series
--- python-babel-2.8.0+dfsg.1/debian/patches/series 2021-01-21 13:21:26.000000000 +0100
+++ python-babel-2.8.0+dfsg.1/debian/patches/series 2021-05-01 17:13:14.000000000 +0200
@@ -4,3 +4,4 @@
 0004-Fix-utils-test.patch
 0005-fix-methods-changes-wrt-py3.9.patch
 0006-remove-doctest-deprecation.patch
+CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
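Review bot: The `os.path.basename()` calls added to `exists()` and `load()` in babel/localedata.py sanitize instead of validate: an identifier containing path separators is silently reduced to its last component and then looked up as a normal locale (the `_cache.get(name)` lookup in `load()` uses the shortened key), so a malformed or traversal-style name is accepted rather than rejected and the caller never learns its input was bad. A stricter form that keeps the documented contract honest is to reject such input before the path join, e.g. in `exists()` `if name != os.path.basename(name): return False` and in `load()` `if not name or name != os.path.basename(name): raise IOError('invalid locale identifier')`, which should be the same for legitimate callers but is worth checking against how `Locale(name)` reaches `load()`. The `load()` docstring in the hunk still documents only the `IOError` for a missing data file and should state that the identifier is reduced to its basename (or rejected) before lookup. The added `test_locale_name_cleanup` writes a pickle into `tempfile.gettempdir()` and never removes it; wrapping the assertions in a `try/finally` that calls `os.unlink(no_exist_name)` keeps the temp dir clean across runs. Both `exists()` and `load()` begin and end outside their hunks.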