Control: tags -1 moreinfo confirmed On 2021-05-01 17:25:45 +0200, Thomas Goirand wrote: > Package: release.debian.org > Severity: normal > User: release.debian....@packages.debian.org > Usertags: unblock > > Please unblock package python-babel > > Version 2.8.0+dfsg.1-7 fixes CVE-2021-20095. See details: > https://bugs.debian.org/987824 > > Debdiff attached. > > Please unblock python-babel/2.8.0+dfsg.1-7
Please remove the moreinfo tag once the version is available in unstable. Cheers > > Cheers, > > Thomas Goirand (zigo) > diff -Nru python-babel-2.8.0+dfsg.1/debian/changelog > python-babel-2.8.0+dfsg.1/debian/changelog > --- python-babel-2.8.0+dfsg.1/debian/changelog 2021-01-21 > 13:21:26.000000000 +0100 > +++ python-babel-2.8.0+dfsg.1/debian/changelog 2021-05-01 > 17:13:14.000000000 +0200 > @@ -1,3 +1,12 @@ > +python-babel (2.8.0+dfsg.1-7) unstable; urgency=medium > + > + * CVE-2021-20095: Relative Path Traversal in Babel 2.9.0 allows an attacker > + to load arbitrary locale files on disk and execute arbitrary code. > Applied > + upstream patch: Run locale identifiers through `os.path.basename()`. > + (Closes: #987824). > + > + -- Thomas Goirand <z...@debian.org> Sat, 01 May 2021 17:13:14 +0200 > + > python-babel (2.8.0+dfsg.1-6) unstable; urgency=medium > > * Fix doctest deprecation > diff -Nru python-babel-2.8.0+dfsg.1/debian/control > python-babel-2.8.0+dfsg.1/debian/control > --- python-babel-2.8.0+dfsg.1/debian/control 2021-01-21 13:21:26.000000000 > +0100 > +++ python-babel-2.8.0+dfsg.1/debian/control 2021-05-01 17:13:14.000000000 > +0200 > @@ -5,7 +5,7 @@ > Uploaders: > Christoph Haas <h...@debian.org>, > Thomas Goirand <z...@debian.org>, > - Nilesh Patra <npatra...@gmail.com> > + Nilesh Patra <nil...@debian.org> > Build-Depends: > debhelper-compat (= 13), > dh-python, > diff -Nru > python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch > > python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch > --- > python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ > python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch > 2021-05-01 17:13:14.000000000 +0200 
> @@ -0,0 +1,76 @@ > +Description: CVE-2021-20095: Run locale identifiers through > `os.path.basename()` > +Author: Aarni Koskela <a...@iki.fi> > +Date: Wed, 28 Apr 2021 10:33:40 +0300 > +Bug-Debian: https://bugs.debian.org/987824 > +Origin: > https://github.com/python-babel/babel/commit/3a700b5b8b53606fd98ef8294a56f9510f7290f8.patch > +Last-Update: 2021-05-01 > + > +diff --git a/babel/localedata.py b/babel/localedata.py > +index f4771d1f..11085490 100644 > +--- a/babel/localedata.py > ++++ b/babel/localedata.py > +@@ -47,6 +47,7 @@ def exists(name): > + """ > + if not name or not isinstance(name, string_types): > + return False > ++ name = os.path.basename(name) > + if name in _cache: > + return True > + file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name)) > +@@ -102,6 +103,7 @@ def load(name, merge_inherited=True): > + :raise `IOError`: if no locale data file is found for the given locale > + identifer, or one of the locales it inherits from > + """ > ++ name = os.path.basename(name) > + _cache_lock.acquire() > + try: > + data = _cache.get(name) > +diff --git a/tests/test_localedata.py b/tests/test_localedata.py > +index 83cd6699..9cb4282e 100644 > +--- a/tests/test_localedata.py > ++++ b/tests/test_localedata.py > +@@ -11,11 +11,17 @@ > + # individuals. For the exact contribution history, see the revision > + # history and logs, available at http://babel.edgewall.org/log/. 
> + > ++import os > ++import pickle > ++import sys > ++import tempfile > + import unittest > + import random > + from operator import methodcaller > + > +-from babel import localedata > ++import pytest > ++ > ++from babel import localedata, Locale, UnknownLocaleError > + > + > + class MergeResolveTestCase(unittest.TestCase): > +@@ -131,3 +137,25 @@ def listdir_spy(*args): > + localedata.locale_identifiers.cache = None > + assert localedata.locale_identifiers() > + assert len(listdir_calls) == 2 > ++ > ++ > ++def test_locale_name_cleanup(): > ++ """ > ++ Test that locale identifiers are cleaned up to avoid directory > traversal. > ++ """ > ++ no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % > random.randint(1, 99999)) > ++ with open(no_exist_name, "wb") as f: > ++ pickle.dump({}, f) > ++ > ++ try: > ++ name = os.path.splitext(os.path.relpath(no_exist_name, > localedata._dirname))[0] > ++ except ValueError: > ++ if sys.platform == "win32": > ++ pytest.skip("unable to form relpath") > ++ raise > ++ > ++ assert not localedata.exists(name) > ++ with pytest.raises(IOError): > ++ localedata.load(name) > ++ with pytest.raises(UnknownLocaleError): > ++ Locale(name) > diff -Nru python-babel-2.8.0+dfsg.1/debian/patches/series > python-babel-2.8.0+dfsg.1/debian/patches/series > --- python-babel-2.8.0+dfsg.1/debian/patches/series 2021-01-21 > 13:21:26.000000000 +0100 > +++ python-babel-2.8.0+dfsg.1/debian/patches/series 2021-05-01 > 17:13:14.000000000 +0200 > @@ -4,3 +4,4 @@ > 0004-Fix-utils-test.patch > 0005-fix-methods-changes-wrt-py3.9.patch > 0006-remove-doctest-deprecation.patch > +CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch -- Sebastian Ramacher
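Review bot: `name = os.path.basename(name)` in `exists()` and `load()` normalises a path-like identifier instead of rejecting it, so `exists('x/en')` and `load('x/en')` now silently answer for `en` and a traversal attempt becomes indistinguishable from an ordinary lookup; failing closed is easier to reason about and to log, e.g. `if name != os.path.basename(name): raise IOError('invalid locale identifier: %r' % name)` in `load()` and the matching `return False` in `exists()`. Whichever form is kept, the added line deserves a why-comment such as `# CVE-2021-20095: the identifier becomes part of a filesystem path; it must never resolve outside _dirname`, since nothing else in the function says why a locale name is run through a path helper. Separately, `test_locale_name_cleanup` writes `no_exist_name` into the system temp directory and never removes it; wrap the assertions in `try: ... finally: os.unlink(no_exist_name)` or create the file with `tempfile.NamedTemporaryFile(suffix='.dat', delete=False)`. The bodies of `exists()` and `load()` start before and continue past the quoted context lines.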