From 85b5f86a21f60b0e460ad48f14ca3cccfe61d9d5 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 06 2021 00:48:34 +0000
Subject: import babel-2.5.1-7.el8
---
diff --git a/SOURCES/CVE-2021-20095.patch b/SOURCES/CVE-2021-20095.patch
new file mode 100644
index 0000000..8b4c079
--- /dev/null
+++ b/SOURCES/CVE-2021-20095.patch
@@ -0,0 +1,128 @@
+diff --git a/babel/localedata.py b/babel/localedata.py
+index 4b6d3b6..080b723 100644
+--- a/babel/localedata.py
++++ b/babel/localedata.py
+@@ -13,6 +13,8 @@
+ """
+ 
+ import os
++import re
++import sys
+ import threading
+ from collections import MutableMapping
+ from itertools import chain
+@@ -33,6 +35,7 @@ def get_base_dir():
+ _cache = {}
+ _cache_lock = threading.RLock()
+ _dirname = os.path.join(get_base_dir(), 'locale-data')
++_windows_reserved_name_re = re.compile("^(con|prn|aux|nul|com[0-9]|lpt[0-9])$", re.I)
+ 
+ 
+ def normalize_locale(name):
+@@ -49,6 +52,22 @@ def normalize_locale(name):
+ return locale_id
+ 
+ 
++def resolve_locale_filename(name):
++ """
++ Resolve a locale identifier to a `.dat` path on disk.
++ """
++
++ # Clean up any possible relative paths.
++ name = os.path.basename(name)
++
++ # Ensure we're not left with one of the Windows reserved names.
++ if sys.platform == "win32" and _windows_reserved_name_re.match(os.path.splitext(name)[0]):
++ raise ValueError("Name %s is invalid on Windows" % name)
++
++ # Build the path.
++ return os.path.join(_dirname, '%s.dat' % name)
++
++
+ def exists(name):
+ """Check whether locale data is available for the given locale.
+ 
+@@ -60,7 +79,7 @@ def exists(name):
+ return False
+ if name in _cache:
+ return True
+- file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
++ file_found = os.path.exists(resolve_locale_filename(name))
+ return True if file_found else bool(normalize_locale(name))
+ 
+ 
+@@ -102,6 +121,7 @@ def load(name, merge_inherited=True):
+ :raise `IOError`: if no locale data file is found for the given locale
+ identifer, or one of the locales it inherits from
+ """
++ name = os.path.basename(name)
+ _cache_lock.acquire()
+ try:
+ data = _cache.get(name)
+@@ -119,7 +139,7 @@ def load(name, merge_inherited=True):
+ else:
+ parent = '_'.join(parts[:-1])
+ data = load(parent).copy()
+- filename = os.path.join(_dirname, '%s.dat' % name)
++ filename = resolve_locale_filename(name)
+ with open(filename, 'rb') as fileobj:
+ if name != 'root' and merge_inherited:
+ merge(data, pickle.load(fileobj))
+diff --git a/tests/test_localedata.py b/tests/test_localedata.py
+index 3599b21..173e7a3 100644
+--- a/tests/test_localedata.py
++++ b/tests/test_localedata.py
+@@ -11,12 +11,18 @@
+ # individuals. For the exact contribution history, see the revision
+ # history and logs, available at http://babel.edgewall.org/log/.
+ 
++import os
++import pickle
++import sys
++import tempfile
+ import unittest
+ import random
+ from operator import methodcaller
+ import sys
+ 
+-from babel import localedata, numbers
++import pytest
++
++from babel import localedata, Locale, UnknownLocaleError, numbers
+ 
+ class MergeResolveTestCase(unittest.TestCase):
+ 
+@@ -117,3 +123,33 @@ def test_locale_argument_acceptance():
+ assert normalized_locale == None
+ locale_exist = localedata.exists(['en_us', None])
+ assert locale_exist == False
++
++def test_locale_name_cleanup():
++ """
++ Test that locale identifiers are cleaned up to avoid directory traversal.
++ """ ++ no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999)) ++ with open(no_exist_name, "wb") as f: ++ pickle.dump({}, f) ++ ++ try: ++ name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0] ++ except ValueError: ++ if sys.platform == "win32": ++ pytest.skip("unable to form relpath") ++ raise ++ ++ assert not localedata.exists(name) ++ with pytest.raises(IOError): ++ localedata.load(name) ++ with pytest.raises(UnknownLocaleError): ++ Locale(name) ++ ++ ++@pytest.mark.skipif(sys.platform != "win32", reason="windows-only test") ++def test_reserved_locale_names(): ++ for name in ("con", "aux", "nul", "prn", "com8", "lpt5"): ++ with pytest.raises(ValueError): ++ localedata.load(name) ++ with pytest.raises(ValueError): ++ Locale(name) diff --git a/SPECS/babel.spec b/SPECS/babel.spec index f273769..541724d 100644 --- a/SPECS/babel.spec +++ b/SPECS/babel.spec @@ -17,7 +17,7 @@ Name: babel Version: 2.5.1 -Release: 5%{?dist} +Release: 7%{?dist} Summary: Tools for internationalizing Python applications License: BSD @@ -25,6 +25,12 @@ URL: http://babel.pocoo.org/ Source0: https://files.pythonhosted.org/packages/source/B/%{srcname}/%{srcname}-%{version}.tar.gz Patch0: babel-2.3.4-remove-pytz-version.patch +# Fix CVE-2021-20095: relative path traversal allows an attacker to load +# arbitrary locale files on disk and execute arbitrary code +# Resolved upstream: https://github.com/python-babel/babel/pull/782/ +# CVE bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1955615 +Patch1: CVE-2021-20095.patch + BuildArch: noarch %if 0%{?rhel} && 0%{?rhel} <= 7 @@ -111,7 +117,7 @@ Provides: python3-babel-doc = %{version}-%{release} Documentation for Babel %prep -%autosetup -n %{srcname}-%{version} +%autosetup -n %{srcname}-%{version} -p1 %build %if 0%{?rhel} && 0%{?rhel} <= 7 
@@ -151,16 +157,15 @@ rm tests/messages/test_frontend.py export TZ=America/New_York %if 0%{?rhel} && 0%{?rhel} <= 7 -%{__python2} setup.py test +%{__python2} -m pytest %endif %if !%{bootstrap} -%{__python3} setup.py test +%{__python3} -m pytest %endif %files %doc CHANGES AUTHORS %license LICENSE -%{_bindir}/pybabel %if 0%{?rhel} && 0%{?rhel} <= 7 %files -n python2-babel
@@ -169,6 +174,7 @@ export TZ=America/New_York %endif %files -n python3-babel +%{_bindir}/pybabel %{python3_sitelib}/Babel-%{version}-py*.egg-info %{python3_sitelib}/babel
@@ -176,6 +182,15 @@ export TZ=America/New_York %doc built-docs/html/* %changelog +* Thu Jul 15 2021 Tomas Orsava - 2.5.1-7 +- Include the /usr/bin/pybabel binary that runs on Python 3.6 in the + python3-babel package +Resolves: rhbz#1967173 + +* Fri May 07 2021 Charalampos Stratakis - 2.5.1-6 +- Fix CVE-2021-20095 +Resolves: rhbz#1955615 + * Thu Mar 28 2019 Nils Philippsen - 2.5.1-5 - make spec file work without %%rhel being defined
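Review bot: The `%check` change in the `@@ -151,16` hunk runs `%{__python2} -m pytest` and `%{__python3} -m pytest` instead of `setup.py test`, and the test module added by Patch1 does `import pytest` at module level, so a pytest build dependency for each Python stack is now mandatory rather than something the setuptools runner could fetch or skip; nothing in this diff declares one, so it should be confirmed in the BuildRequires outside these hunks or added, e.g. `BuildRequires: python3-pytest`. The same hunk drops `%{_bindir}/pybabel` from the main `%files` list and the `@@ -169,6` hunk adds it to `%files -n python3-babel`, which is consistent with the 2.5.1-7 changelog entry.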