diff --git a/.babel.metadata b/.babel.metadata
new file mode 100644
index 0000000..6b5396b
--- /dev/null
+++ b/.babel.metadata
@@ -0,0 +1 @@
+9adbd49864392713c6a3080aeb0a9e6432577277 SOURCES/Babel-2.5.1.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57db03c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/Babel-2.5.1.tar.gz
diff --git a/SOURCES/CVE-2021-20095.patch b/SOURCES/CVE-2021-20095.patch
new file mode 100644
index 0000000..8b4c079
--- /dev/null
+++ b/SOURCES/CVE-2021-20095.patch
@@ -0,0 +1,128 @@
+diff --git a/babel/localedata.py b/babel/localedata.py
+index 4b6d3b6..080b723 100644
+--- a/babel/localedata.py
++++ b/babel/localedata.py
+@@ -13,6 +13,8 @@
+ """
+ 
+ import os
++import re
++import sys
+ import threading
+ from collections import MutableMapping
+ from itertools import chain
+@@ -33,6 +35,7 @@ def get_base_dir():
+ _cache = {}
+ _cache_lock = threading.RLock()
+ _dirname = os.path.join(get_base_dir(), 'locale-data')
++_windows_reserved_name_re = re.compile("^(con|prn|aux|nul|com[0-9]|lpt[0-9])$", re.I)
+ 
+ 
+ def normalize_locale(name):
+@@ -49,6 +52,22 @@ def normalize_locale(name):
+ return locale_id
+ 
+ 
++def resolve_locale_filename(name):
++ """
++ Resolve a locale identifier to a `.dat` path on disk.
++ """
++
++ # Clean up any possible relative paths.
++ name = os.path.basename(name)
++
++ # Ensure we're not left with one of the Windows reserved names.
++ if sys.platform == "win32" and _windows_reserved_name_re.match(os.path.splitext(name)[0]):
++ raise ValueError("Name %s is invalid on Windows" % name)
++
++ # Build the path.
++ return os.path.join(_dirname, '%s.dat' % name)
++
++
+ def exists(name):
+ """Check whether locale data is available for the given locale.
+ 
+@@ -60,7 +79,7 @@ def exists(name):
+ return False
+ if name in _cache:
+ return True
+- file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
++ file_found = os.path.exists(resolve_locale_filename(name))
+ return True if file_found else bool(normalize_locale(name))
+ 
+ 
+@@ -102,6 +121,7 @@ def load(name, merge_inherited=True):
+ :raise `IOError`: if no locale data file is found for the given locale
+ identifer, or one of the locales it inherits from
+ """
++ name = os.path.basename(name)
+ _cache_lock.acquire()
+ try:
+ data = _cache.get(name)
+@@ -119,7 +139,7 @@ def load(name, merge_inherited=True):
+ else:
+ parent = '_'.join(parts[:-1])
+ data = load(parent).copy()
+- filename = os.path.join(_dirname, '%s.dat' % name)
++ filename = resolve_locale_filename(name)
+ with open(filename, 'rb') as fileobj:
+ if name != 'root' and merge_inherited:
+ merge(data, pickle.load(fileobj))
+diff --git a/tests/test_localedata.py b/tests/test_localedata.py
+index 3599b21..173e7a3 100644
+--- a/tests/test_localedata.py
++++ b/tests/test_localedata.py
+@@ -11,12 +11,18 @@
+ # individuals. For the exact contribution history, see the revision
+ # history and logs, available at http://babel.edgewall.org/log/.
+ 
++import os
++import pickle
++import sys
++import tempfile
+ import unittest
+ import random
+ from operator import methodcaller
+ import sys
+ 
+-from babel import localedata, numbers
++import pytest
++
++from babel import localedata, Locale, UnknownLocaleError, numbers
+ 
+ class MergeResolveTestCase(unittest.TestCase):
+ 
+@@ -117,3 +123,33 @@ def test_locale_argument_acceptance():
+ assert normalized_locale == None
+ locale_exist = localedata.exists(['en_us', None])
+ assert locale_exist == False
++
++def test_locale_name_cleanup():
++ """
++ Test that locale identifiers are cleaned up to avoid directory traversal.
++ """
++ no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999))
++ with open(no_exist_name, "wb") as f:
++ pickle.dump({}, f)
++
++ try:
++ name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0]
++ except ValueError:
++ if sys.platform == "win32":
++ pytest.skip("unable to form relpath")
++ raise
++
++ assert not localedata.exists(name)
++ with pytest.raises(IOError):
++ localedata.load(name)
++ with pytest.raises(UnknownLocaleError):
++ Locale(name)
++
++
++@pytest.mark.skipif(sys.platform != "win32", reason="windows-only test")
++def test_reserved_locale_names():
++ for name in ("con", "aux", "nul", "prn", "com8", "lpt5"):
++ with pytest.raises(ValueError):
++ localedata.load(name)
++ with pytest.raises(ValueError):
++ Locale(name)
diff --git a/SOURCES/babel-2.3.4-remove-pytz-version.patch b/SOURCES/babel-2.3.4-remove-pytz-version.patch
new file mode 100644
index 0000000..9025179
--- /dev/null
+++ b/SOURCES/babel-2.3.4-remove-pytz-version.patch
@@ -0,0 +1,15 @@
+diff -up Babel-2.3.4/setup.py.orig Babel-2.3.4/setup.py
+--- Babel-2.3.4/setup.py.orig 2016-04-11 11:58:25.000000000 +0200
++++ Babel-2.3.4/setup.py 2016-04-25 13:35:54.458765892 +0200
+@@ -59,7 +59,10 @@ setup(
+ # This version identifier is currently necessary as
+ # pytz otherwise does not install on pip 1.4 or
+ # higher.
+- 'pytz>=0a',
++ ### But the version confuses setuptools 8 and higher so remove it in the
++ ### system package
++ #'pytz>=0a',
++ 'pytz',
+ ],
+ 
+ cmdclass={'import_cldr': import_cldr},
diff --git a/SPECS/babel.spec b/SPECS/babel.spec
new file mode 100644
index 0000000..78fc79f
--- /dev/null
+++ b/SPECS/babel.spec
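Review bot: `test_locale_name_cleanup` creates `no_exist_name` in the temp directory from `random.randint` and never removes it, so every run leaks a `.dat` file and a stale one from an earlier run can collide with the chosen name; use `fd, no_exist_name = tempfile.mkstemp(suffix=".dat")` (or `tempfile.NamedTemporaryFile(suffix=".dat", delete=False)`) and delete it in a `finally:` after the assertions. On the fix itself, `os.path.basename` in `resolve_locale_filename` and `load` confines the lookup to `_dirname`, but the file found there is still handed to `pickle.load` in the `load` hunk, so the remaining trust boundary is the contents of the `locale-data` directory; a comment on the basename line such as `# basename() confines lookups to _dirname; the .dat found there is still unpickled, so that directory must stay trusted` would make that explicit for the next reader. Note also that on POSIX `basename` splits only on `/`, so a name containing backslashes reaches `os.path.join` unchanged — harmless there, but worth a short note since the `win32` reserved-name guard below it is the only platform-specific check. The `exists` and `load` hunks show only fragments of those functions.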
@@ -0,0 +1,396 @@
+%global srcname Babel
+%global sum Library for internationalizing Python applications
+
+# On fedora 24 and beyond we want to use the python3 version by default
+# (Only reason earlier versions aren't switched is that we didn't push it out
+# before the release)
+%if 0%{?fedora} >= 24 || 0%{?rhel} > 7
+%global default_python 3
+%else
+%global default_python 2
+%endif
+
+# There is some bootstrapping involved when upgrading Python 3
+# First of all we need babel (this package) to use sphinx
+# And pytest is at this point not yet ready
+%global bootstrap 0
+
+Name: babel
+Version: 2.5.1
+Release: 6%{?dist}
+Summary: Tools for internationalizing Python applications
+
+License: BSD
+URL: http://babel.pocoo.org/
+Source0: https://files.pythonhosted.org/packages/source/B/%{srcname}/%{srcname}-%{version}.tar.gz
+Patch0: babel-2.3.4-remove-pytz-version.patch
+
+# Fix CVE-2021-20095: relative path traversal allows an attacker to load
+# arbitrary locale files on disk and execute arbitrary code
+# Resolved upstream: https://github.com/python-babel/babel/pull/782/
+# CVE bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1955615
+Patch1: CVE-2021-20095.patch
+
+BuildArch: noarch
+
+%if 0%{?rhel} && 0%{?rhel} <= 7
+BuildRequires: python2-devel
+BuildRequires: python2-setuptools
+BuildRequires: python2-pytz
+BuildRequires: python2-pytest
+%endif
+BuildRequires: python3-devel
+BuildRequires: platform-python-setuptools
+%if !%{bootstrap}
+BuildRequires: python3-pytz
+BuildRequires: python3-pytest
+%endif
+
+# build the documentation
+BuildRequires: make
+
+%if %{default_python} >= 3
+%if %{bootstrap}
+BuildRequires: python2-sphinx
+%else
+BuildRequires: python3-sphinx
+%endif
+Requires: python3-babel
+Requires: platform-python-setuptools
+%else
+BuildRequires: python2-sphinx
+Requires: python2-babel
+Requires: python2-setuptools
+%endif
+
+
+%description
+Babel is composed of two major parts:
+
+* tools to build and work with gettext message catalogs
+
+* a Python interface to the CLDR (Common Locale Data Repository),
+ providing access to various locale display names, localized number
+ and date formatting, etc.
+
+%package -n python2-babel
+Summary: %sum
+
+Requires: python2-setuptools
+Requires: pytz
+
+%{?python_provide:%python_provide python2-babel}
+
+%description -n python2-babel
+Babel is composed of two major parts:
+
+* tools to build and work with gettext message catalogs
+
+* a Python interface to the CLDR (Common Locale Data Repository),
+ providing access to various locale display names, localized number
+ and date formatting, etc.
+
+%package -n python3-babel
+Summary: %sum
+
+Requires: platform-python-setuptools
+Requires: python3-pytz
+
+%{?python_provide:%python_provide python3-babel}
+
+%description -n python3-babel
+Babel is composed of two major parts:
+
+* tools to build and work with gettext message catalogs
+
+* a Python interface to the CLDR (Common Locale Data Repository),
+ providing access to various locale display names, localized number
+ and date formatting, etc.
+
+%package doc
+Summary: Documentation for Babel
+Provides: python-babel-doc = %{version}-%{release}
+Provides: python2-babel-doc = %{version}-%{release}
+Provides: python3-babel-doc = %{version}-%{release}
+
+%description doc
+Documentation for Babel
+
+%prep
+%autosetup -n %{srcname}-%{version} -p1
+
+%build
+%if 0%{?rhel} && 0%{?rhel} <= 7
+%py2_build
+%endif
+%py3_build
+
+BUILDDIR="$PWD/built-docs"
+rm -rf "$BUILDDIR"
+pushd docs
+make \
+%if %{default_python} >= 3 && !%{bootstrap}
+ SPHINXBUILD=sphinx-build-3 \
+%else
+ SPHINXBUILD=sphinx-build \
+%endif
+ BUILDDIR="$BUILDDIR" \
+ html
+popd
+rm -f "$BUILDDIR/html/.buildinfo"
+
+%install
+%if %{default_python} >= 3
+%if 0%{?rhel} && 0%{?rhel} <= 7
+%py2_install
+%endif
+%py3_install
+%else
+%py3_install
+%py2_install
+%endif
+
+%check
+
+# test_frontend needs python-freezegun
+rm tests/messages/test_frontend.py
+
+export TZ=America/New_York
+%if 0%{?rhel} && 0%{?rhel} <= 7
+%{__python2} -m pytest
+%endif
+%if !%{bootstrap}
+%{__python3} -m pytest
+%endif
+
+%files
+%doc CHANGES AUTHORS
+%license LICENSE
+%{_bindir}/pybabel
+
+%if 0%{?rhel} && 0%{?rhel} <= 7
+%files -n python2-babel
+%{python2_sitelib}/Babel-%{version}-py*.egg-info
+%{python2_sitelib}/babel
+%endif
+
+%files -n python3-babel
+%{python3_sitelib}/Babel-%{version}-py*.egg-info
+%{python3_sitelib}/babel
+
+%files doc
+%doc built-docs/html/*
+
+%changelog
+* Fri May 07 2021 Charalampos Stratakis - 2.5.1-6
+- Fix CVE-2021-20095
+Resolves: rhbz#1955615
+
+* Thu Mar 28 2019 Nils Philippsen - 2.5.1-5
+- make spec file work without %%rhel being defined
+
+* Tue Mar 26 2019 Nils Philippsen - 2.5.1-4
+- depend on platform-python-setuptools rather than python3-setuptools (#1650487)
+
+* Mon Jun 18 2018 Petr Viktorin - 2.5.1-3
+- Remove the freezegun dependency
+
+* Wed Feb 07 2018 Fedora Release Engineering - 2.5.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Dec 15 2017 Felix Schwarz - 2.5.1-1
+- update to upstream version 2.5.1
+
+* Fri Dec 15 2017 Iryna Shcherbina - 2.3.4-7
+- Update Python 2 dependency declarations to new packaging standards
+ (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Wed Jul 26 2017 Fedora Release Engineering - 2.3.4-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering - 2.3.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Tue Dec 13 2016 Miro Hrončok - 2.3.4-4
+- Finish bootstrapping for Python 3.6
+
+* Tue Dec 13 2016 Miro Hrončok - 2.3.4-3
+- Rebuild for Python 3.6
+- Add "bootstrap" conditions
+
+* Tue Jul 19 2016 Fedora Release Engineering - 2.3.4-2
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Tue May 31 2016 Nils Philippsen
+- fix source URL
+
+* Mon Apr 25 2016 Nils Philippsen - 2.3.4-1
+- version 2.3.4
+- always build Python3 subpackages
+- remove obsolete packaging constructs
+- update to current Python packaging guidelines
+- build docs non-destructively
+- tag license file as %%license
+- use %%python_provide macro only if present
+- update remove-pytz-version patch
+- fix build dependencies
+- set TZ in %%check
+
+* Wed Feb 03 2016 Fedora Release Engineering - 1.3-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Nov 10 2015 Fedora Release Engineering - 1.3-11
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Fri Nov 6 2015 Toshio Kuratomi - 1.3-10
+- Also make sure that the babel package that has pybabel depends on the correct
+ packages (python2 packages on F23 or less and python3 packages on F24 and
+ greater.)
+
+* Wed Nov 4 2015 Toshio Kuratomi - 1.3-9
+- Install the python3 version of pybabel on Fedora 24+ to match with Fedora's
+ default python version
+
+* Wed Jun 17 2015 Fedora Release Engineering - 1.3-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed Dec 17 2014 Toshio Kuratomi - 1.3-7
+- Remove pytz version requirement in egginfo as it confuses newer setuptools
+
+* Mon Jun 30 2014 Toshio Kuratomi - 1.3-6
+- Change python-setuptools-devel BR into python-setuptools
+
+* Sat Jun 07 2014 Fedora Release Engineering - 1.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed May 28 2014 Kalev Lember - 1.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4
+
+* Wed Apr 02 2014 Nils Philippsen - 1.3-3
+- fix dependencies (#1083470)
+
+* Sun Oct 06 2013 Felix Schwarz - 1.3-2
+- enable python3 subpackage
+
+* Wed Oct 02 2013 Felix Schwarz - 1.3-1
+- update to Babel 1.3
+- disabled %%check as it tries to download the CLDR
+
+* Sat Aug 03 2013 Fedora Release Engineering - 0.9.6-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Jun 26 2013 Jeffrey C. Ollie - 0.9.6-8
+- split documentation off to a separate subpackage
+
+* Wed Feb 13 2013 Fedora Release Engineering - 0.9.6-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Thu Oct 18 2012 Nils Philippsen - 0.9.6-6
+- run tests in %%check
+- add pytz build requirement for tests
+
+* Sat Aug 04 2012 David Malcolm - 0.9.6-5
+- rebuild for https://fedoraproject.org/wiki/Features/Python_3.3
+
+* Wed Aug 01 2012 Felix Schwarz - 0.9.6-4
+- disable building of non-functional python3 subpackage (#761583)
+
+* Wed Jul 18 2012 Fedora Release Engineering - 0.9.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Thu Jan 12 2012 Fedora Release Engineering - 0.9.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Jun 07 2011 Nils Philippsen - 0.9.6-1
+- version 0.9.6:
+ * Backport r493-494: documentation typo fixes.
+ * Make the CLDR import script work with Python 2.7.
+ * Fix various typos.
+ * Fixed Python 2.3 compatibility (ticket #146, #233).
+ * Sort output of list-locales.
+ * Make the POT-Creation-Date of the catalog being updated equal to
+ POT-Creation-Date of the template used to update (ticket #148).
+ * Use a more explicit error message if no option or argument (command) is
+ passed to pybabel (ticket #81).
+ * Keep the PO-Revision-Date if it is not the default value (ticket #148).
+ * Make --no-wrap work by reworking --width's default and mimic xgettext's
+ behaviour of always wrapping comments (ticket #145).
+ * Fixed negative offset handling of Catalog._set_mime_headers (ticket #165).
+ * Add --project and --version options for commandline (ticket #173).
+ * Add a __ne__() method to the Local class.
+ * Explicitly sort instead of using sorted() and don't assume ordering
+ (Python 2.3 and Jython compatibility).
+ * Removed ValueError raising for string formatting message checkers if the
+ string does not contain any string formattings (ticket #150).
+ * Fix Serbian plural forms (ticket #213).
+ * Small speed improvement in format_date() (ticket #216).
+ * Fix number formatting for locales where CLDR specifies alt or draft
+ items (ticket #217)
+ * Fix bad check in format_time (ticket #257, reported with patch and tests by
+ jomae)
+ * Fix so frontend.CommandLineInterface.run does not accumulate logging
+ handlers (#227, reported with initial patch by dfraser)
+ * Fix exception if environment contains an invalid locale setting (#200)
+- install python2 rather than python3 executable (#710880)
+
+* Mon Feb 07 2011 Fedora Release Engineering - 0.9.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Aug 26 2010 Jeffrey C. Ollie - 0.9.5-3
+- Add python3 subpackage
+
+* Wed Jul 21 2010 David Malcolm - 0.9.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Wed Apr 7 2010 Jeffrey C. Ollie - 0.9.5-1
+- This release contains a small number of bugfixes over the 0.9.4
+- release.
+-
+- What's New:
+- -----------
+- * Fixed the case where messages containing square brackets would break
+- with an unpack error
+- * Fuzzy matching regarding plurals should *NOT* be checked against
+- len(message.id) because this is always 2, instead, it's should be
+- checked against catalog.num_plurals (ticket #212).
+
+* Fri Jul 24 2009 Fedora Release Engineering - 0.9.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Sat Mar 28 2009 Robert Scheck - 0.9.4-4
+- Added missing requires to python-setuptools for pkg_resources
+
+* Mon Feb 23 2009 Fedora Release Engineering - 0.9.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 0.9.4-2
+- Rebuild for Python 2.6
+
+* Mon Aug 25 2008 Jeffrey C. Ollie - 0.9.4-1
+- Update to 0.9.4
+
+* Thu Jul 10 2008 Jeffrey C. Ollie - 0.9.3-1
+- Update to 0.9.3
+
+* Sun Dec 16 2007 Jeffrey C. Ollie - 0.9.1-1
+- Update to 0.9.1
+
+* Tue Aug 28 2007 Jeffrey C. Ollie - 0.9-2
+- BR python-setuptools-devel
+
+* Mon Aug 27 2007 Jeffrey C. Ollie - 0.9-1
+- Update to 0.9
+
+* Mon Jul 2 2007 Jeffrey C. Ollie - 0.8.1-1
+- Update to 0.8.1
+- Remove upstreamed patch.
+
+* Fri Jun 29 2007 Jeffrey C. Ollie - 0.8-3
+- Replace patch with one that actually applies.
+
+* Fri Jun 29 2007 Jeffrey C. Ollie - 0.8-2
+- Apply upstream patch to rename command line script to "pybabel" - BZ#246208
+
+* Thu Jun 21 2007 Jeffrey C. Ollie - 0.8-1
+- First version for Fedora
+
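Review bot: The python2 install step is guarded differently from its build and `%files` sections: `%py2_build` in `%build` and `%files -n python2-babel` are wrapped in `%if 0%{?rhel} && 0%{?rhel} <= 7`, but the `%else` branch of `%install` (taken when `default_python` is 2) runs `%py2_install` unconditionally, so a target with `default_python` 2 and `%{rhel}` unset or above 7 would install without a build and then fail on unpackaged files. Under this spec's own `%if`, `default_python` is 2 only for Fedora < 24 or RHEL <= 7, so on the intended targets this is probably dead, but wrapping that `%py2_install` in the same `%if 0%{?rhel} && 0%{?rhel} <= 7` / `%endif` keeps the three sections consistent. It may also be worth a one-line comment above `Patch1` noting that the CVE regression test only runs when `%check` executes `%{__python3} -m pytest`, which this spec skips when `bootstrap` is 1, so a bootstrap build does not verify the fix.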