diff --git a/SOURCES/CVE-2020-28493.patch b/SOURCES/CVE-2020-28493.patch
new file mode 100644
index 0000000..62047b8
--- /dev/null
+++ b/SOURCES/CVE-2020-28493.patch
@@ -0,0 +1,133 @@
+From 2b76a5a3aa898fd1621c72c6da935cddfb484424 Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Fri, 12 Mar 2021 14:34:06 +0100
+Subject: [PATCH] CVE-2020-28493
+
+---
+ Jinja2-2.10.1/jinja2/utils.py | 94 +++++++++++++++++++++--------------
+ 1 file changed, 56 insertions(+), 38 deletions(-)
+
+diff --git a/Jinja2-2.10.1/jinja2/utils.py b/Jinja2-2.10.1/jinja2/utils.py
+index 502a311..25dd78f 100644
+--- a/Jinja2-2.10.1/jinja2/utils.py
++++ b/Jinja2-2.10.1/jinja2/utils.py
+@@ -12,24 +12,12 @@ import re
+ import json
+ import errno
+ from collections import deque
++from string import ascii_letters as _letters
++from string import digits as _digits
+ from threading import Lock
+ from jinja2._compat import text_type, string_types, implements_iterator, \
+      url_quote
+ 
+-
+-_word_split_re = re.compile(r'(\s+)')
+-_punctuation_re = re.compile(
+-    '^(?P<lead>(?:%s)*)(?P<middle>.*?)(?P<trail>(?:%s)*)$' % (
+-        '|'.join(map(re.escape, ('(', '<', '&lt;'))),
+-        '|'.join(map(re.escape, ('.', ',', ')', '>', '\n', '&gt;')))
+-    )
+-)
+-_simple_email_re = re.compile(r'^\S+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9._-]+$')
+-_striptags_re = re.compile(r'(<!--.*?-->|<[^>]*>)')
+-_entity_re = re.compile(r'&([^;]+);')
+-_letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
+-_digits = '0123456789'
+-
+ # special singleton representing missing values for the runtime
+ missing = type('MissingType', (), {'__repr__': lambda x: 'missing'})()
+ 
+@@ -203,35 +191,65 @@ def urlize(text, trim_url_limit=None, rel=None, target=None):
+     trim_url = lambda x, limit=trim_url_limit: limit is not None \
+                          and (x[:limit] + (len(x) >=limit and '...'
+                          or '')) or x
+-    words = _word_split_re.split(text_type(escape(text)))
++    words = re.split(r"(\s+)", text_type(escape(text)))
+     rel_attr = rel and ' rel="%s"' % text_type(escape(rel)) or ''
+     target_attr = target and ' target="%s"' % escape(target) or ''
+ 
+     for i, word in enumerate(words):
+-        match = _punctuation_re.match(word)
++        head, middle, tail = "", word, ""
++        match = re.match(r"^([(<]|&lt;)+", middle)
++
+         if match:
+-            lead, middle, trail = match.groups()
+-            if middle.startswith('www.') or (
+-                '@' not in middle and
+-                not middle.startswith('http://') and
+-                not middle.startswith('https://') and
+-                len(middle) > 0 and
+-                middle[0] in _letters + _digits and (
+-                    middle.endswith('.org') or
+-                    middle.endswith('.net') or
+-                    middle.endswith('.com')
+-                )):
+-                middle = '<a href="http://%s"%s%s>%s</a>' % (middle,
+-                    rel_attr, target_attr, trim_url(middle))
+-            if middle.startswith('http://') or \
+-               middle.startswith('https://'):
+-                middle = '<a href="%s"%s%s>%s</a>' % (middle,
+-                    rel_attr, target_attr, trim_url(middle))
+-            if '@' in middle and not middle.startswith('www.') and \
+-               not ':' in middle and _simple_email_re.match(middle):
+-                middle = '<a href="mailto:%s">%s</a>' % (middle, middle)
+-            if lead + middle + trail != word:
+-                words[i] = lead + middle + trail
++            head = match.group()
++            middle = middle[match.end() :]
++
++        # Unlike lead, which is anchored to the start of the string,
++        # need to check that the string ends with any of the characters
++        # before trying to match all of them, to avoid backtracking.
++        if middle.endswith((")", ">", ".", ",", "\n", "&gt;")):
++            match = re.search(r"([)>.,\n]|&gt;)+$", middle)
++
++            if match:
++                tail = match.group()
++                middle = middle[: match.start()]
++
++        if middle.startswith("www.") or (
++            "@" not in middle
++            and not middle.startswith("http://")
++            and not middle.startswith("https://")
++            and len(middle) > 0
++            and middle[0] in _letters + _digits
++            and (
++                middle.endswith(".org")
++                or middle.endswith(".net")
++                or middle.endswith(".com")
++            )
++        ):
++            middle = '<a href="http://%s"%s%s>%s</a>' % (
++                middle,
++                rel_attr,
++                target_attr,
++                trim_url(middle),
++            )
++
++        if middle.startswith("http://") or middle.startswith("https://"):
++            middle = '<a href="%s"%s%s>%s</a>' % (
++                middle,
++                rel_attr,
++                target_attr,
++                trim_url(middle),
++            )
++
++        if (
++            "@" in middle
++            and not middle.startswith("www.")
++            and ":" not in middle
++            and re.match(r"^\S@\w[\w.-]*\.\w$", middle)
++        ):
++            middle = '<a href="mailto:%s">%s</a>' % (middle, middle)
++
++        words[i] = head + middle + tail
++
+     return u''.join(words)
+ 
+ 
+-- 
+2.29.2
+
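Review bot: The rewritten e-mail check in `urlize`, `re.match(r"^\S@\w[\w.-]*\.\w$", middle)`, accepts only a single character before `@` and a single character after the last dot, so an ordinary address such as `user@example.com` is no longer turned into a `mailto:` link. The removed `_simple_email_re` had `\S+` and a trailing `+`, so the quantifiers were probably lost during the rebase; compare with the upstream commit referenced in the spec file. The line should read `and re.match(r"^\S+@\w[\w.-]*\.\w+$", middle)`, which keeps the pattern anchored and free of the nested lazy group that caused the ReDoS. A `urlize` test with a multi-character address would catch this regression. The body of `urlize` begins outside the embedded hunk, so the rest of the function is not reviewed here.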
diff --git a/SPECS/python-jinja2.spec b/SPECS/python-jinja2.spec
index 5bfee7c..e1cb83c 100644
--- a/SPECS/python-jinja2.spec
+++ b/SPECS/python-jinja2.spec
@@ -27,13 +27,19 @@
 
 Name:           python-jinja2
 Version:        2.10.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        General purpose template engine
 Group:          Development/Languages
 License:        BSD
 URL:            http://jinja.pocoo.org/
 Source0:        https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz
 
+# CVE-2020-28493: ReDOS vulnerability due to the sub-pattern
+# The patch is rebased to the old project structure.
+# Upstream commit: https://github.com/pallets/jinja/pull/1343/commits/ef658dc3b6389b091d608e710a810ce8b87995b3
+# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1928707
+Patch0:         CVE-2020-28493.patch
+
 BuildArch:      noarch
 
 %description
@@ -108,6 +114,9 @@ environments.
 
 %prep
 %setup -qc -n Jinja2-%{version}
+
+%patch0 -p1
+
 # cleanup
 find Jinja2-%{version} -name '*.pyo' -o -name '*.pyc' -delete
 
@@ -208,13 +217,17 @@ popd
 
 
 %changelog
+* Fri Mar 12 2021 Lumír Balhar <lbalhar@redhat.com> - 2.10.1-3
+- Fix CVE-2020-28493: ReDOS vulnerability due to the sub-pattern
+Resolves: rhbz#1928707
+
 * Tue Apr 30 2019 Lumír Balhar <lbalhar@redhat.com> - 2.10.1-2
 - Rebuild of package to go through gating
-- Resolves: rhbz#1701300
+- Resolves: rhbz#1701301
 
 * Thu Apr 25 2019 Lumír Balhar <lbalhar@redhat.com> - 2.10.1-1
 - Rebase to 2.10.1 (security update) to fix CVE-2019-10906
-- Resolves: rhbz#1701300
+- Resolves: rhbz#1701301
 
 * Fri Nov 16 2018 Lumír Balhar <lbalhar@redhat.com> - 2.10-9
 - Require platform-python-setuptools instead of python3-setuptools