From e849d1ae79e1603f48f46da1e381770d7d164d49 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 24 2021 07:31:15 +0000
Subject: import python27-babel-0.9.6-10.el7
---
diff --git a/SOURCES/CVE-2021-20095.patch b/SOURCES/CVE-2021-20095.patch
new file mode 100644
index 0000000..b14bbd2
--- /dev/null
+++ b/SOURCES/CVE-2021-20095.patch
@@ -0,0 +1,64 @@
+diff --git a/babel/localedata.py b/babel/localedata.py
+index 9308b5e..688af79 100644
+--- a/babel/localedata.py
++++ b/babel/localedata.py
+@@ -18,6 +18,9 @@
+ """
+ 
+ import os
++import re
++import sys
++
+ import pickle
+ try:
+ import threading
+@@ -31,7 +34,23 @@ __docformat__ = 'restructuredtext en'
+ _cache = {}
+ _cache_lock = threading.RLock()
+ _dirname = os.path.join(os.path.dirname(__file__), 'localedata')
++_windows_reserved_name_re = re.compile("^(con|prn|aux|nul|com[0-9]|lpt[0-9])$", re.I)
++
++
++def resolve_locale_filename(name):
++ """
++ Resolve a locale identifier to a `.dat` path on disk.
++ """
++
++ # Clean up any possible relative paths.
++ name = os.path.basename(name)
++
++ # Ensure we're not left with one of the Windows reserved names.
++ if sys.platform == "win32" and _windows_reserved_name_re.match(os.path.splitext(name)[0]):
++ raise ValueError("Name %s is invalid on Windows" % name)
+ 
++ # Build the path.
++ return os.path.join(_dirname, '%s.dat' % name)
+ 
+ def exists(name):
+ """Check whether locale data is available for the given locale.
+@@ -42,7 +61,7 @@ def exists(name):
+ """
+ if name in _cache:
+ return True
+- return os.path.exists(os.path.join(_dirname, '%s.dat' % name))
++ return os.path.exists(resolve_locale_filename(name))
+ 
+ 
+ def list():
+@@ -85,6 +104,7 @@ def load(name, merge_inherited=True):
+ :raise `IOError`: if no locale data file is found for the given locale
+ identifer, or one of the locales it inherits from
+ """
++ name = os.path.basename(name)
+ _cache_lock.acquire()
+ try:
+ data = _cache.get(name)
+@@ -99,7 +119,7 @@ def load(name, merge_inherited=True):
+ else:
+ parent = '_'.join(parts[:-1])
+ data = load(parent).copy()
+- filename = os.path.join(_dirname, '%s.dat' % name)
++ filename = resolve_locale_filename(name)
+ fileobj = open(filename, 'rb')
+ try:
+ if name != 'root' and merge_inherited:
diff --git a/SPECS/babel.spec b/SPECS/babel.spec
index 7e7bfb1..a68752e 100644
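Review bot: The `:raise` section of `load()`'s docstring (the `-85,6 +104,7` hunk) still lists only `IOError`, but after this change `load()` and `exists()` can also raise `ValueError`, because `resolve_locale_filename` rejects Windows reserved device names in its `sys.platform == "win32"` branch (the `-31,7 +34,23` hunk); add `:raise ValueError: if the locale identifier is a reserved device name on Windows` there and a matching line in `exists()`'s docstring. The new `resolve_locale_filename` docstring should also say why it exists: it is the single normalization point for locale identifiers that may come from untrusted callers, `os.path.basename` strips every directory component, so the returned path always stays under `_dirname` — which matters because the file `load()` opens is presumably deserialized with `pickle`, given the import. Worth a short comment too that `os.path.basename` follows the running platform's separators, so on POSIX a backslash is kept as an ordinary filename character; that is harmless here because the result is still joined under `_dirname`. A minor inconsistency: `exists()` consults `_cache` with the raw `name` while `load()` now caches under the basename, so the two key the cache differently for the same input; `name = os.path.basename(name)` as the first statement of `exists()` would align them. `load()` starts and ends outside the hunks shown.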
--- a/SPECS/babel.spec
+++ b/SPECS/babel.spec
@@ -3,7 +3,7 @@
 Name: %{?scl_prefix}babel
 Version: 0.9.6
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: Tools for internationalizing Python applications
 Group: Development/Languages
@@ -12,6 +12,13 @@ URL: http://babel.edgewall.org/
 Source0: http://ftp.edgewall.com/pub/babel/Babel-%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{pkg_name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+# Fix CVE-2021-20095: relative path traversal allows an attacker to load
+# arbitrary locale files on disk and execute arbitrary code
+# Resolved upstream: https://github.com/python-babel/babel/pull/782/
+# CVE bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1955615
+Patch0: CVE-2021-20095.patch
+
 BuildArch: noarch
 BuildRequires: %{?scl_prefix}python-devel
@@ -49,16 +56,17 @@ Babel is composed of two major parts:
 %setup0 -q -n Babel-%{version}
 chmod a-x babel/messages/frontend.py doc/logo.png doc/logo_small.png
 %{__sed} -i -e '/^#!/,1d' babel/messages/frontend.py
+%patch0 -p1
 %build
 %{?scl:scl enable %{scl} "}
-%{__python} setup.py build
+%{__python2} setup.py build
 %{?scl:"}
 %install
 rm -rf %{buildroot}
 %{?scl:scl enable %{scl} "}
-%{__python} setup.py install --skip-build --no-compile --root %{buildroot}
+%{__python2} setup.py install --skip-build --no-compile --root %{buildroot}
 %{?scl:"}
 %clean
@@ -72,10 +80,14 @@ rm -rf %{buildroot}
 %files -n %{?scl_prefix}python-babel
 %defattr(-,root,root,-)
 %doc doc
-%{python_sitelib}/Babel-%{version}-py*.egg-info
-%{python_sitelib}/babel
+%{python2_sitelib}/Babel-%{version}-py*.egg-info
+%{python2_sitelib}/babel
 %changelog
+* Thu Jul 22 2021 Charalampos Stratakis - 0.9.6-10
+- Security fix for CVE-2021-20095
+Resolves: rhbz#1955615
+
 * Thu May 24 2018 Charalampos Stratakis - 0.9.6-9
 - Rebuild for multi-arch bootstrap
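Review bot: The new changelog entry in the `-72,10 +80,14` hunk records only the CVE fix, yet the same update also switches the build and install steps from `%{__python}` to `%{__python2}` (the `-49,16 +56,17` hunk) and the file list from `%{python_sitelib}` to `%{python2_sitelib}`; a reader of the changelog cannot tell those macro changes were intentional or whether they alter the installed paths. Add a line such as `- Use the python2 macros explicitly` under the 0.9.6-10 entry. The `Patch0` comment in the `-12,6 +12,13` hunk is accurate as written; it would help future maintainers if it also named the entry point the traversal was reachable through, which the patch itself shows: `# The locale identifier passed to babel.localedata.load()/exists() was used unsanitized in the .dat path`.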