diff --git a/SOURCES/CVE-2020-28493.patch b/SOURCES/CVE-2020-28493.patch new file mode 100644 index 0000000..7011805 --- /dev/null +++ b/SOURCES/CVE-2020-28493.patch @@ -0,0 +1,118 @@ +diff --git a/jinja2/utils.py b/jinja2/utils.py +index 49e9e9a..0e67d88 100644 +--- a/jinja2/utils.py ++++ b/jinja2/utils.py +@@ -11,6 +11,8 @@ + import re + import sys + import errno ++from string import ascii_letters as _letters ++from string import digits as _digits + try: + from thread import allocate_lock + except ImportError: +@@ -19,19 +21,6 @@ from collections import deque + from itertools import imap + + +-_word_split_re = re.compile(r'(\s+)') +-_punctuation_re = re.compile( +- '^(?P(?:%s)*)(?P.*?)(?P(?:%s)*)$' % ( +- '|'.join(imap(re.escape, ('(', '<', '<'))), +- '|'.join(imap(re.escape, ('.', ',', ')', '>', '\n', '>'))) +- ) +-) +-_simple_email_re = re.compile(r'^\S+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9._-]+$') +-_striptags_re = re.compile(r'(|<[^>]*>)') +-_entity_re = re.compile(r'&([^;]+);') +-_letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' +-_digits = '0123456789' +- + # special singleton representing missing values for the runtime + missing = type('MissingType', (), {'__repr__': lambda x: 'missing'})() + +@@ -271,32 +260,61 @@ def urlize(text, trim_url_limit=None, nofollow=False): + trim_url = lambda x, limit=trim_url_limit: limit is not None \ + and (x[:limit] + (len(x) >=limit and '...' + or '')) or x +- words = _word_split_re.split(unicode(escape(text))) ++ words = re.split(r"(\s+)", unicode(escape(text))) + nofollow_attr = nofollow and ' rel="nofollow"' or '' + for i, word in enumerate(words): +- match = _punctuation_re.match(word) ++ head, middle, tail = "", word, "" ++ match = re.match(r"^([(<]|<)+", middle) ++ + if match: +- lead, middle, trail = match.groups() +- if middle.startswith('www.') or ( +- '@' not in middle and +- not middle.startswith('http://') and +- len(middle) > 0 and +- middle[0] in _letters + _digits and ( +- middle.endswith('.org') or +- middle.endswith('.net') or +- middle.endswith('.com') +- )): +- middle = '%s' % (middle, +- nofollow_attr, trim_url(middle)) +- if middle.startswith('http://') or \ +- middle.startswith('https://'): +- middle = '%s' % (middle, +- nofollow_attr, trim_url(middle)) +- if '@' in middle and not middle.startswith('www.') and \ +- not ':' in middle and _simple_email_re.match(middle): +- middle = '%s' % (middle, middle) +- if lead + middle + trail != word: +- words[i] = lead + middle + trail ++ head = match.group() ++ middle = middle[match.end() :] ++ ++ # Unlike lead, which is anchored to the start of the string, ++ # need to check that the string ends with any of the characters ++ # before trying to match all of them, to avoid backtracking. ++ if middle.endswith((")", ">", ".", ",", "\n", ">")): ++ match = re.search(r"([)>.,\n]|>)+$", middle) ++ ++ if match: ++ tail = match.group() ++ middle = middle[: match.start()] ++ ++ if middle.startswith("www.") or ( ++ "@" not in middle ++ and not middle.startswith("http://") ++ and not middle.startswith("https://") ++ and len(middle) > 0 ++ and middle[0] in _letters + _digits ++ and ( ++ middle.endswith(".org") ++ or middle.endswith(".net") ++ or middle.endswith(".com") ++ ) ++ ): ++ middle = '%s' % ( ++ middle, ++ nofollow_attr, ++ trim_url(middle), ++ ) ++ ++ if middle.startswith("http://") or middle.startswith("https://"): ++ middle = '%s' % ( ++ middle, ++ nofollow_attr, ++ trim_url(middle), ++ ) ++ ++ if ( ++ "@" in middle ++ and not middle.startswith("www.") ++ and ":" not in middle ++ and re.match(r"^\S@\w[\w.-]*\.\w$", middle) ++ ): ++ middle = '%s' % (middle, middle) ++ ++ words[i] = head + middle + tail ++ + return u''.join(words) + + diff --git a/SPECS/python-jinja2.spec b/SPECS/python-jinja2.spec index 05db935..06f5975 100644 --- a/SPECS/python-jinja2.spec +++ b/SPECS/python-jinja2.spec @@ -7,7 +7,7 @@ Name: %{?scl_prefix}python-jinja2 Version: 2.6 -Release: 15%{?dist} +Release: 16%{?dist} Summary: General purpose template engine Group: Development/Languages License: BSD @@ -23,9 +23,15 @@ Patch0: %{pkg_name}-fix-CVE-2014-1402.patch # Also bundling the EscapeFormatter class from markupsafe >= 0.21, as we don't ship # that version in RHEL7 and it's required for the CVE fix # https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16 -# https://bugzilla.redhat.com/show_bug.cgi?id=1701310 +# https://bugzilla.redhat.com/show_bug.cgi?id=1701311 Patch1: python-jinja2-fix-CVE-2016-10745.patch +# CVE-2020-28493: ReDOS vulnerability due to the sub-pattern +# The patch is rebased to the old project structure. +# Upstream commit: https://github.com/pallets/jinja/pull/1343/commits/ef658dc3b6389b091d608e710a810ce8b87995b3 +# Tracking bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1928707 +Patch2: CVE-2020-28493.patch + BuildRoot: %{_tmppath}/%{pkg_name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch BuildRequires: %{?scl_prefix}python-devel @@ -57,6 +63,7 @@ find . -name '*.pyo' -o -name '*.pyc' -delete %patch0 -p0 %patch1 -p1 +%patch2 -p1 # fix EOL sed -i 's|\r$||g' LICENSE @@ -68,7 +75,7 @@ cp -a . %{py3dir} %build %{?scl:scl enable %{scl} "} -%{__python} setup.py build +%{__python2} setup.py build %{?scl:"} # for now, we build docs using Python 2.x and use that for both @@ -82,7 +89,7 @@ make -C docs html %install rm -rf %{buildroot} %{?scl:scl enable %{scl} "} -%{__python} setup.py install -O1 --skip-build \ +%{__python2} setup.py install -O1 --skip-build \ --root %{buildroot} %{?scl:"} @@ -105,13 +112,17 @@ make test %endif # with_docs %doc ext %doc examples -%{python_sitelib}/* -%exclude %{python_sitelib}/jinja2/_debugsupport.c +%{python2_sitelib}/* +%exclude %{python2_sitelib}/jinja2/_debugsupport.c %changelog +* Wed Jul 21 2021 Charalampos Stratakis - 2.6-16 +- Fix CVE-2020-28493: ReDOS vulnerability due to the sub-pattern +Resolves: rhbz#1928707 + * Thu May 02 2019 Charalampos Stratakis - 2.6-15 - Fix for CVE-2016-10745 -Resolves: rhbz#1701310 +Resolves: rhbz#1701311 * Fri May 25 2018 Charalampos Stratakis - 2.6-14 - Rebuild for multi-arch bootstrap