diff --git a/SOURCES/jinja2-fix-cve-2019-10906.patch b/SOURCES/jinja2-fix-cve-2019-10906.patch new file mode 100644 index 0000000..f95485f --- /dev/null +++ b/SOURCES/jinja2-fix-cve-2019-10906.patch @@ -0,0 +1,64 @@ +From 4ed366f2ac66abced51ce98eff8a0d57f23cdfe2 Mon Sep 17 00:00:00 2001 +From: Tomas Orsava +Date: Tue, 14 May 2019 18:48:39 -0400 +Subject: [PATCH] Fix for CVE-2019-10906 python-jinja2: str.format_map allows + sandbox escape + +More information: https://palletsprojects.com/blog/jinja-2-10-1-released/ +Upstream commit: https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26 +--- + jinja2/sandbox.py | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/jinja2/sandbox.py b/jinja2/sandbox.py +index 32e2435..8d822cb 100644 +--- a/jinja2/sandbox.py ++++ b/jinja2/sandbox.py +@@ -137,7 +137,7 @@ class _MagicFormatMapping(Mapping): + def inspect_format_method(callable): + if not isinstance(callable, (types.MethodType, + types.BuiltinMethodType)) or \ +- callable.__name__ != 'format': ++ callable.__name__ not in ('format', 'format_map'): + return None + obj = callable.__self__ + if isinstance(obj, string_types): +@@ -402,7 +402,7 @@ class SandboxedEnvironment(Environment): + obj.__class__.__name__ + ), name=attribute, obj=obj, exc=SecurityError) + +- def format_string(self, s, args, kwargs): ++ def format_string(self, s, args, kwargs, format_func=None): + """If a format call is detected, then this is routed through this + method so that our safety sandbox can be used for it. + """ +@@ -410,6 +410,17 @@ class SandboxedEnvironment(Environment): + formatter = SandboxedEscapeFormatter(self, s.escape) + else: + formatter = SandboxedFormatter(self) ++ ++ if format_func is not None and format_func.__name__ == 'format_map': ++ if len(args) != 1 or kwargs: ++ raise TypeError( ++ 'format_map() takes exactly one argument %d given' ++ % (len(args) + (kwargs is not None)) ++ ) ++ ++ kwargs = args[0] ++ args = None ++ + kwargs = _MagicFormatMapping(args, kwargs) + rv = formatter.vformat(s, args, kwargs) + return type(s)(rv) +@@ -418,7 +429,7 @@ class SandboxedEnvironment(Environment): + """Call an object from sandboxed code.""" + fmt = inspect_format_method(__obj) + if fmt is not None: +- return __self.format_string(fmt, args, kwargs) ++ return __self.format_string(fmt, args, kwargs, __obj) + + # the double prefixes are to avoid double keyword argument + # errors when proxying the call. +-- +2.20.1 + diff --git a/SPECS/python-jinja2.spec b/SPECS/python-jinja2.spec index 6857e52..fc223b6 100644 --- a/SPECS/python-jinja2.spec +++ b/SPECS/python-jinja2.spec @@ -7,12 +7,19 @@ Name: %{?scl_prefix}python-jinja2 Version: 2.9.6 -Release: 2%{?dist} +Release: 3%{?dist} Summary: General purpose template engine Group: Development/Languages License: BSD URL: http://jinja.pocoo.org/ Source0: https://files.pythonhosted.org/packages/source/J/Jinja2/Jinja2-%{version}.tar.gz + +# Fix for CVE-2019-10906 python-jinja2: str.format_map allows sandbox escape +# Bugzilla: rhbz#1701304 +# More information: https://palletsprojects.com/blog/jinja-2-10-1-released/ +# Upstream commit: https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26 +Patch1: jinja2-fix-cve-2019-10906.patch + BuildRoot: %{_tmppath}/%{pkg_name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch BuildRequires: %{?scl_prefix}python-devel @@ -37,6 +44,8 @@ environments. %prep %setup -q -n Jinja2-%{version} +%patch1 -p1 + # cleanup find . -name '*.pyo' -o -name '*.pyc' -delete @@ -86,6 +95,10 @@ rm -rf %{buildroot} %exclude %{python3_sitelib}/jinja2/_debugsupport.c %changelog +* Tue May 14 2019 Tomas Orsava - 2.9.6-3 +- Fix for CVE-2019-10906 python-jinja2: str.format_map allows sandbox escape +Resolves: rhbz#1701304 + * Mon Jun 19 2017 Charalampos Stratakis - 2.9.6-2 - Rebuild with docs