Control: tags -1 moreinfo confirmed
On 2021-05-01 17:25:45 +0200, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Please unblock package python-babel
>
> Version 2.8.0+dfsg.1-7 fixes CVE-2021-20095. See details:
> https://bugs.debian.org/987824
>
> Debdiff attached.
>
> Please unblock python-babel/2.8.0+dfsg.1-7
Please remove the moreinfo tag once the version is available in
unstable.
Cheers
>
> Cheers,
>
> Thomas Goirand (zigo)
> diff -Nru python-babel-2.8.0+dfsg.1/debian/changelog python-babel-2.8.0+dfsg.1/debian/changelog
> --- python-babel-2.8.0+dfsg.1/debian/changelog 2021-01-21 13:21:26.000000000 +0100
> +++ python-babel-2.8.0+dfsg.1/debian/changelog 2021-05-01 17:13:14.000000000 +0200
> @@ -1,3 +1,12 @@
> +python-babel (2.8.0+dfsg.1-7) unstable; urgency=medium
> +
> + * CVE-2021-20095: Relative Path Traversal in Babel 2.9.0 allows an attacker
> + to load arbitrary locale files on disk and execute arbitrary code. Applied
> + upstream patch: Run locale identifiers through `os.path.basename()`.
> + (Closes: #987824).
> +
> + -- Thomas Goirand <zigo@debian.org> Sat, 01 May 2021 17:13:14 +0200
> +
> python-babel (2.8.0+dfsg.1-6) unstable; urgency=medium
>
> * Fix doctest deprecation
> diff -Nru python-babel-2.8.0+dfsg.1/debian/control python-babel-2.8.0+dfsg.1/debian/control
> --- python-babel-2.8.0+dfsg.1/debian/control 2021-01-21 13:21:26.000000000 +0100
> +++ python-babel-2.8.0+dfsg.1/debian/control 2021-05-01 17:13:14.000000000 +0200
> @@ -5,7 +5,7 @@
> Uploaders:
> Christoph Haas <haas@debian.org>,
> Thomas Goirand <zigo@debian.org>,
> - Nilesh Patra <npatra974@gmail.com>
> + Nilesh Patra <nilesh@debian.org>
> Build-Depends:
> debhelper-compat (= 13),
> dh-python,
> diff -Nru python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
> --- python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch 1970-01-01 01:00:00.000000000 +0100
> +++ python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch 2021-05-01 17:13:14.000000000 +0200
> @@ -0,0 +1,76 @@
> +Description: CVE-2021-20095: Run locale identifiers through `os.path.basename()`
> +Author: Aarni Koskela <akx@iki.fi>
> +Date: Wed, 28 Apr 2021 10:33:40 +0300
> +Bug-Debian: https://bugs.debian.org/987824
> +Origin: https://github.com/python-babel/babel/commit/3a700b5b8b53606fd98ef8294a56f9510f7290f8.patch
> +Last-Update: 2021-05-01
> +
> +diff --git a/babel/localedata.py b/babel/localedata.py
> +index f4771d1f..11085490 100644
> +--- a/babel/localedata.py
> ++++ b/babel/localedata.py
> +@@ -47,6 +47,7 @@ def exists(name):
> + """
> + if not name or not isinstance(name, string_types):
> + return False
> ++ name = os.path.basename(name)
> + if name in _cache:
> + return True
> + file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
> +@@ -102,6 +103,7 @@ def load(name, merge_inherited=True):
> + :raise `IOError`: if no locale data file is found for the given locale
> + identifer, or one of the locales it inherits from
> + """
> ++ name = os.path.basename(name)
> + _cache_lock.acquire()
> + try:
> + data = _cache.get(name)
> +diff --git a/tests/test_localedata.py b/tests/test_localedata.py
> +index 83cd6699..9cb4282e 100644
> +--- a/tests/test_localedata.py
> ++++ b/tests/test_localedata.py
> +@@ -11,11 +11,17 @@
> + # individuals. For the exact contribution history, see the revision
> + # history and logs, available at http://babel.edgewall.org/log/.
> +
> ++import os
> ++import pickle
> ++import sys
> ++import tempfile
> + import unittest
> + import random
> + from operator import methodcaller
> +
> +-from babel import localedata
> ++import pytest
> ++
> ++from babel import localedata, Locale, UnknownLocaleError
> +
> +
> + class MergeResolveTestCase(unittest.TestCase):
> +@@ -131,3 +137,25 @@ def listdir_spy(*args):
> + localedata.locale_identifiers.cache = None
> + assert localedata.locale_identifiers()
> + assert len(listdir_calls) == 2
> ++
> ++
> ++def test_locale_name_cleanup():
> ++ """
> ++ Test that locale identifiers are cleaned up to avoid directory traversal.
> ++ """
> ++ no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999))
> ++ with open(no_exist_name, "wb") as f:
> ++ pickle.dump({}, f)
> ++
> ++ try:
> ++ name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0]
> ++ except ValueError:
> ++ if sys.platform == "win32":
> ++ pytest.skip("unable to form relpath")
> ++ raise
> ++
> ++ assert not localedata.exists(name)
> ++ with pytest.raises(IOError):
> ++ localedata.load(name)
> ++ with pytest.raises(UnknownLocaleError):
> ++ Locale(name)
> diff -Nru python-babel-2.8.0+dfsg.1/debian/patches/series python-babel-2.8.0+dfsg.1/debian/patches/series
> --- python-babel-2.8.0+dfsg.1/debian/patches/series 2021-01-21 13:21:26.000000000 +0100
> +++ python-babel-2.8.0+dfsg.1/debian/patches/series 2021-05-01 17:13:14.000000000 +0200
> @@ -4,3 +4,4 @@
> 0004-Fix-utils-test.patch
> 0005-fix-methods-changes-wrt-py3.9.patch
> 0006-remove-doctest-deprecation.patch
> +CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
--
Sebastian Ramacher
Attachment:
signature.asc
Description: PGP signature