
Bug#987890: marked as done (unblock: python-babel/2.8.0+dfsg.1-7 CVE-2021-20095)



Your message dated Sat, 15 May 2021 12:47:30 +0000
with message-id <E1lhtha-0005zy-Ue@respighi.debian.org>
and subject line unblock python-babel
has caused the Debian Bug report #987890,
regarding unblock: python-babel/2.8.0+dfsg.1-7 CVE-2021-20095
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
987890: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987890
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package python-babel

Version 2.8.0+dfsg.1-7 fixes CVE-2021-20095. See details:
https://bugs.debian.org/987824

Debdiff attached.

Please unblock python-babel/2.8.0+dfsg.1-7

Cheers,

Thomas Goirand (zigo)
diff -Nru python-babel-2.8.0+dfsg.1/debian/changelog python-babel-2.8.0+dfsg.1/debian/changelog
--- python-babel-2.8.0+dfsg.1/debian/changelog	2021-01-21 13:21:26.000000000 +0100
+++ python-babel-2.8.0+dfsg.1/debian/changelog	2021-05-01 17:13:14.000000000 +0200
@@ -1,3 +1,12 @@
+python-babel (2.8.0+dfsg.1-7) unstable; urgency=medium
+
+  * CVE-2021-20095: Relative Path Traversal in Babel 2.9.0 allows an attacker
+    to load arbitrary locale files on disk and execute arbitrary code. Applied
+    upstream patch: Run locale identifiers through `os.path.basename()`.
+    (Closes: #987824).
+
+ -- Thomas Goirand <zigo@debian.org>  Sat, 01 May 2021 17:13:14 +0200
+
 python-babel (2.8.0+dfsg.1-6) unstable; urgency=medium
 
   * Fix doctest deprecation
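Review bot: the new changelog entry says the traversal is "in Babel 2.9.0", yet this upload patches 2.8.0+dfsg.1, so as written it reads as if the version being fixed were unaffected. Describe the bug rather than a release this package does not ship, e.g. "Relative path traversal in babel.localedata (exists()/load()) allows an attacker to load arbitrary locale files on disk and execute arbitrary code", and keep the "Applied upstream patch" sentence as the pointer to the fix.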
diff -Nru python-babel-2.8.0+dfsg.1/debian/control python-babel-2.8.0+dfsg.1/debian/control
--- python-babel-2.8.0+dfsg.1/debian/control	2021-01-21 13:21:26.000000000 +0100
+++ python-babel-2.8.0+dfsg.1/debian/control	2021-05-01 17:13:14.000000000 +0200
@@ -5,7 +5,7 @@
 Uploaders:
  Christoph Haas <haas@debian.org>,
  Thomas Goirand <zigo@debian.org>,
- Nilesh Patra <npatra974@gmail.com>
+ Nilesh Patra <nilesh@debian.org>
 Build-Depends:
  debhelper-compat (= 13),
  dh-python,
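Review bot: the Uploaders change (`- Nilesh Patra <npatra974@gmail.com>` to `+ Nilesh Patra <nilesh@debian.org>`) is unrelated to CVE-2021-20095 and is not mentioned in the changelog entry. For a freeze unblock keep the debdiff to the security fix, or at least add a changelog line such as "Update Nilesh Patra's e-mail address in Uploaders" so the release team can see the extra hunk is intentional.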
diff -Nru python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
--- python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch	2021-05-01 17:13:14.000000000 +0200
@@ -0,0 +1,76 @@
+Description: CVE-2021-20095: Run locale identifiers through `os.path.basename()`
+Author: Aarni Koskela <akx@iki.fi>
+Date: Wed, 28 Apr 2021 10:33:40 +0300
+Bug-Debian: https://bugs.debian.org/987824
+Origin: https://github.com/python-babel/babel/commit/3a700b5b8b53606fd98ef8294a56f9510f7290f8.patch
+Last-Update: 2021-05-01
+
+diff --git a/babel/localedata.py b/babel/localedata.py
+index f4771d1f..11085490 100644
+--- a/babel/localedata.py
++++ b/babel/localedata.py
+@@ -47,6 +47,7 @@ def exists(name):
+     """
+     if not name or not isinstance(name, string_types):
+         return False
++    name = os.path.basename(name)
+     if name in _cache:
+         return True
+     file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
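Review bot: `os.path.basename()` strips the `../` components but still accepts any string, so `exists()` goes on to stat whatever basename is left (`'en/'` becomes `''` and is checked as `.dat`, `'..'` is checked as `...dat`). Locale identifiers are a closed alphabet (`en`, `en_US`, `zh_Hant_TW`, `root`), so a stricter version rejects anything not matching `^[A-Za-z0-9_]+$` before touching the filesystem. The ordering here is right and should be kept: the basename call sits after the `string_types` guard, so non-string input still returns False instead of raising `TypeError`.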
+@@ -102,6 +103,7 @@ def load(name, merge_inherited=True):
+     :raise `IOError`: if no locale data file is found for the given locale
+                       identifer, or one of the locales it inherits from
+     """
++    name = os.path.basename(name)
+     _cache_lock.acquire()
+     try:
+         data = _cache.get(name)
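Review bot: `load()` has no `string_types` guard in front of the new `name = os.path.basename(name)`, unlike `exists()` above, so a non-string identifier now fails with `TypeError` from `basename()` instead of the `IOError` the docstring promises just a few lines up. Either add the same guard or extend the `:raise` entry in the docstring. Normalising before `_cache.get(name)` is the correct spot, since it keeps cache keys identical between `exists()` and `load()` and never caches a traversal spelling of a name.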
+diff --git a/tests/test_localedata.py b/tests/test_localedata.py
+index 83cd6699..9cb4282e 100644
+--- a/tests/test_localedata.py
++++ b/tests/test_localedata.py
+@@ -11,11 +11,17 @@
+ # individuals. For the exact contribution history, see the revision
+ # history and logs, available at http://babel.edgewall.org/log/.
+ 
++import os
++import pickle
++import sys
++import tempfile
+ import unittest
+ import random
+ from operator import methodcaller
+ 
+-from babel import localedata
++import pytest
++
++from babel import localedata, Locale, UnknownLocaleError
+ 
+ 
+ class MergeResolveTestCase(unittest.TestCase):
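Review bot: `+import pytest` is at module level, so `tests/test_localedata.py`, including the pre-existing `unittest.TestCase` classes, no longer imports at all when pytest is absent. Confirm that `python3-pytest` is in Build-Depends and in the autopkgtest dependencies (the debian/control hunk in this debdiff only shows `debhelper-compat` and `dh-python`), or move the import down into `test_locale_name_cleanup()` where it is used.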
+@@ -131,3 +137,25 @@ def listdir_spy(*args):
+     localedata.locale_identifiers.cache = None
+     assert localedata.locale_identifiers()
+     assert len(listdir_calls) == 2
++
++
++def test_locale_name_cleanup():
++    """
++    Test that locale identifiers are cleaned up to avoid directory traversal.
++    """
++    no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999))
++    with open(no_exist_name, "wb") as f:
++        pickle.dump({}, f)
++
++    try:
++        name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0]
++    except ValueError:
++        if sys.platform == "win32":
++            pytest.skip("unable to form relpath")
++        raise
++
++    assert not localedata.exists(name)
++    with pytest.raises(IOError):
++        localedata.load(name)
++    with pytest.raises(UnknownLocaleError):
++        Locale(name)
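Review bot: the fixture in `test_locale_name_cleanup` is never removed and its name comes from `random.randint(1, 99999)`, so every run leaves a `babelNNNNN.dat` pickle in the temp directory and a predictable name can collide with another user's file on a shared `/tmp`. Use `fd, path = tempfile.mkstemp(suffix=".dat")` and wrap the three assertions in `try: ... finally: os.unlink(path)`. The variable name `no_exist_name` is also backwards: the file does exist, which is the point, since the traversal identifier derived with `relpath()` would reach it; `outside_dat` reads better. The assertions themselves are the right ones: the basename of the `../../…` identifier is not a shipped locale, so `exists()` is False and `load()` raises `IOError`.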
diff -Nru python-babel-2.8.0+dfsg.1/debian/patches/series python-babel-2.8.0+dfsg.1/debian/patches/series
--- python-babel-2.8.0+dfsg.1/debian/patches/series	2021-01-21 13:21:26.000000000 +0100
+++ python-babel-2.8.0+dfsg.1/debian/patches/series	2021-05-01 17:13:14.000000000 +0200
@@ -4,3 +4,4 @@
 0004-Fix-utils-test.patch
 0005-fix-methods-changes-wrt-py3.9.patch
 0006-remove-doctest-deprecation.patch
+CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
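Review bot: the new series entry `CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch` drops the `000N-` prefix the other entries use (`0004-`, `0005-`, `0006-`). Name it `0007-CVE-2021-20095-Run-locale-identifiers-through-os.path.basename.patch` so the application order stays explicit in the filename and matches the existing convention.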

--- End Message ---
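As an added illustration (not code from Babel or from this debdiff), the following Python mirrors the shape of `localedata.load()` before and after the patch, run against a throwaway locale directory. Everything in it is constructed for the demo: `_Payload`, `load_unpatched`, `load_patched`, `traversal_identifier`, `demo` and the `en.dat`/`evil.dat` files are hypothetical names, not Babel's API. It borrows the upstream test's trick of deriving the attacker identifier with `os.path.relpath()`, and it shows why the changelog can say "execute arbitrary code": the locale data files are pickles, and unpickling an attacker-controlled file runs whatever callable its `__reduce__` names (here a harmless `os.path.basename`).

```python
import os
import pickle
import shutil
import tempfile


class _Payload:
    """Constructed demo object: unpickling it calls os.path.basename() on a
    string instead of rebuilding the object. That call is harmless here, but
    the same __reduce__ hook is how a real malicious .dat reaches os.system."""

    def __reduce__(self):
        return (os.path.basename, ("/unpickling-ran/attacker-callable",))


def make_locale_dir():
    """Build a throwaway stand-in for babel/locale-data: one legitimate en.dat
    inside it and an attacker-controlled evil.dat one level above it.
    Returns (locale_dir, outside_path); both are constructed for this demo."""
    root = tempfile.mkdtemp(prefix="babel-demo-")
    locale_dir = os.path.join(root, "locale-data")
    os.mkdir(locale_dir)
    with open(os.path.join(locale_dir, "en.dat"), "wb") as f:
        pickle.dump({"locale_id": "en"}, f)
    outside = os.path.join(root, "evil.dat")
    with open(outside, "wb") as f:
        pickle.dump(_Payload(), f)
    return locale_dir, outside


def load_unpatched(locale_dir, name):
    """Pre-fix shape of localedata.load(): the identifier is joined straight
    into the path, so '../evil' walks out of locale_dir."""
    path = os.path.join(locale_dir, "%s.dat" % name)
    with open(path, "rb") as f:
        return pickle.load(f)


def load_patched(locale_dir, name):
    """Post-fix shape: directory components are stripped first, so the lookup
    can only ever open <locale_dir>/<basename>.dat."""
    name = os.path.basename(name)
    path = os.path.join(locale_dir, "%s.dat" % name)
    with open(path, "rb") as f:
        return pickle.load(f)


def traversal_identifier(locale_dir, outside_path):
    """Same construction as the upstream test: the identifier an attacker
    would pass is the relative path from the locale dir to the rogue file,
    minus the .dat suffix that load() appends."""
    return os.path.splitext(os.path.relpath(outside_path, locale_dir))[0]


def demo():
    """Run both lookups against the same identifier and report what happened."""
    locale_dir, outside = make_locale_dir()
    try:
        ident = traversal_identifier(locale_dir, outside)
        results = {
            "identifier": ident,
            "legit": load_patched(locale_dir, "en"),
            # The payload's callable runs inside pickle.load(); the returned
            # string is the proof that it did.
            "unpatched": load_unpatched(locale_dir, ident),
        }
        try:
            load_patched(locale_dir, ident)
            results["patched"] = "loaded (still vulnerable)"
        except IOError:  # FileNotFoundError is an IOError/OSError subclass
            results["patched"] = "rejected"
        return results
    finally:
        shutil.rmtree(os.path.dirname(locale_dir))


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-10s %r" % (key, value))
```

Run it directly to see the four results: the unpatched lookup returns the string produced by the payload's callable, meaning the attacker's code had already run before `load()` returned, while the patched lookup never opens anything outside `locale_dir`. The limit of the fix is also visible: `basename()` stops traversal but does not validate the identifier, so any `<basename>.dat` that happens to sit inside the locale directory still loads.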
--- Begin Message ---
Unblocked.

--- End Message ---