Your message dated Sat, 15 May 2021 12:47:30 +0000
with message-id <[email protected]>
and subject line unblock python-babel
has caused the Debian Bug report #987890,
regarding unblock: python-babel/2.8.0+dfsg.1-7 CVE-2021-20095
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
987890: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987890
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package python-babel

Version 2.8.0+dfsg.1-7 fixes CVE-2021-20095. See details:
https://bugs.debian.org/987824

Debdiff attached.

Please unblock python-babel/2.8.0+dfsg.1-7

Cheers,

Thomas Goirand (zigo)
diff -Nru python-babel-2.8.0+dfsg.1/debian/changelog 
python-babel-2.8.0+dfsg.1/debian/changelog
--- python-babel-2.8.0+dfsg.1/debian/changelog  2021-01-21 13:21:26.000000000 
+0100
+++ python-babel-2.8.0+dfsg.1/debian/changelog  2021-05-01 17:13:14.000000000 
+0200
@@ -1,3 +1,12 @@
+python-babel (2.8.0+dfsg.1-7) unstable; urgency=medium
+
+  * CVE-2021-20095: Relative Path Traversal in Babel 2.9.0 allows an attacker
+    to load arbitrary locale files on disk and execute arbitrary code. Applied
+    upstream patch: Run locale identifiers through `os.path.basename()`.
+    (Closes: #987824).
+
+ -- Thomas Goirand <[email protected]>  Sat, 01 May 2021 17:13:14 +0200
+
 python-babel (2.8.0+dfsg.1-6) unstable; urgency=medium
 
   * Fix doctest deprecation
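Review bot: the affected version given in the changelog entry (`Relative Path Traversal in Babel 2.9.0`) is copied from the CVE text, but this upload patches 2.8.0+dfsg.1, so the entry reads as if 2.8.0 were not affected; state the range the fix covers, or drop the version and just name the bug. It would also help reviewers to say why a path traversal becomes code execution here: the locale `.dat` files are unpickled on load (the new test writes its decoy file with `pickle.dump`), so an attacker-chosen file is an attacker-chosen pickle.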
diff -Nru python-babel-2.8.0+dfsg.1/debian/control 
python-babel-2.8.0+dfsg.1/debian/control
--- python-babel-2.8.0+dfsg.1/debian/control    2021-01-21 13:21:26.000000000 
+0100
+++ python-babel-2.8.0+dfsg.1/debian/control    2021-05-01 17:13:14.000000000 
+0200
@@ -5,7 +5,7 @@
 Uploaders:
  Christoph Haas <[email protected]>,
  Thomas Goirand <[email protected]>,
- Nilesh Patra <[email protected]>
+ Nilesh Patra <[email protected]>
 Build-Depends:
  debhelper-compat (= 13),
  dh-python,
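Review bot: the Uploaders change (`- Nilesh Patra <[email protected]>` / `+ Nilesh Patra <[email protected]>`) is unrelated to CVE-2021-20095 and is not mentioned in the changelog entry, so the debdiff is not a pure security fix; for a freeze unblock, either note the address update in the changelog or keep it for a later upload.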
diff -Nru 
python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
 
python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
--- 
python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
       1970-01-01 01:00:00.000000000 +0100
+++ 
python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
       2021-05-01 17:13:14.000000000 +0200
@@ -0,0 +1,76 @@
+Description: CVE-2021-20095: Run locale identifiers through 
`os.path.basename()`
+Author: Aarni Koskela <[email protected]>
+Date: Wed, 28 Apr 2021 10:33:40 +0300
+Bug-Debian: https://bugs.debian.org/987824
+Origin: 
https://github.com/python-babel/babel/commit/3a700b5b8b53606fd98ef8294a56f9510f7290f8.patch
+Last-Update: 2021-05-01
+
+diff --git a/babel/localedata.py b/babel/localedata.py
+index f4771d1f..11085490 100644
+--- a/babel/localedata.py
++++ b/babel/localedata.py
+@@ -47,6 +47,7 @@ def exists(name):
+     """
+     if not name or not isinstance(name, string_types):
+         return False
++    name = os.path.basename(name)
+     if name in _cache:
+         return True
+     file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
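Review bot: `name = os.path.basename(name)` normalises rather than rejects a traversal attempt, so `exists('../../some/dir/en')` now quietly reports the answer for `en` instead of returning False; if a locale identifier should never contain a path separator, returning False (or raising) when `name != os.path.basename(name)` would surface bad input rather than silently remapping it. Also note that `os.path.basename('en/')` is the empty string, which then probes `_dirname/.dat`; harmless, but the docstring ending just above should say the identifier is reduced to its final path component.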
+@@ -102,6 +103,7 @@ def load(name, merge_inherited=True):
+     :raise `IOError`: if no locale data file is found for the given locale
+                       identifer, or one of the locales it inherits from
+     """
++    name = os.path.basename(name)
+     _cache_lock.acquire()
+     try:
+         data = _cache.get(name)
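Review bot: the same `name = os.path.basename(name)` line is now duplicated in `exists()` and `load()`; a single helper called from both would keep them in sync and give any future entry point one place to pick up the normalisation. Applying it before `_cache_lock.acquire()` is right, since the cache key must be the normalised name. Minor: the context line in the docstring still has the typo `identifer`.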
+diff --git a/tests/test_localedata.py b/tests/test_localedata.py
+index 83cd6699..9cb4282e 100644
+--- a/tests/test_localedata.py
++++ b/tests/test_localedata.py
+@@ -11,11 +11,17 @@
+ # individuals. For the exact contribution history, see the revision
+ # history and logs, available at http://babel.edgewall.org/log/.
+ 
++import os
++import pickle
++import sys
++import tempfile
+ import unittest
+ import random
+ from operator import methodcaller
+ 
+-from babel import localedata
++import pytest
++
++from babel import localedata, Locale, UnknownLocaleError
+ 
+ 
+ class MergeResolveTestCase(unittest.TestCase):
+@@ -131,3 +137,25 @@ def listdir_spy(*args):
+     localedata.locale_identifiers.cache = None
+     assert localedata.locale_identifiers()
+     assert len(listdir_calls) == 2
++
++
++def test_locale_name_cleanup():
++    """
++    Test that locale identifiers are cleaned up to avoid directory traversal.
++    """
++    no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % 
random.randint(1, 99999))
++    with open(no_exist_name, "wb") as f:
++        pickle.dump({}, f)
++
++    try:
++        name = os.path.splitext(os.path.relpath(no_exist_name, 
localedata._dirname))[0]
++    except ValueError:
++        if sys.platform == "win32":
++            pytest.skip("unable to form relpath")
++        raise
++
++    assert not localedata.exists(name)
++    with pytest.raises(IOError):
++        localedata.load(name)
++    with pytest.raises(UnknownLocaleError):
++        Locale(name)
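Review bot: `test_locale_name_cleanup` never removes `no_exist_name`, so each run leaves a `babel<N>.dat` file behind in the temp directory; wrap the body in `try/finally` with `os.unlink(no_exist_name)`, or build the file with `tempfile.mkstemp()` or pytest's `tmp_path` fixture instead of `random.randint`, which also removes the small chance of clobbering an existing file. The `ValueError` branch means the traversal check is skipped, not run, whenever the temp dir and `localedata._dirname` sit on different Windows drives; worth a comment so nobody reads the skip as coverage.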
diff -Nru python-babel-2.8.0+dfsg.1/debian/patches/series 
python-babel-2.8.0+dfsg.1/debian/patches/series
--- python-babel-2.8.0+dfsg.1/debian/patches/series     2021-01-21 
13:21:26.000000000 +0100
+++ python-babel-2.8.0+dfsg.1/debian/patches/series     2021-05-01 
17:13:14.000000000 +0200
@@ -4,3 +4,4 @@
 0004-Fix-utils-test.patch
 0005-fix-methods-changes-wrt-py3.9.patch
 0006-remove-doctest-deprecation.patch
+CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---