Bug#987890: unblock: python-babel/2.8.0+dfsg.1-7 CVE-2021-20095

2021-05-09 Thread Salvatore Bonaccorso
Hi Thomas,

On Sun, May 02, 2021 at 02:08:31PM +0200, Sebastian Ramacher wrote:
> Control: tags -1 moreinfo confirmed
> 
> On 2021-05-01 17:25:45 +0200, Thomas Goirand wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > 
> > Please unblock package python-babel
> > 
> > Version 2.8.0+dfsg.1-7 fixes CVE-2021-20095. See details:
> > https://bugs.debian.org/987824
> > 
> > Debdiff attached.
> > 
> > Please unblock python-babel/2.8.0+dfsg.1-7
> 
> Please remove the moreinfo tag once the version is available in
> unstable.

Did you see this ack from Sebastian Ramacher?

Regards,
Salvatore



Bug#987890: unblock: python-babel/2.8.0+dfsg.1-7 CVE-2021-20095

2021-05-02 Thread Sebastian Ramacher
Control: tags -1 moreinfo confirmed

On 2021-05-01 17:25:45 +0200, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package python-babel
> 
> Version 2.8.0+dfsg.1-7 fixes CVE-2021-20095. See details:
> https://bugs.debian.org/987824
> 
> Debdiff attached.
> 
> Please unblock python-babel/2.8.0+dfsg.1-7

Please remove the moreinfo tag once the version is available in
unstable.

Cheers

> 
> Cheers,
> 
> Thomas Goirand (zigo)

> diff -Nru python-babel-2.8.0+dfsg.1/debian/changelog 
> python-babel-2.8.0+dfsg.1/debian/changelog
> --- python-babel-2.8.0+dfsg.1/debian/changelog2021-01-21 
> 13:21:26.0 +0100
> +++ python-babel-2.8.0+dfsg.1/debian/changelog2021-05-01 
> 17:13:14.0 +0200
> @@ -1,3 +1,12 @@
> +python-babel (2.8.0+dfsg.1-7) unstable; urgency=medium
> +
> +  * CVE-2021-20095: Relative Path Traversal in Babel 2.9.0 allows an attacker
> +to load arbitrary locale files on disk and execute arbitrary code. 
> Applied
> +upstream patch: Run locale identifiers through `os.path.basename()`.
> +(Closes: #987824).
> +
> + -- Thomas Goirand   Sat, 01 May 2021 17:13:14 +0200
> +
>  python-babel (2.8.0+dfsg.1-6) unstable; urgency=medium
>  
>* Fix doctest deprecation
> diff -Nru python-babel-2.8.0+dfsg.1/debian/control 
> python-babel-2.8.0+dfsg.1/debian/control
> --- python-babel-2.8.0+dfsg.1/debian/control  2021-01-21 13:21:26.0 
> +0100
> +++ python-babel-2.8.0+dfsg.1/debian/control  2021-05-01 17:13:14.0 
> +0200
> @@ -5,7 +5,7 @@
>  Uploaders:
>   Christoph Haas ,
>   Thomas Goirand ,
> - Nilesh Patra 
> + Nilesh Patra 
>  Build-Depends:
>   debhelper-compat (= 13),
>   dh-python,
> diff -Nru 
> python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
>  
> python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
> --- 
> python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
>  1970-01-01 01:00:00.0 +0100
> +++ 
> python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
>  2021-05-01 17:13:14.0 +0200
> @@ -0,0 +1,76 @@
> +Description: CVE-2021-20095: Run locale identifiers through 
> `os.path.basename()`
> +Author: Aarni Koskela 
> +Date: Wed, 28 Apr 2021 10:33:40 +0300
> +Bug-Debian: https://bugs.debian.org/987824
> +Origin: 
> https://github.com/python-babel/babel/commit/3a700b5b8b53606fd98ef8294a56f9510f7290f8.patch
> +Last-Update: 2021-05-01
> +
> +diff --git a/babel/localedata.py b/babel/localedata.py
> +index f4771d1f..11085490 100644
> +--- a/babel/localedata.py
>  b/babel/localedata.py
> +@@ -47,6 +47,7 @@ def exists(name):
> + """
> + if not name or not isinstance(name, string_types):
> + return False
> ++name = os.path.basename(name)
> + if name in _cache:
> + return True
> + file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
> +@@ -102,6 +103,7 @@ def load(name, merge_inherited=True):
> + :raise `IOError`: if no locale data file is found for the given locale
> +   identifer, or one of the locales it inherits from
> + """
> ++name = os.path.basename(name)
> + _cache_lock.acquire()
> + try:
> + data = _cache.get(name)
> +diff --git a/tests/test_localedata.py b/tests/test_localedata.py
> +index 83cd6699..9cb4282e 100644
> +--- a/tests/test_localedata.py
>  b/tests/test_localedata.py
> +@@ -11,11 +11,17 @@
> + # individuals. For the exact contribution history, see the revision
> + # history and logs, available at http://babel.edgewall.org/log/.
> + 
> ++import os
> ++import pickle
> ++import sys
> ++import tempfile
> + import unittest
> + import random
> + from operator import methodcaller
> + 
> +-from babel import localedata
> ++import pytest
> ++
> ++from babel import localedata, Locale, UnknownLocaleError
> + 
> + 
> + class MergeResolveTestCase(unittest.TestCase):
> +@@ -131,3 +137,25 @@ def listdir_spy(*args):
> + localedata.locale_identifiers.cache = None
> + assert localedata.locale_identifiers()
> + assert len(listdir_calls) == 2
> ++
> ++
> ++def test_locale_name_cleanup():
> ++"""
> ++Test that locale identifiers are cleaned up to avoid directory 
> traversal.
> ++"""
> ++no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % 
> random.randint(1, 9))
> ++with open(no_exist_name, "wb") as f:
> ++pickle.dump({}, f)
> ++
> ++try:
> ++name = os.path.splitext(os.path.relpath(no_exist_name, 
> localedata._dirname))[0]
> ++except ValueError:
> ++if sys.platform == "win32":
> ++pytest.skip("unable to form relpath")
> ++raise
> ++
> ++assert not localedata.exists(name)
> ++with pyt

Bug#987890: unblock: python-babel/2.8.0+dfsg.1-7 CVE-2021-20095

2021-05-01 Thread Thomas Goirand
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package python-babel

Version 2.8.0+dfsg.1-7 fixes CVE-2021-20095. See details:
https://bugs.debian.org/987824

Debdiff attached.

Please unblock python-babel/2.8.0+dfsg.1-7

Cheers,

Thomas Goirand (zigo)
diff -Nru python-babel-2.8.0+dfsg.1/debian/changelog 
python-babel-2.8.0+dfsg.1/debian/changelog
--- python-babel-2.8.0+dfsg.1/debian/changelog  2021-01-21 13:21:26.0 
+0100
+++ python-babel-2.8.0+dfsg.1/debian/changelog  2021-05-01 17:13:14.0 
+0200
@@ -1,3 +1,12 @@
+python-babel (2.8.0+dfsg.1-7) unstable; urgency=medium
+
+  * CVE-2021-20095: Relative Path Traversal in Babel 2.9.0 allows an attacker
+to load arbitrary locale files on disk and execute arbitrary code. Applied
+upstream patch: Run locale identifiers through `os.path.basename()`.
+(Closes: #987824).
+
+ -- Thomas Goirand   Sat, 01 May 2021 17:13:14 +0200
+
 python-babel (2.8.0+dfsg.1-6) unstable; urgency=medium
 
   * Fix doctest deprecation
diff -Nru python-babel-2.8.0+dfsg.1/debian/control 
python-babel-2.8.0+dfsg.1/debian/control
--- python-babel-2.8.0+dfsg.1/debian/control2021-01-21 13:21:26.0 
+0100
+++ python-babel-2.8.0+dfsg.1/debian/control2021-05-01 17:13:14.0 
+0200
@@ -5,7 +5,7 @@
 Uploaders:
  Christoph Haas ,
  Thomas Goirand ,
- Nilesh Patra 
+ Nilesh Patra 
 Build-Depends:
  debhelper-compat (= 13),
  dh-python,
diff -Nru 
python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
 
python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
--- 
python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
   1970-01-01 01:00:00.0 +0100
+++ 
python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
   2021-05-01 17:13:14.0 +0200
@@ -0,0 +1,76 @@
+Description: CVE-2021-20095: Run locale identifiers through 
`os.path.basename()`
+Author: Aarni Koskela 
+Date: Wed, 28 Apr 2021 10:33:40 +0300
+Bug-Debian: https://bugs.debian.org/987824
+Origin: 
https://github.com/python-babel/babel/commit/3a700b5b8b53606fd98ef8294a56f9510f7290f8.patch
+Last-Update: 2021-05-01
+
+diff --git a/babel/localedata.py b/babel/localedata.py
+index f4771d1f..11085490 100644
+--- a/babel/localedata.py
 b/babel/localedata.py
+@@ -47,6 +47,7 @@ def exists(name):
+ """
+ if not name or not isinstance(name, string_types):
+ return False
++name = os.path.basename(name)
+ if name in _cache:
+ return True
+ file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
+@@ -102,6 +103,7 @@ def load(name, merge_inherited=True):
+ :raise `IOError`: if no locale data file is found for the given locale
+   identifer, or one of the locales it inherits from
+ """
++name = os.path.basename(name)
+ _cache_lock.acquire()
+ try:
+ data = _cache.get(name)
+diff --git a/tests/test_localedata.py b/tests/test_localedata.py
+index 83cd6699..9cb4282e 100644
+--- a/tests/test_localedata.py
 b/tests/test_localedata.py
+@@ -11,11 +11,17 @@
+ # individuals. For the exact contribution history, see the revision
+ # history and logs, available at http://babel.edgewall.org/log/.
+ 
++import os
++import pickle
++import sys
++import tempfile
+ import unittest
+ import random
+ from operator import methodcaller
+ 
+-from babel import localedata
++import pytest
++
++from babel import localedata, Locale, UnknownLocaleError
+ 
+ 
+ class MergeResolveTestCase(unittest.TestCase):
+@@ -131,3 +137,25 @@ def listdir_spy(*args):
+ localedata.locale_identifiers.cache = None
+ assert localedata.locale_identifiers()
+ assert len(listdir_calls) == 2
++
++
++def test_locale_name_cleanup():
++"""
++Test that locale identifiers are cleaned up to avoid directory traversal.
++"""
++no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % 
random.randint(1, 9))
++with open(no_exist_name, "wb") as f:
++pickle.dump({}, f)
++
++try:
++name = os.path.splitext(os.path.relpath(no_exist_name, 
localedata._dirname))[0]
++except ValueError:
++if sys.platform == "win32":
++pytest.skip("unable to form relpath")
++raise
++
++assert not localedata.exists(name)
++with pytest.raises(IOError):
++localedata.load(name)
++with pytest.raises(UnknownLocaleError):
++Locale(name)
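Review bot: The added `name = os.path.basename(name)` in `exists()` and `load()` normalises a traversal-shaped identifier instead of rejecting it, so an input like `../../something` is quietly turned into a lookup for `something` and neither the caller nor any log learns that the value was malformed; a form that keeps the same fix but fails closed would be `if name != os.path.basename(name): return False` in `exists()` and `if name != os.path.basename(name): raise IOError("invalid locale identifier %r" % name)` in `load()`, which the added test should still accept since it expects `IOError` from `load()` and `UnknownLocaleError` from `Locale()`. The normalised name still flows into `'%s.dat' % name` and `os.path.join(_dirname, ...)` a few lines below, so a short why-comment at the insertion point, e.g. `# CVE-2021-20095: never let a path separator reach os.path.join below`, would keep the intent visible to a reader without the CVE context. In the new `test_locale_name_cleanup`, the fixture is written to a predictable path in the shared temp directory (`"babel%d.dat" % random.randint(1, 9)`) and is never removed; `tempfile.NamedTemporaryFile(suffix=".dat", delete=False)` with an `os.remove` in a `finally` block avoids both the predictable name and the leftover file. Indentation of the embedded Python is lost in this listing, so the placement of the quoted lines is inferred from the surrounding context, and the `+++ b/babel/localedata.py` and `+++ b/tests/test_localedata.py` headers appearing here as ` b/...` looks like a rendering artefact of the mail archive rather than a defect in the patch file itself.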
diff -Nru python-babel-2.8.0+dfsg.1/debian/patches/series 
python-babel-2.8.0+dfsg.1/debian/patches/series
--- python-babel-2.8.0+dfsg.1/debian/patches/series 2021-01-21 
13:21:26.0 +0100
+++ python-babel-2.8.0+dfsg.1/debian/patches/series 2021-05-01 
17:13:14.0 +0200
@@ -4,3 +4,4 @@
 0004-Fix-utils-test.patch
 000