Bug#987890: unblock: python-babel/2.8.0+dfsg.1-7 CVE-2021-20095
Hi Thomas, On Sun, May 02, 2021 at 02:08:31PM +0200, Sebastian Ramacher wrote: > Control: tags -1 moreinfo confirmed > > On 2021-05-01 17:25:45 +0200, Thomas Goirand wrote: > > Package: release.debian.org > > Severity: normal > > User: release.debian@packages.debian.org > > Usertags: unblock > > > > Please unblock package python-babel > > > > Version 2.8.0+dfsg.1-7 fixes CVE-2021-20095. See details: > > https://bugs.debian.org/987824 > > > > Debdiff attached. > > > > Please unblock python-babel/2.8.0+dfsg.1-7 > > Please remove the moreinfo tag once the version is available in > unstable. Did you see this ack from Sebastian Ramacher? Regards, Salvatore
Bug#987890: unblock: python-babel/2.8.0+dfsg.1-7 CVE-2021-20095
Control: tags -1 moreinfo confirmed On 2021-05-01 17:25:45 +0200, Thomas Goirand wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: unblock > > Please unblock package python-babel > > Version 2.8.0+dfsg.1-7 fixes CVE-2021-20095. See details: > https://bugs.debian.org/987824 > > Debdiff attached. > > Please unblock python-babel/2.8.0+dfsg.1-7 Please remove the moreinfo tag once the version is available in unstable. Cheers > > Cheers, > > Thomas Goirand (zigo) > diff -Nru python-babel-2.8.0+dfsg.1/debian/changelog > python-babel-2.8.0+dfsg.1/debian/changelog > --- python-babel-2.8.0+dfsg.1/debian/changelog2021-01-21 > 13:21:26.0 +0100 > +++ python-babel-2.8.0+dfsg.1/debian/changelog2021-05-01 > 17:13:14.0 +0200 > @@ -1,3 +1,12 @@ > +python-babel (2.8.0+dfsg.1-7) unstable; urgency=medium > + > + * CVE-2021-20095: Relative Path Traversal in Babel 2.9.0 allows an attacker > +to load arbitrary locale files on disk and execute arbitrary code. > Applied > +upstream patch: Run locale identifiers through `os.path.basename()`. > +(Closes: #987824). > + > + -- Thomas Goirand Sat, 01 May 2021 17:13:14 +0200 > + > python-babel (2.8.0+dfsg.1-6) unstable; urgency=medium > >* Fix doctest deprecation > diff -Nru python-babel-2.8.0+dfsg.1/debian/control > python-babel-2.8.0+dfsg.1/debian/control > --- python-babel-2.8.0+dfsg.1/debian/control 2021-01-21 13:21:26.0 > +0100 > +++ python-babel-2.8.0+dfsg.1/debian/control 2021-05-01 17:13:14.0 > +0200 
> @@ -5,7 +5,7 @@ > Uploaders: > Christoph Haas , > Thomas Goirand , > - Nilesh Patra > + Nilesh Patra > Build-Depends: > debhelper-compat (= 13), > dh-python, > diff -Nru > python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch > > python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch > --- > python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch > 1970-01-01 01:00:00.0 +0100 > +++ > python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch > 2021-05-01 17:13:14.0 +0200 
> @@ -0,0 +1,76 @@ > +Description: CVE-2021-20095: Run locale identifiers through > `os.path.basename()` > +Author: Aarni Koskela > +Date: Wed, 28 Apr 2021 10:33:40 +0300 > +Bug-Debian: https://bugs.debian.org/987824 > +Origin: > https://github.com/python-babel/babel/commit/3a700b5b8b53606fd98ef8294a56f9510f7290f8.patch > +Last-Update: 2021-05-01 > + > +diff --git a/babel/localedata.py b/babel/localedata.py > +index f4771d1f..11085490 100644 > +--- a/babel/localedata.py > b/babel/localedata.py > +@@ -47,6 +47,7 @@ def exists(name): > + """ > + if not name or not isinstance(name, string_types): > + return False > ++name = os.path.basename(name) > + if name in _cache: > + return True > + file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name)) > +@@ -102,6 +103,7 @@ def load(name, merge_inherited=True): > + :raise `IOError`: if no locale data file is found for the given locale > + identifer, or one of the locales it inherits from > + """ > ++name = os.path.basename(name) > + _cache_lock.acquire() > + try: > + data = _cache.get(name) > +diff --git a/tests/test_localedata.py b/tests/test_localedata.py > +index 83cd6699..9cb4282e 100644 > +--- a/tests/test_localedata.py > b/tests/test_localedata.py > +@@ -11,11 +11,17 @@ > + # individuals. For the exact contribution history, see the revision > + # history and logs, available at http://babel.edgewall.org/log/. 
> + > ++import os > ++import pickle > ++import sys > ++import tempfile > + import unittest > + import random > + from operator import methodcaller > + > +-from babel import localedata > ++import pytest > ++ > ++from babel import localedata, Locale, UnknownLocaleError > + > + > + class MergeResolveTestCase(unittest.TestCase): > +@@ -131,3 +137,25 @@ def listdir_spy(*args): > + localedata.locale_identifiers.cache = None > + assert localedata.locale_identifiers() > + assert len(listdir_calls) == 2 > ++ > ++ > ++def test_locale_name_cleanup(): > ++""" > ++Test that locale identifiers are cleaned up to avoid directory > traversal. > ++""" > ++no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % > random.randint(1, 9)) > ++with open(no_exist_name, "wb") as f: > ++pickle.dump({}, f) > ++ > ++try: > ++name = os.path.splitext(os.path.relpath(no_exist_name, > localedata._dirname))[0] > ++except ValueError: > ++if sys.platform == "win32": > ++pytest.skip("unable to form relpath") > ++raise > ++ > ++assert not localedata.exists(name) > ++with pyt
Bug#987890: unblock: python-babel/2.8.0+dfsg.1-7 CVE-2021-20095
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package python-babel Version 2.8.0+dfsg.1-7 fixes CVE-2021-20095. See details: https://bugs.debian.org/987824 Debdiff attached. Please unblock python-babel/2.8.0+dfsg.1-7 Cheers, Thomas Goirand (zigo) diff -Nru python-babel-2.8.0+dfsg.1/debian/changelog python-babel-2.8.0+dfsg.1/debian/changelog --- python-babel-2.8.0+dfsg.1/debian/changelog 2021-01-21 13:21:26.0 +0100 +++ python-babel-2.8.0+dfsg.1/debian/changelog 2021-05-01 17:13:14.0 +0200 @@ -1,3 +1,12 @@ +python-babel (2.8.0+dfsg.1-7) unstable; urgency=medium + + * CVE-2021-20095: Relative Path Traversal in Babel 2.9.0 allows an attacker +to load arbitrary locale files on disk and execute arbitrary code. Applied +upstream patch: Run locale identifiers through `os.path.basename()`. +(Closes: #987824). + + -- Thomas Goirand Sat, 01 May 2021 17:13:14 +0200 + python-babel (2.8.0+dfsg.1-6) unstable; urgency=medium * Fix doctest deprecation diff -Nru python-babel-2.8.0+dfsg.1/debian/control python-babel-2.8.0+dfsg.1/debian/control --- python-babel-2.8.0+dfsg.1/debian/control2021-01-21 13:21:26.0 +0100 +++ python-babel-2.8.0+dfsg.1/debian/control2021-05-01 17:13:14.0 +0200 @@ -5,7 +5,7 @@ Uploaders: Christoph Haas , Thomas Goirand , - Nilesh Patra + Nilesh Patra Build-Depends: debhelper-compat (= 13), dh-python, diff -Nru python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch --- python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch 1970-01-01 01:00:00.0 +0100 +++ python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch 2021-05-01 17:13:14.0 +0200 
@@ -0,0 +1,76 @@ +Description: CVE-2021-20095: Run locale identifiers through `os.path.basename()` +Author: Aarni Koskela +Date: Wed, 28 Apr 2021 10:33:40 +0300 +Bug-Debian: https://bugs.debian.org/987824 +Origin: https://github.com/python-babel/babel/commit/3a700b5b8b53606fd98ef8294a56f9510f7290f8.patch +Last-Update: 2021-05-01 + +diff --git a/babel/localedata.py b/babel/localedata.py +index f4771d1f..11085490 100644 +--- a/babel/localedata.py b/babel/localedata.py +@@ -47,6 +47,7 @@ def exists(name): + """ + if not name or not isinstance(name, string_types): + return False ++name = os.path.basename(name) + if name in _cache: + return True + file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name)) +@@ -102,6 +103,7 @@ def load(name, merge_inherited=True): + :raise `IOError`: if no locale data file is found for the given locale + identifer, or one of the locales it inherits from + """ ++name = os.path.basename(name) + _cache_lock.acquire() + try: + data = _cache.get(name) +diff --git a/tests/test_localedata.py b/tests/test_localedata.py +index 83cd6699..9cb4282e 100644 +--- a/tests/test_localedata.py b/tests/test_localedata.py +@@ -11,11 +11,17 @@ + # individuals. For the exact contribution history, see the revision + # history and logs, available at http://babel.edgewall.org/log/. + ++import os ++import pickle ++import sys ++import tempfile + import unittest + import random + from operator import methodcaller + +-from babel import localedata ++import pytest ++ ++from babel import localedata, Locale, UnknownLocaleError + + + class MergeResolveTestCase(unittest.TestCase): +@@ -131,3 +137,25 @@ def listdir_spy(*args): + localedata.locale_identifiers.cache = None + assert localedata.locale_identifiers() + assert len(listdir_calls) == 2 ++ ++ ++def test_locale_name_cleanup(): ++""" ++Test that locale identifiers are cleaned up to avoid directory traversal. 
++""" ++no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 9)) ++with open(no_exist_name, "wb") as f: ++pickle.dump({}, f) ++ ++try: ++name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0] ++except ValueError: ++if sys.platform == "win32": ++pytest.skip("unable to form relpath") ++raise ++ ++assert not localedata.exists(name) ++with pytest.raises(IOError): ++localedata.load(name) ++with pytest.raises(UnknownLocaleError): ++Locale(name) diff -Nru python-babel-2.8.0+dfsg.1/debian/patches/series python-babel-2.8.0+dfsg.1/debian/patches/series --- python-babel-2.8.0+dfsg.1/debian/patches/series 2021-01-21 13:21:26.0 +0100 +++ python-babel-2.8.0+dfsg.1/debian/patches/series 2021-05-01 17:13:14.0 +0200 @@ -4,3 +4,4 @@ 0004-Fix-utils-test.patch 000
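Review bot: The sanitization added to `exists()` rewrites rather than rejects: `os.path.basename()` runs after the `if not name` guard, so an identifier such as `"en/"` becomes `""` and still reaches `os.path.exists(os.path.join(_dirname, '.dat'))`, while `../../tmp/x` is silently coerced into the unrelated identifier `x`; a fail-closed check such as `if os.path.basename(name) != name: return False` (and the matching `IOError` in `load()`) is easier to reason about, with the basename normalization kept only if upstream compatibility requires it. Both `exists()` and `load()` are only partially visible in the embedded patch context, so the rest of their bodies is outside this hunk. The change also only constrains which file under `_dirname` is opened — the `.dat` files appear to still be deserialized with pickle, as the test fixture's `pickle.dump({}, f)` suggests, so anyone who can write into `_dirname` keeps code execution; the patch description should state that residual trust boundary. Finally, `test_locale_name_cleanup` writes `babel%d.dat` with a nine-way predictable name into the shared temp directory and never deletes it; use pytest's `tmp_path` fixture (or `tempfile.mkdtemp()` with cleanup in a `finally`) so the test neither leaks files nor follows a pre-planted symlink.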