diff --git a/babel-basename-for-locale-identifier.patch b/babel-basename-for-locale-identifier.patch
new file mode 100644
index 0000000..6988b71
--- /dev/null
+++ b/babel-basename-for-locale-identifier.patch
@@ -0,0 +1,79 @@
+From 3a700b5b8b53606fd98ef8294a56f9510f7290f8 Mon Sep 17 00:00:00 2001
+From: Aarni Koskela
+Date: Wed, 28 Apr 2021 10:33:40 +0300
+Subject: [PATCH] Run locale identifiers through `os.path.basename()`
+
+---
+ babel/localedata.py | 2 ++
+ tests/test_localedata.py | 30 +++++++++++++++++++++++++++++-
+ 2 files changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/babel/localedata.py b/babel/localedata.py
+index f4771d1f..11085490 100644
+--- a/babel/localedata.py
++++ b/babel/localedata.py
+@@ -47,6 +47,7 @@ def exists(name):
+ """
+ if not name or not isinstance(name, string_types):
+ return False
++ name = os.path.basename(name)
+ if name in _cache:
+ return True
+ file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
+@@ -102,6 +103,7 @@ def load(name, merge_inherited=True):
+ :raise `IOError`: if no locale data file is found for the given locale
+ identifer, or one of the locales it inherits from
+ """
++ name = os.path.basename(name)
+ _cache_lock.acquire()
+ try:
+ data = _cache.get(name)
+diff --git a/tests/test_localedata.py b/tests/test_localedata.py
+index 83cd6699..9cb4282e 100644
+--- a/tests/test_localedata.py
++++ b/tests/test_localedata.py
+@@ -11,11 +11,17 @@
+ # individuals. For the exact contribution history, see the revision
+ # history and logs, available at http://babel.edgewall.org/log/.
+
++import os
++import pickle
++import sys
++import tempfile
+ import unittest
+ import random
+ from operator import methodcaller
+
+-from babel import localedata
++import pytest
++
++from babel import localedata, Locale, UnknownLocaleError
+
+
+ class MergeResolveTestCase(unittest.TestCase):
+@@ -131,3 +137,25 @@ def listdir_spy(*args):
+ localedata.locale_identifiers.cache = None
+ assert localedata.locale_identifiers()
+ assert len(listdir_calls) == 2
++
++
++def test_locale_name_cleanup():
++ """
++ Test that locale identifiers are cleaned up to avoid directory traversal.
++ """
++ no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999))
++ with open(no_exist_name, "wb") as f:
++ pickle.dump({}, f)
++
++ try:
++ name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0]
++ except ValueError:
++ if sys.platform == "win32":
++ pytest.skip("unable to form relpath")
++ raise
++
++ assert not localedata.exists(name)
++ with pytest.raises(IOError):
++ localedata.load(name)
++ with pytest.raises(UnknownLocaleError):
++ Locale(name)
diff --git a/babel-fix-integers-for-future-flags.patch b/babel-fix-integers-for-future-flags.patch
new file mode 100644
index 0000000..df10081
--- /dev/null
+++ b/babel-fix-integers-for-future-flags.patch
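Review bot: In `exists()` and `load()` the added `name = os.path.basename(name)` silently rewrites an identifier that contains path separators instead of rejecting it, so a traversal-shaped name whose last component matches a bundled locale would presumably resolve to that locale rather than fail. The new test only covers a last component that has no data file in the locale directory, and it builds its `.dat` with `pickle.dump`, which suggests these files are unpickled on load and is why the lookup must stay inside `_dirname`. Consider failing closed and saying so in a comment: `if os.path.basename(name) != name: return False` in `exists()`, and the same comparison raising `IOError` in `load()`. The test also leaves its file behind in the temp directory; wrapping the assertions in `try:` / `finally: os.remove(no_exist_name)` would clean it up. Both function bodies continue outside their hunks.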
@@ -0,0 +1,68 @@
+From f3651bebd3216cc276f7642c3807cc8d08f2bd23 Mon Sep 17 00:00:00 2001
+From: Felix Schwarz
+Date: Tue, 5 May 2020 08:05:56 +0000
+Subject: [PATCH] fix tests when using Python 3.9a6
+
+In Python 3.9a6 integer values for future flags were changed to prevent
+collision with compiler flags. We need to retrieve these at runtime so
+the test suite works with Python <= 3.8 as well as Python 3.9.
+---
+ tests/test_util.py | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/tests/test_util.py b/tests/test_util.py
+index a6a4450c..b9343aaa 100644
+--- a/tests/test_util.py
++++ b/tests/test_util.py
+@@ -11,6 +11,7 @@
+ # individuals. For the exact contribution history, see the revision
+ # history and logs, available at http://babel.edgewall.org/log/.
+
++import __future__
+ import unittest
+
+ import pytest
+@@ -20,6 +21,12 @@
+ from babel.util import parse_future_flags
+
+
++class _FF:
++ division = __future__.division.compiler_flag
++ print_function = __future__.print_function.compiler_flag
++ with_statement = __future__.with_statement.compiler_flag
++ unicode_literals = __future__.unicode_literals.compiler_flag
++
+ def test_distinct():
+ assert list(util.distinct([1, 2, 1, 3, 4, 4])) == [1, 2, 3, 4]
+ assert list(util.distinct('foobar')) == ['f', 'o', 'b', 'a', 'r']
+@@ -70,25 +77,25 @@ def test_parse_encoding_non_ascii():
+ from __future__ import print_function,
+ division, with_statement,
+ unicode_literals
+-''', 0x10000 | 0x2000 | 0x8000 | 0x20000),
++''', _FF.print_function | _FF.division | _FF.with_statement | _FF.unicode_literals),
+ ('''
+ from __future__ import print_function, division
+ print('hello')
+-''', 0x10000 | 0x2000),
++''', _FF.print_function | _FF.division),
+ ('''
+ from __future__ import print_function, division, unknown,,,,,
+ print 'hello'
+-''', 0x10000 | 0x2000),
++''', _FF.print_function | _FF.division),
+ ('''
+ from __future__ import (
+ print_function,
+ division)
+-''', 0x10000 |
0x2000), ++''', _FF.print_function | _FF.division), + (''' + from __future__ import \\ + print_function, \\ + division +-''', 0x10000 | 0x2000), ++''', _FF.print_function | _FF.division), + ]) + def test_parse_future(source, result): + fp = BytesIO(source.encode('latin-1')) diff --git a/babel.spec b/babel.spec index 8fad83b..46721dd 100644 --- a/babel.spec +++ b/babel.spec @@ -22,12 +22,14 @@ Name: babel Version: 2.8.0 -Release: 2%{?dist} +Release: 4%{?dist} Summary: Tools for internationalizing Python applications License: BSD URL: http://babel.pocoo.org/ Source0: https://files.pythonhosted.org/packages/source/B/%{srcname}/%{srcname}-%{version}.tar.gz +Patch: babel-fix-integers-for-future-flags.patch +Patch1: babel-basename-for-locale-identifier.patch BuildArch: noarch @@ -121,7 +123,7 @@ Documentation for Babel %endif %prep -%autosetup -n %{srcname}-%{version} +%autosetup -n %{srcname}-%{version} -p1 %build %if %{with python2} @@ -178,6 +180,12 @@ export TZ=America/New_York %endif %changelog +* Fri Apr 30 2021 Felix Schwarz - 2.8.1-2 +- backport fix for CVE-2021-20095 from Babel 2.9.1 + +* Fri Jan 1 2021 Felix Schwarz - 2.8.0-3 +- rebuilt + * Tue Jan 28 2020 Fedora Release Engineering - 2.8.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
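Review bot: The first babel.spec hunk sets `Release: 4%{?dist}` and leaves `Version: 2.8.0`, but the `%changelog` entry added in the last hunk for the CVE-2021-20095 backport is stamped `2.8.1-2`, a version-release this spec does not build; it should read `2.8.0-4`. Anyone checking from the changelog whether an installed build carries the fix would be looking for the wrong version-release. It would also help to put a comment above `Patch1:` naming the issue, e.g. `# CVE-2021-20095: directory traversal via locale identifier, backported from Babel 2.9.1`, so the patch is not dropped by accident before the package moves to a release that contains the fix.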