From 7527e0b6a2c6f314cd4a9dd37eea3f76ae52189b Mon Sep 17 00:00:00 2001
From: Felix Schwarz
Date: Mon, 16 Nov 2020 22:53:35 +0100
Subject: [PATCH 1/2] update to 2.8.1

This version only adds compatibility for pytest 6 so this update is mostly to ensure we can do a new build if necessary.
---
 .gitignore | 1 +
 babel.spec | 7 +++++--
 sources | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 32fd9c7..e8b38cd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ Babel-0.9.5.tar.gz
 /Babel-2.6.0.tar.gz
 /Babel-2.7.0.tar.gz
 /Babel-2.8.0.tar.gz
+/Babel-2.8.1.tar.gz
diff --git a/babel.spec b/babel.spec
index a3cb7e2..b96bfb2 100644
--- a/babel.spec
+++ b/babel.spec
@@ -16,8 +16,8 @@
 Name: babel
-Version: 2.8.0
-Release: 7%{?dist}
+Version: 2.8.1
+Release: 1%{?dist}
 Summary: Tools for internationalizing Python applications
 License: BSD
@@ -175,6 +175,9 @@ export TZ=America/New_York
 %endif
 %changelog
+* Mon Nov 16 22:50:40 CET 2020 Felix Schwarz - 2.8.1-1
+- update to 2.8.1
+
 * Mon Jul 27 2020 Fedora Release Engineering - 2.8.0-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
diff --git a/sources b/sources
index 20b1c73..1b0fe18 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (Babel-2.8.0.tar.gz) = f9687b36176c146a8ace073197111463d24fca343bb1dbee8b0e37a7f37b68b4cd77ffbe3bf14a20f8f64c701aa860e0b5e6076658a95dbee2556f0688d68d91
+SHA512 (Babel-2.8.1.tar.gz) = ed39ad01b873d40d0bc611739761d412ff442b2df3d4c2363ec24501547da678cb752f640a02470c8513073a76c468c27fc16248820c779ef7adbe14d0f07199

From da55b37a69c2687a4e69067e5cefa8463781ffbe Mon Sep 17 00:00:00 2001
From: Felix Schwarz
Date: Fri, 30 Apr 2021 21:58:15 +0200
Subject: [PATCH 2/2] backport fix for CVE-2021-20095 from Babel 2.9.1

---
 babel-basename-for-locale-identifier.patch | 79 ++++++++++++++++++++++
 babel.spec | 6 +-
 2 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 babel-basename-for-locale-identifier.patch
diff --git a/babel-basename-for-locale-identifier.patch b/babel-basename-for-locale-identifier.patch
new file mode 100644
index 0000000..6988b71
--- /dev/null
+++ b/babel-basename-for-locale-identifier.patch
@@ -0,0 +1,79 @@
+From 3a700b5b8b53606fd98ef8294a56f9510f7290f8 Mon Sep 17 00:00:00 2001
+From: Aarni Koskela
+Date: Wed, 28 Apr 2021 10:33:40 +0300
+Subject: [PATCH] Run locale identifiers through `os.path.basename()`
+
+---
+ babel/localedata.py | 2 ++
+ tests/test_localedata.py | 30 +++++++++++++++++++++++++++++-
+ 2 files changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/babel/localedata.py b/babel/localedata.py
+index f4771d1f..11085490 100644
+--- a/babel/localedata.py
++++ b/babel/localedata.py
+@@ -47,6 +47,7 @@ def exists(name):
+ """
+ if not name or not isinstance(name, string_types):
+ return False
++ name = os.path.basename(name)
+ if name in _cache:
+ return True
+ file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
+@@ -102,6 +103,7 @@ def load(name, merge_inherited=True):
+ :raise `IOError`: if no locale data file is found for the given locale
+ identifer, or one of the locales it inherits from
+ """
++ name = os.path.basename(name)
+ _cache_lock.acquire()
+ try:
+ data = _cache.get(name)
+diff --git a/tests/test_localedata.py b/tests/test_localedata.py
+index 83cd6699..9cb4282e 100644
+--- a/tests/test_localedata.py
++++ b/tests/test_localedata.py
+@@ -11,11 +11,17 @@
+ # individuals. For the exact contribution history, see the revision
+ # history and logs, available at http://babel.edgewall.org/log/.
+
++import os
++import pickle
++import sys
++import tempfile
+ import unittest
+ import random
+ from operator import methodcaller
+
+-from babel import localedata
++import pytest
++
++from babel import localedata, Locale, UnknownLocaleError
+
+
+ class MergeResolveTestCase(unittest.TestCase):
+@@ -131,3 +137,25 @@ def listdir_spy(*args):
+ localedata.locale_identifiers.cache = None
+ assert localedata.locale_identifiers()
+ assert len(listdir_calls) == 2
++
++
++def test_locale_name_cleanup():
++ """
++ Test that locale identifiers are cleaned up to avoid directory traversal.
++ """ ++ no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999)) ++ with open(no_exist_name, "wb") as f: ++ pickle.dump({}, f) ++ ++ try: ++ name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0] ++ except ValueError: ++ if sys.platform == "win32": ++ pytest.skip("unable to form relpath") ++ raise ++ ++ assert not localedata.exists(name) ++ with pytest.raises(IOError): ++ localedata.load(name) ++ with pytest.raises(UnknownLocaleError): ++ Locale(name) diff --git a/babel.spec b/babel.spec index b96bfb2..f19db54 100644 --- a/babel.spec +++ b/babel.spec @@ -17,7 +17,7 @@ Name: babel Version: 2.8.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Tools for internationalizing Python applications License: BSD @@ -25,6 +25,7 @@ URL: https://babel.pocoo.org/ Source0: %{pypi_source} # https://github.com/python-babel/babel/pull/712 Patch0: babel-python39a6-compat.patch +Patch1: babel-basename-for-locale-identifier.patch BuildArch: noarch @@ -175,6 +176,9 @@ export TZ=America/New_York %endif %changelog +* Fri Apr 30 2021 Felix Schwarz - 2.8.1-2 +- backport fix for CVE-2021-20095 from Babel 2.9.1 + * Mon Nov 16 22:50:40 CET 2020 Felix Schwarz - 2.8.1-1 - update to 2.8.1