backport fix for CVE-2021-20095 from Babel 2.9.1

bump spec so we can rebuilt babel
fix build on F32
2021-04-30 22:31:43 +02:00 · 2021-01-01 22:24:29 +01:00 · 2021-01-01 22:21:13 +01:00
3 changed files with 157 additions and 2 deletions
--- a/babel-basename-for-locale-identifier.patch
+++ b/babel-basename-for-locale-identifier.patch
@ -0,0 +1,79 @@
+From 3a700b5b8b53606fd98ef8294a56f9510f7290f8 Mon Sep 17 00:00:00 2001
+From: Aarni Koskela <akx@iki.fi>
+Date: Wed, 28 Apr 2021 10:33:40 +0300
+Subject: [PATCH] Run locale identifiers through `os.path.basename()`
+
+---
+ babel/localedata.py      |  2 ++
+ tests/test_localedata.py | 30 +++++++++++++++++++++++++++++-
+ 2 files changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/babel/localedata.py b/babel/localedata.py
+index f4771d1f..11085490 100644
+--- a/babel/localedata.py
+++ b/babel/localedata.py
+@@ -47,6 +47,7 @@ def exists(name):
+     """
+     if not name or not isinstance(name, string_types):
+         return False
+    name = os.path.basename(name)
+     if name in _cache:
+         return True
+     file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
+@@ -102,6 +103,7 @@ def load(name, merge_inherited=True):
+     :raise `IOError`: if no locale data file is found for the given locale
+                       identifer, or one of the locales it inherits from
+     """
+    name = os.path.basename(name)
+     _cache_lock.acquire()
+     try:
+         data = _cache.get(name)
+diff --git a/tests/test_localedata.py b/tests/test_localedata.py
+index 83cd6699..9cb4282e 100644
+--- a/tests/test_localedata.py
+++ b/tests/test_localedata.py
+@@ -11,11 +11,17 @@
+ # individuals. For the exact contribution history, see the revision
+ # history and logs, available at http://babel.edgewall.org/log/.
+ 
+import os
+import pickle
+import sys
+import tempfile
+ import unittest
+ import random
+ from operator import methodcaller
+ 
+-from babel import localedata
+import pytest
+
+from babel import localedata, Locale, UnknownLocaleError
+ 
+ 
+ class MergeResolveTestCase(unittest.TestCase):
+@@ -131,3 +137,25 @@ def listdir_spy(*args):
+     localedata.locale_identifiers.cache = None
+     assert localedata.locale_identifiers()
+     assert len(listdir_calls) == 2
+
+
+def test_locale_name_cleanup():
+    """
+    Test that locale identifiers are cleaned up to avoid directory traversal.
+    """
+    no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999))
+    with open(no_exist_name, "wb") as f:
+        pickle.dump({}, f)
+
+    try:
+        name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0]
+    except ValueError:
+        if sys.platform == "win32":
+            pytest.skip("unable to form relpath")
+        raise
+
+    assert not localedata.exists(name)
+    with pytest.raises(IOError):
+        localedata.load(name)
+    with pytest.raises(UnknownLocaleError):
+        Locale(name)
--- a/babel-fix-integers-for-future-flags.patch
+++ b/babel-fix-integers-for-future-flags.patch
@ -0,0 +1,68 @@
+From f3651bebd3216cc276f7642c3807cc8d08f2bd23 Mon Sep 17 00:00:00 2001
+From: Felix Schwarz <felix.schwarz@oss.schwarz.eu>
+Date: Tue, 5 May 2020 08:05:56 +0000
+Subject: [PATCH] fix tests when using Python 3.9a6
+
+In Python 3.9a6 integer values for future flags were changed to prevent
+collision with compiler flags. We need to retrieve these at runtime so
+the test suite works with Python <= 3.8 as well as Python 3.9.
+---
+ tests/test_util.py | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/tests/test_util.py b/tests/test_util.py
+index a6a4450c..b9343aaa 100644
+--- a/tests/test_util.py
+++ b/tests/test_util.py
+@@ -11,6 +11,7 @@
+ # individuals. For the exact contribution history, see the revision
+ # history and logs, available at http://babel.edgewall.org/log/.
+ 
+import __future__
+ import unittest
+ 
+ import pytest
+@@ -20,6 +21,12 @@
+ from babel.util import parse_future_flags
+ 
+ 
+class _FF:
+    division         = __future__.division.compiler_flag
+    print_function   = __future__.print_function.compiler_flag
+    with_statement   = __future__.with_statement.compiler_flag
+    unicode_literals = __future__.unicode_literals.compiler_flag
+
+ def test_distinct():
+     assert list(util.distinct([1, 2, 1, 3, 4, 4])) == [1, 2, 3, 4]
+     assert list(util.distinct('foobar')) == ['f', 'o', 'b', 'a', 'r']
+@@ -70,25 +77,25 @@ def test_parse_encoding_non_ascii():
+ from __future__ import print_function,
+     division, with_statement,
+     unicode_literals
+-''', 0x10000 | 0x2000 | 0x8000 | 0x20000),
+''', _FF.print_function | _FF.division | _FF.with_statement | _FF.unicode_literals),
+     ('''
+ from __future__ import print_function, division
+ print('hello')
+-''', 0x10000 | 0x2000),
+''', _FF.print_function | _FF.division),
+     ('''
+ from __future__ import print_function, division, unknown,,,,,
+ print 'hello'
+-''', 0x10000 | 0x2000),
+''', _FF.print_function | _FF.division),
+     ('''
+ from __future__ import (
+     print_function,
+     division)
+-''', 0x10000 | 0x2000),
+''', _FF.print_function | _FF.division),
+     ('''
+ from __future__ import \\
+     print_function, \\
+     division
+-''', 0x10000 | 0x2000),
+''', _FF.print_function | _FF.division),
+ ])
+ def test_parse_future(source, result):
+     fp = BytesIO(source.encode('latin-1'))
--- a/babel.spec
+++ b/babel.spec
@ -22,12 +22,14 @@

 Name:           babel
 Version:        2.8.0
-Release:        2%{?dist}
+Release:        4%{?dist}
 Summary:        Tools for internationalizing Python applications

 License:        BSD
 URL:            http://babel.pocoo.org/
 Source0:        https://files.pythonhosted.org/packages/source/B/%{srcname}/%{srcname}-%{version}.tar.gz
+Patch:          babel-fix-integers-for-future-flags.patch
+Patch1:         babel-basename-for-locale-identifier.patch

 BuildArch:      noarch

@ -121,7 +123,7 @@ Documentation for Babel
 %endif

 %prep
-%autosetup -n %{srcname}-%{version}
+%autosetup -n %{srcname}-%{version} -p1

 %build
 %if %{with python2}
@ -178,6 +180,12 @@ export TZ=America/New_York
 %endif

 %changelog
+* Fri Apr 30 2021 Felix Schwarz <fschwarz@fedoraproject.org> - 2.8.1-2
+- backport fix for CVE-2021-20095 from Babel 2.9.1
+
+* Fri Jan  1 2021 Felix Schwarz <fschwarz@fedoraproject.org> - 2.8.0-3
+- rebuilt
+
 * Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.8.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
Author	SHA1	Message	Date
Felix Schwarz	070264fe2a	backport fix for CVE-2021-20095 from Babel 2.9.1	2021-04-30 22:31:43 +02:00
Felix Schwarz	bd19f14ce7	bump spec so we can rebuilt babel	2021-01-01 22:24:29 +01:00
Felix Schwarz	78b9e7fe7f	fix build on F32 Fedora 32 uses Python 3.8 but sometime between the last babel build for F32 and 12/2020 the integer values for future flags were changed. The patch is already upstream but only present in babel 2.9.0+	2021-01-01 22:21:13 +01:00