backport fix for CVE-2021-20095 from Babel 2.9.1

This version only adds compatibility for pytest 6 so this update
is mostly to ensure we can do a new build if necessary.

.gitignore

@@ -6,3 +6,4 @@ Babel-0.9.5.tar.gz
 /Babel-2.6.0.tar.gz
 /Babel-2.7.0.tar.gz
 /Babel-2.8.0.tar.gz
+/Babel-2.8.1.tar.gz

babel-basename-for-locale-identifier.patch

@@ -0,0 +1,79 @@
+From 3a700b5b8b53606fd98ef8294a56f9510f7290f8 Mon Sep 17 00:00:00 2001
+From: Aarni Koskela <akx@iki.fi>
+Date: Wed, 28 Apr 2021 10:33:40 +0300
+Subject: [PATCH] Run locale identifiers through `os.path.basename()`
+
+---
+ babel/localedata.py      |  2 ++
+ tests/test_localedata.py | 30 +++++++++++++++++++++++++++++-
+ 2 files changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/babel/localedata.py b/babel/localedata.py
+index f4771d1f..11085490 100644
+--- a/babel/localedata.py
++++ b/babel/localedata.py
+@@ -47,6 +47,7 @@ def exists(name):
+     """
+     if not name or not isinstance(name, string_types):
+         return False
++    name = os.path.basename(name)
+     if name in _cache:
+         return True
+     file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
+@@ -102,6 +103,7 @@ def load(name, merge_inherited=True):
+     :raise `IOError`: if no locale data file is found for the given locale
+                       identifer, or one of the locales it inherits from
+     """
++    name = os.path.basename(name)
+     _cache_lock.acquire()
+     try:
+         data = _cache.get(name)
+diff --git a/tests/test_localedata.py b/tests/test_localedata.py
+index 83cd6699..9cb4282e 100644
+--- a/tests/test_localedata.py
++++ b/tests/test_localedata.py
+@@ -11,11 +11,17 @@
+ # individuals. For the exact contribution history, see the revision
+ # history and logs, available at http://babel.edgewall.org/log/.
+ 
++import os
++import pickle
++import sys
++import tempfile
+ import unittest
+ import random
+ from operator import methodcaller
+ 
+-from babel import localedata
++import pytest
++
++from babel import localedata, Locale, UnknownLocaleError
+ 
+ 
+ class MergeResolveTestCase(unittest.TestCase):
+@@ -131,3 +137,25 @@ def listdir_spy(*args):
+     localedata.locale_identifiers.cache = None
+     assert localedata.locale_identifiers()
+     assert len(listdir_calls) == 2
++
++
++def test_locale_name_cleanup():
++    """
++    Test that locale identifiers are cleaned up to avoid directory traversal.
++    """
++    no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999))
++    with open(no_exist_name, "wb") as f:
++        pickle.dump({}, f)
++
++    try:
++        name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0]
++    except ValueError:
++        if sys.platform == "win32":
++            pytest.skip("unable to form relpath")
++        raise
++
++    assert not localedata.exists(name)
++    with pytest.raises(IOError):
++        localedata.load(name)
++    with pytest.raises(UnknownLocaleError):
++        Locale(name)

babel.spec

@@ -16,8 +16,8 @@
 
 
 Name:           babel
-Version:        2.8.0
-Release:        7%{?dist}
+Version:        2.8.1
+Release:        2%{?dist}
 Summary:        Tools for internationalizing Python applications
 
 License:        BSD
@@ -25,6 +25,7 @@ URL:            https://babel.pocoo.org/
 Source0:        %{pypi_source}
 # https://github.com/python-babel/babel/pull/712
 Patch0:         babel-python39a6-compat.patch
+Patch1:         babel-basename-for-locale-identifier.patch
 
 BuildArch:      noarch
 
@@ -175,6 +176,12 @@ export TZ=America/New_York
 %endif
 
 %changelog
+* Fri Apr 30 2021 Felix Schwarz <fschwarz@fedoraproject.org> - 2.8.1-2
+- backport fix for CVE-2021-20095 from Babel 2.9.1
+
+* Mon Nov 16 22:50:40 CET 2020 Felix Schwarz <fschwarz@fedoraproject.org> - 2.8.1-1
+- update to 2.8.1
+
 * Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.8.0-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 

sources

@@ -1 +1 @@
-SHA512 (Babel-2.8.0.tar.gz) = f9687b36176c146a8ace073197111463d24fca343bb1dbee8b0e37a7f37b68b4cd77ffbe3bf14a20f8f64c701aa860e0b5e6076658a95dbee2556f0688d68d91
+SHA512 (Babel-2.8.1.tar.gz) = ed39ad01b873d40d0bc611739761d412ff442b2df3d4c2363ec24501547da678cb752f640a02470c8513073a76c468c27fc16248820c779ef7adbe14d0f07199