unstable.
Cheers,
Thomas Goirand (zigo)
diff -Nru python-babel-2.8.0+dfsg.1/debian/changelog python-babel-2.8.0+dfsg.1/debian/changelog
--- python-babel-2.8.0+dfsg.1/debian/changelog 2021-01-21 13:21:26.000000000 +0100
+++ python-babel-2.8.0+dfsg.1/debian/changelog 2021-05-01 17:13:14.000000000 +0200
@@ -1,3 +1,12 @@
+python-babel (2.8.0+dfsg.1-7) unstable; urgency=medium
+
+ * CVE-2021-20095: Relative Path Traversal in Babel 2.9.0 allows an attacker
+ to load arbitrary locale files on disk and execute arbitrary code. Applied
+ upstream patch: Run locale identifiers through `os.path.basename()`.
+ (Closes: #987824).
+
+
python-babel (2.8.0+dfsg.1-6) unstable; urgency=medium
* Fix doctest deprecation
diff -Nru python-babel-2.8.0+dfsg.1/debian/control python-babel-2.8.0+dfsg.1/debian/control
--- python-babel-2.8.0+dfsg.1/debian/control 2021-01-21 13:21:26.000000000 +0100
+++ python-babel-2.8.0+dfsg.1/debian/control 2021-05-01 17:13:14.000000000 +0200
@@ -5,7 +5,7 @@
debhelper-compat (= 13),
dh-python,
diff -Nru python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch
--- python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-babel-2.8.0+dfsg.1/debian/patches/CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch 2021-05-01 17:13:14.000000000 +0200
@@ -0,0 +1,76 @@
+Description: CVE-2021-20095: Run locale identifiers through `os.path.basename()`
+Date: Wed, 28 Apr 2021 10:33:40 +0300
+Bug-Debian: https://bugs.debian.org/987824
+Origin: https://github.com/python-babel/babel/commit/3a700b5b8b53606fd98ef8294a56f9510f7290f8.patch
+Last-Update: 2021-05-01
+
+diff --git a/babel/localedata.py b/babel/localedata.py
+index f4771d1f..11085490 100644
+--- a/babel/localedata.py
++++ b/babel/localedata.py
+ """
+ return False
++ name = os.path.basename(name)
+ return True
+ file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
+ :raise `IOError`: if no locale data file is found for the given locale
+ identifer, or one of the locales it inherits from
+ """
++ name = os.path.basename(name)
+ _cache_lock.acquire()
+ data = _cache.get(name)
+diff --git a/tests/test_localedata.py b/tests/test_localedata.py
+index 83cd6699..9cb4282e 100644
+--- a/tests/test_localedata.py
++++ b/tests/test_localedata.py
+ # individuals. For the exact contribution history, see the revision
+ # history and logs, available at http://babel.edgewall.org/log/.
+
++import os
++import pickle
++import sys
++import tempfile
+ import unittest
+ import random
+ from operator import methodcaller
+
+-from babel import localedata
++import pytest
++
++from babel import localedata, Locale, UnknownLocaleError
+
+
+ localedata.locale_identifiers.cache = None
+ assert localedata.locale_identifiers()
+ assert len(listdir_calls) == 2
++
++
++ """
++ Test that locale identifiers are cleaned up to avoid directory traversal.
++ """
++ no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999))
++ pickle.dump({}, f)
++
++ name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0]
++ pytest.skip("unable to form relpath")
++ raise
++
++ assert not localedata.exists(name)
++ localedata.load(name)
++ Locale(name)
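Review bot: The two added `name = os.path.basename(name)` lines stop `os.path.join(_dirname, '%s.dat' % name)` from escaping the locale directory, but nothing records why that is sufficient: the changelog states that loading an arbitrary locale file executes code (the `.dat` files are pickles, as the test's `pickle.dump` into a `babel%d.dat` file shows), so the remaining guarantee rests on `_dirname` holding only Babel's bundled data and not being writable by whoever controls `name`. I would add a comment above each basename call, e.g. `# name may come from untrusted input and selects a pickle under _dirname; strip directory components so only a bundled locale .dat can be opened (CVE-2021-20095)`, and consider rejecting names that are not in `locale_identifiers()` as a stricter allowlist. In the test, `no_exist_name` is a `random.randint` path in the shared temp directory that is written with `pickle.dump` and, as far as the visible lines show, never removed; `tempfile.NamedTemporaryFile(suffix='.dat', delete=False)` or pytest's `tmp_path` fixture would avoid the predictable name in a world-writable directory and the leftover file. The `exists()` and `load()` signatures and the test function's `def` line lie outside the visible hunk lines, so the surrounding control flow (including any `pytest.raises` around `load(name)` and `Locale(name)`) could not be checked here.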
diff -Nru python-babel-2.8.0+dfsg.1/debian/patches/series python-babel-2.8.0+dfsg.1/debian/patches/series
--- python-babel-2.8.0+dfsg.1/debian/patches/series 2021-01-21 13:21:26.000000000 +0100
+++ python-babel-2.8.0+dfsg.1/debian/patches/series 2021-05-01 17:13:14.000000000 +0200
@@ -4,3 +4,4 @@
0004-Fix-utils-test.patch
0005-fix-methods-changes-wrt-py3.9.patch
0006-remove-doctest-deprecation.patch
+CVE-2021-20095_Run_locale_identifiers_through_os.path.basename.patch