commit f9def4c8d64305630746c976417519a298de102e
Author: Adam Samalik
Date: Fri May 5 22:32:16 2023 +0200
import sources
diff --git a/.babel.metadata b/.babel.metadata
new file mode 100644
index 0000000..39f63c7
--- /dev/null
+++ b/.babel.metadata
@@ -0,0 +1 @@
+5605f75353368d32500afb30e60fc8f0edbca506 Babel-2.7.0.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9e39bb3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/Babel-2.7.0.tar.gz
diff --git a/CVE-2021-20095.patch b/CVE-2021-20095.patch
new file mode 100644
index 0000000..f26a334
--- /dev/null
+++ b/CVE-2021-20095.patch
@@ -0,0 +1,128 @@
+diff --git a/babel/localedata.py b/babel/localedata.py
+index e012abb..dea0a0f 100644
+--- a/babel/localedata.py
++++ b/babel/localedata.py
+@@ -13,6 +13,8 @@
+ """
+
+ import os
++import re
++import sys
+ import threading
+ from itertools import chain
+
+@@ -22,6 +24,7 @@ from babel._compat import pickle, string_types, abc
+ _cache = {}
+ _cache_lock = threading.RLock()
+ _dirname = os.path.join(os.path.dirname(__file__), 'locale-data')
++_windows_reserved_name_re = re.compile("^(con|prn|aux|nul|com[0-9]|lpt[0-9])$", re.I)
+
+
+ def normalize_locale(name):
+@@ -38,6 +41,22 @@ def normalize_locale(name):
+ return locale_id
+
+
++def resolve_locale_filename(name):
++ """
++ Resolve a locale identifier to a `.dat` path on disk.
++ """
++
++ # Clean up any possible relative paths.
++ name = os.path.basename(name)
++
++ # Ensure we're not left with one of the Windows reserved names.
++ if sys.platform == "win32" and _windows_reserved_name_re.match(os.path.splitext(name)[0]):
++ raise ValueError("Name %s is invalid on Windows" % name)
++
++ # Build the path.
++ return os.path.join(_dirname, '%s.dat' % name)
++
++
+ def exists(name):
+ """Check whether locale data is available for the given locale.
+
+@@ -49,7 +68,7 @@ def exists(name):
+ return False
+ if name in _cache:
+ return True
+- file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
++ file_found = os.path.exists(resolve_locale_filename(name))
+ return True if file_found else bool(normalize_locale(name))
+
+
+@@ -102,6 +121,7 @@ def load(name, merge_inherited=True):
+ :raise `IOError`: if no locale data file is found for the given locale
+ identifer, or one of the locales it inherits from
+ """
++ name = os.path.basename(name)
+ _cache_lock.acquire()
+ try:
+ data = _cache.get(name)
+@@ -119,7 +139,7 @@ def load(name, merge_inherited=True):
+ else:
+ parent = '_'.join(parts[:-1])
+ data = load(parent).copy()
+- filename = os.path.join(_dirname, '%s.dat' % name)
++ filename = resolve_locale_filename(name)
+ with open(filename, 'rb') as fileobj:
+ if name != 'root' and merge_inherited:
+ merge(data, pickle.load(fileobj))
+diff --git a/tests/test_localedata.py b/tests/test_localedata.py
+index dbacba0..4730096 100644
+--- a/tests/test_localedata.py
++++ b/tests/test_localedata.py
+@@ -11,11 +11,17 @@
+ # individuals. For the exact contribution history, see the revision
+ # history and logs, available at http://babel.edgewall.org/log/.
+
++import os
++import pickle
++import sys
++import tempfile
+ import unittest
+ import random
+ from operator import methodcaller
+
+-from babel import localedata
++import pytest
++
++from babel import localedata, Locale, UnknownLocaleError
+
+
+ class MergeResolveTestCase(unittest.TestCase):
+@@ -131,3 +137,34 @@ def test_locale_identifiers_cache(monkeypatch):
+ localedata.locale_identifiers.cache = None
+ assert localedata.locale_identifiers()
+ assert len(listdir_calls) == 2
++
++
++def test_locale_name_cleanup():
++ """
++ Test that locale identifiers are cleaned up to avoid directory traversal.
++ """
++ no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999))
++ with open(no_exist_name, "wb") as f:
++ pickle.dump({}, f)
++
++ try:
++ name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0]
++ except ValueError:
++ if sys.platform == "win32":
++ pytest.skip("unable to form relpath")
++ raise
++
++ assert not localedata.exists(name)
++ with pytest.raises(IOError):
++ localedata.load(name)
++ with pytest.raises(UnknownLocaleError):
++ Locale(name)
++
++
++@pytest.mark.skipif(sys.platform != "win32", reason="windows-only test")
++def test_reserved_locale_names():
++ for name in ("con", "aux", "nul", "prn", "com8", "lpt5"):
++ with pytest.raises(ValueError):
++ localedata.load(name)
++ with pytest.raises(ValueError):
++ Locale(name)
diff --git a/babel.spec b/babel.spec
new file mode 100644
index 0000000..35432d2
--- /dev/null
+++ b/babel.spec
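Review bot: The docstring added for `resolve_locale_filename` in babel/localedata.py does not state the two behaviours callers now depend on: any directory part of `name` is silently stripped by `os.path.basename` rather than rejected, and on win32 a reserved device name raises `ValueError`. I would extend it to something like `Resolve a locale identifier to a .dat path inside the locale-data directory; any directory part of name is discarded, and ValueError is raised for Windows reserved names on win32.` The `:raise` section of `load()` still lists only `IOError` although `load()` can now raise that `ValueError` as well, and a short comment at the `pickle.load(fileobj)` call saying that the basename step is what keeps unpickling confined to `_dirname` would stop a later cleanup from removing it. The bodies of `exists()` and `load()` continue outside the hunks shown.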
@@ -0,0 +1,437 @@
+%global srcname Babel
+%global sum Library for internationalizing Python applications
+
+# There is some bootstrapping involved when upgrading Python 3
+# First of all we need babel (this package) to use sphinx
+# And pytest is at this point not yet ready
+%bcond_without bootstrap
+
+%bcond_with python2
+
+Name: babel
+Version: 2.7.0
+Release: 11%{?dist}
+Summary: Tools for internationalizing Python applications
+
+License: BSD
+URL: http://babel.pocoo.org/
+Source0: https://files.pythonhosted.org/packages/source/B/%{srcname}/%{srcname}-%{version}.tar.gz
+
+# Fix CVE-2021-20095: relative path traversal allows an attacker to load
+# arbitrary locale files on disk and execute arbitrary code
+# Resolved upstream: https://github.com/python-babel/babel/pull/782/
+# CVE bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1955615
+Patch1: CVE-2021-20095.patch
+
+BuildArch: noarch
+# Exclude i686 arch. Due to a modularity issue it's being added to the
+# x86_64 compose of CRB, but we don't want to ship it at all.
+# See: https://projects.engineering.redhat.com/browse/RCM-72605
+ExcludeArch: i686
+
+%if %{with python2}
+BuildRequires: python2-devel
+BuildRequires: python2-setuptools
+%if %{with python2_pytest}
+BuildRequires: python2-pytz
+BuildRequires: python2-pytest
+BuildRequires: python2-freezegun
+%endif
+%endif
+BuildRequires: python%{python3_pkgversion}-devel
+BuildRequires: python%{python3_pkgversion}-setuptools
+BuildRequires: python%{python3_pkgversion}-rpm-macros
+%if !%{with bootstrap}
+BuildRequires: python%{python3_pkgversion}-pytz
+BuildRequires: python%{python3_pkgversion}-pytest
+BuildRequires: python%{python3_pkgversion}-freezegun
+%endif
+
+# build the documentation
+BuildRequires: make
+
+%if !%{with bootstrap}
+BuildRequires: python%{python3_pkgversion}-sphinx
+%endif
+
+
+%description
+Babel is composed of two major parts:
+
+* tools to build and work with gettext message catalogs
+
+* a Python interface to the CLDR (Common Locale Data Repository),
+ providing access to various locale display names, localized number
+ and date formatting, etc.
+
+
+%if %{with python2}
+%package -n python2-babel
+Summary: %sum
+
+Requires: python2-setuptools
+Requires: python2-pytz
+
+%{?python_provide:%python_provide python2-babel}
+
+%description -n python2-babel
+Babel is composed of two major parts:
+
+* tools to build and work with gettext message catalogs
+
+* a Python interface to the CLDR (Common Locale Data Repository),
+ providing access to various locale display names, localized number
+ and date formatting, etc.
+%endif
+
+
+%package -n python%{python3_pkgversion}-babel
+Summary: %sum
+
+Requires: python%{python3_pkgversion}-setuptools
+Requires: python%{python3_pkgversion}-pytz
+
+%{?python_provide:%python_provide python%{python3_pkgversion}-babel}
+
+%description -n python%{python3_pkgversion}-babel
+Babel is composed of two major parts:
+
+* tools to build and work with gettext message catalogs
+
+* a Python interface to the CLDR (Common Locale Data Repository),
+ providing access to various locale display names, localized number
+ and date formatting, etc.
+
+%if !%{with bootstrap}
+%package doc
+Summary: Documentation for Babel
+Provides: python-babel-doc = %{version}-%{release}
+Provides: python2-babel-doc = %{version}-%{release}
+Provides: python3-babel-doc = %{version}-%{release}
+
+%description doc
+Documentation for Babel
+%endif
+
+%prep
+%autosetup -n %{srcname}-%{version} -p1
+
+%build
+%if %{with python2}
+%py2_build
+%endif
+%py3_build
+
+BUILDDIR="$PWD/built-docs"
+rm -rf "$BUILDDIR"
+
+%if !%{with bootstrap}
+pushd docs
+make \
+ SPHINXBUILD=sphinx-build-3 \
+ BUILDDIR="$BUILDDIR" \
+ html
+popd
+rm -f "$BUILDDIR/html/.buildinfo"
+%endif
+
+%install
+%if %{with python2}
+%py2_install
+%endif
+%py3_install
+
+mv %{buildroot}%{_bindir}/pybabel %{buildroot}%{_bindir}/pybabel-%{python3_version}
+
+%check
+export TZ=America/New_York
+%if %{with python2} && %{with python2_pytest}
+%{__python2} -m pytest
+%endif
+%if !%{with bootstrap}
+%{__python3} -m pytest
+%endif
+
+%if %{with python2}
+%files -n python2-babel
+%doc CHANGES AUTHORS
+%license LICENSE
+%{python2_sitelib}/Babel-%{version}-py*.egg-info
+%{python2_sitelib}/babel
+%endif
+
+%files -n python%{python3_pkgversion}-babel
+%doc CHANGES AUTHORS
+%license LICENSE
+%{python3_sitelib}/Babel-%{version}-py*.egg-info
+%{python3_sitelib}/babel
+%{_bindir}/pybabel-%{python3_version}
+
+%if !%{with bootstrap}
+%files doc
+%doc built-docs/html/*
+%endif
+
+%changelog
+* Wed May 12 2021 Charalampos Stratakis -
2.7.0-11
+- Fix CVE-2021-20095
+Resolves: rhbz#1955615
+
+* Fri Dec 13 2019 Tomas Orsava - 2.7.0-10
+- Exclude unsupported i686 arch
+
+* Tue Dec 03 2019 Tomas Orsava - 2.7.0-9
+- Rename the pybabel executable to pybabel-3.8 and move it to the
+ python38-babel package
+
+* Wed Nov 20 2019 Lumír Balhar - 2.7.0-8
+- Adjusted for Python 3.8 module in RHEL 8
+
+* Thu Oct 31 2019 Nils Philippsen - 2.7.0-7
+- drop python2-babel only from F33 on as it is needed for trac (for the time
+ being, #1737930)
+
+* Thu Oct 31 2019 Nils Philippsen - 2.7.0-6
+- drop python2-babel from F32 on
+
+* Fri Sep 13 2019 Miro Hrončok - 2.7.0-5
+- Reduce Python 2 build dependencies on Fedora 32
+
+* Fri Aug 16 2019 Miro Hrončok - 2.7.0-4
+- Rebuilt for Python 3.8
+
+* Thu Aug 15 2019 Miro Hrončok - 2.7.0-3
+- Bootstrap for Python 3.8
+
+* Wed Jul 24 2019 Fedora Release Engineering - 2.7.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon May 27 2019 Felix Schwarz - 2.7.0-1
+- update to upstream version 2.7.0
+
+* Thu Jan 31 2019 Fedora Release Engineering - 2.6.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Jul 12 2018 Fedora Release Engineering - 2.6.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jul 02 2018 Miro Hrončok - 2.6.0-4
+- Rebuilt for Python 3.7
+
+* Mon Jul 02 2018 Miro Hrončok - 2.6.0-3
+- Rebuilt for Python 3.7
+
+* Fri Jun 29 2018 Felix Schwarz - 2.6.0-2
+- add setting to build without Python 2 support
+
+* Fri Jun 29 2018 Felix Schwarz - 2.6.0-1
+- update to upstream version 2.6.0
+
+* Mon Jun 18 2018 Tomas Orsava - 2.5.1-5
+- Run tests in pytest (as declared in BuildRequires)
+
+* Sat Jun 16 2018 Miro Hrončok - 2.5.1-4
+- Rebuilt for Python 3.7
+
+* Thu Jun 14 2018 Miro Hrončok - 2.5.1-3
+- Bootstrap for Python 3.7
+
+* Wed Feb 07 2018 Fedora Release Engineering - 2.5.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Dec 15 2017 Felix Schwarz -
2.5.1-1
+- update to upstream version 2.5.1
+
+* Fri Dec 15 2017 Iryna Shcherbina - 2.3.4-7
+- Update Python 2 dependency declarations to new packaging standards
+ (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Wed Jul 26 2017 Fedora Release Engineering - 2.3.4-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering - 2.3.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Tue Dec 13 2016 Miro Hrončok - 2.3.4-4
+- Finish bootstrapping for Python 3.6
+
+* Tue Dec 13 2016 Miro Hrončok - 2.3.4-3
+- Rebuild for Python 3.6
+- Add "bootstrap" conditions
+
+* Tue Jul 19 2016 Fedora Release Engineering - 2.3.4-2
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Tue May 31 2016 Nils Philippsen
+- fix source URL
+
+* Mon Apr 25 2016 Nils Philippsen - 2.3.4-1
+- version 2.3.4
+- always build Python3 subpackages
+- remove obsolete packaging constructs
+- update to current Python packaging guidelines
+- build docs non-destructively
+- tag license file as %%license
+- use %%python_provide macro only if present
+- update remove-pytz-version patch
+- fix build dependencies
+- set TZ in %%check
+
+* Wed Feb 03 2016 Fedora Release Engineering - 1.3-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Nov 10 2015 Fedora Release Engineering - 1.3-11
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Fri Nov 6 2015 Toshio Kuratomi - 1.3-10
+- Also make sure that the babel package that has pybabel depends on the correct
+ packages (python2 packages on F23 or less and python3 packages on F24 and
+ greater.)
+
+* Wed Nov 4 2015 Toshio Kuratomi - 1.3-9
+- Install the python3 version of pybabel on Fedora 24+ to match with Fedora's
+ default python version
+
+* Wed Jun 17 2015 Fedora Release Engineering - 1.3-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed Dec 17 2014 Toshio Kuratomi - 1.3-7
+- Remove pytz version requirement in egginfo as it confuses newer setuptools
+
+* Mon Jun 30 2014 Toshio Kuratomi - 1.3-6
+- Change python-setuptools-devel BR into python-setuptools
+
+* Sat Jun 07 2014 Fedora Release Engineering - 1.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed May 28 2014 Kalev Lember - 1.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4
+
+* Wed Apr 02 2014 Nils Philippsen - 1.3-3
+- fix dependencies (#1083470)
+
+* Sun Oct 06 2013 Felix Schwarz - 1.3-2
+- enable python3 subpackage
+
+* Wed Oct 02 2013 Felix Schwarz - 1.3-1
+- update to Babel 1.3
+- disabled %%check as it tries to download the CLDR
+
+* Sat Aug 03 2013 Fedora Release Engineering - 0.9.6-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Jun 26 2013 Jeffrey C.
Ollie - 0.9.6-8
+- split documentation off to a separate subpackage
+
+* Wed Feb 13 2013 Fedora Release Engineering - 0.9.6-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Thu Oct 18 2012 Nils Philippsen - 0.9.6-6
+- run tests in %%check
+- add pytz build requirement for tests
+
+* Sat Aug 04 2012 David Malcolm - 0.9.6-5
+- rebuild for https://fedoraproject.org/wiki/Features/Python_3.3
+
+* Wed Aug 01 2012 Felix Schwarz - 0.9.6-4
+- disable building of non-functional python3 subpackage (#761583)
+
+* Wed Jul 18 2012 Fedora Release Engineering - 0.9.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Thu Jan 12 2012 Fedora Release Engineering - 0.9.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Jun 07 2011 Nils Philippsen - 0.9.6-1
+- version 0.9.6:
+ * Backport r493-494: documentation typo fixes.
+ * Make the CLDR import script work with Python 2.7.
+ * Fix various typos.
+ * Fixed Python 2.3 compatibility (ticket #146, #233).
+ * Sort output of list-locales.
+ * Make the POT-Creation-Date of the catalog being updated equal to
+ POT-Creation-Date of the template used to update (ticket #148).
+ * Use a more explicit error message if no option or argument (command) is
+ passed to pybabel (ticket #81).
+ * Keep the PO-Revision-Date if it is not the default value (ticket #148).
+ * Make --no-wrap work by reworking --width's default and mimic xgettext's
+ behaviour of always wrapping comments (ticket #145).
+ * Fixed negative offset handling of Catalog._set_mime_headers (ticket #165).
+ * Add --project and --version options for commandline (ticket #173).
+ * Add a __ne__() method to the Local class.
+ * Explicitly sort instead of using sorted() and don't assume ordering
+ (Python 2.3 and Jython compatibility).
+ * Removed ValueError raising for string formatting message checkers if the
+ string does not contain any string formattings (ticket #150).
+ * Fix Serbian plural forms (ticket #213).
+ * Small speed improvement in format_date() (ticket #216).
+ * Fix number formatting for locales where CLDR specifies alt or draft
+ items (ticket #217)
+ * Fix bad check in format_time (ticket #257, reported with patch and tests by
+ jomae)
+ * Fix so frontend.CommandLineInterface.run does not accumulate logging
+ handlers (#227, reported with initial patch by dfraser)
+ * Fix exception if environment contains an invalid locale setting (#200)
+- install python2 rather than python3 executable (#710880)
+
+* Mon Feb 07 2011 Fedora Release Engineering - 0.9.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Aug 26 2010 Jeffrey C. Ollie - 0.9.5-3
+- Add python3 subpackage
+
+* Wed Jul 21 2010 David Malcolm - 0.9.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Wed Apr 7 2010 Jeffrey C. Ollie - 0.9.5-1
+- This release contains a small number of bugfixes over the 0.9.4
+- release.
+-
+- What's New:
+- -----------
+- * Fixed the case where messages containing square brackets would break
+- with an unpack error
+- * Fuzzy matching regarding plurals should *NOT* be checked against
+- len(message.id) because this is always 2, instead, it's should be
+- checked against catalog.num_plurals (ticket #212).
+
+* Fri Jul 24 2009 Fedora Release Engineering - 0.9.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Sat Mar 28 2009 Robert Scheck - 0.9.4-4
+- Added missing requires to python-setuptools for pkg_resources
+
+* Mon Feb 23 2009 Fedora Release Engineering - 0.9.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 0.9.4-2
+- Rebuild for Python 2.6
+
+* Mon Aug 25 2008 Jeffrey C. Ollie - 0.9.4-1
+- Update to 0.9.4
+
+* Thu Jul 10 2008 Jeffrey C. Ollie - 0.9.3-1
+- Update to 0.9.3
+
+* Sun Dec 16 2007 Jeffrey C.
Ollie - 0.9.1-1
+- Update to 0.9.1
+
+* Tue Aug 28 2007 Jeffrey C. Ollie - 0.9-2
+- BR python-setuptools-devel
+
+* Mon Aug 27 2007 Jeffrey C. Ollie - 0.9-1
+- Update to 0.9
+
+* Mon Jul 2 2007 Jeffrey C. Ollie - 0.8.1-1
+- Update to 0.8.1
+- Remove upstreamed patch.
+
+* Fri Jun 29 2007 Jeffrey C. Ollie - 0.8-3
+- Replace patch with one that actually applies.
+
+* Fri Jun 29 2007 Jeffrey C. Ollie - 0.8-2
+- Apply upstream patch to rename command line script to "pybabel" - BZ#246208
+
+* Thu Jun 21 2007 Jeffrey C. Ollie - 0.8-1
+- First version for Fedora
+
diff --git a/sources b/sources
new file mode 100644
index 0000000..e4bbad5
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (Babel-2.7.0.tar.gz) = 96314c7b26f6915a825e0344fa06e4f1d9a71b97a52b16f2f696c2e81c69318974547620135912b11edb95668a717ec49f1be68eef5a4753092d8e4cdc39a1e5
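Review bot: The regression tests that CVE-2021-20095.patch adds to tests/test_localedata.py are not run by a default build of babel.spec, because `%bcond_without bootstrap` leaves bootstrap enabled and `%check` only reaches `%{__python3} -m pytest` under `%if !%{with bootstrap}`. The same condition drops the pytest, pytz and freezegun BuildRequires, so as far as this spec shows the path-traversal fix is applied by `%autosetup -p1` but never exercised at build time. If the bootstrap phase is over for this stream, `%bcond_with bootstrap` would restore the test run; otherwise a comment next to the bcond should record that the CVE tests are skipped while bootstrapping. The python2 branch of `%check` also tests `%{with python2_pytest}`, for which no bcond is visible in this spec.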