No commits in common. "c9-beta" and "c8-stream-3.8" have entirely different histories.
@ -1 +1 @@
|
|||||||
1ce15f82eba5184cabe6ac1491cb58262e27adfd SOURCES/Babel-2.9.1.tar.gz
|
5605f75353368d32500afb30e60fc8f0edbca506 SOURCES/Babel-2.7.0.tar.gz
|
||||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/Babel-2.9.1.tar.gz
|
SOURCES/Babel-2.7.0.tar.gz
|
||||||
|
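--- a/SOURCES/CVE-2021-20095.patch
+++ b/SOURCES/CVE-2021-20095.patch
@@ -0,0 +1,128 @@
+diff --git a/babel/localedata.py b/babel/localedata.py
+index e012abb..dea0a0f 100644
+--- a/babel/localedata.py
++++ b/babel/localedata.py
+@@ -13,6 +13,8 @@
+"""
+
+import os
++import re
++import sys
+import threading
+from itertools import chain
+
+@@ -22,6 +24,7 @@ from babel._compat import pickle, string_types, abc
+_cache = {}
+_cache_lock = threading.RLock()
+_dirname = os.path.join(os.path.dirname(__file__), 'locale-data')
++_windows_reserved_name_re = re.compile("^(con|prn|aux|nul|com[0-9]|lpt[0-9])$", re.I)
+
+
+def normalize_locale(name):
+@@ -38,6 +41,22 @@ def normalize_locale(name):
+return locale_id
+
+
++def resolve_locale_filename(name):
++ """
++ Resolve a locale identifier to a `.dat` path on disk.
++ """
++
++ # Clean up any possible relative paths.
++ name = os.path.basename(name)
++
++ # Ensure we're not left with one of the Windows reserved names.
++ if sys.platform == "win32" and _windows_reserved_name_re.match(os.path.splitext(name)[0]):
++ raise ValueError("Name %s is invalid on Windows" % name)
++
++ # Build the path.
++ return os.path.join(_dirname, '%s.dat' % name)
++
++
+def exists(name):
+"""Check whether locale data is available for the given locale.
+
+@@ -49,7 +68,7 @@ def exists(name):
+return False
+if name in _cache:
+return True
+- file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
++ file_found = os.path.exists(resolve_locale_filename(name))
+return True if file_found else bool(normalize_locale(name))
+
+
+@@ -102,6 +121,7 @@ def load(name, merge_inherited=True):
+:raise `IOError`: if no locale data file is found for the given locale
+identifer, or one of the locales it inherits from
+"""
++ name = os.path.basename(name)
+_cache_lock.acquire()
+try:
+data = _cache.get(name)
+@@ -119,7 +139,7 @@ def load(name, merge_inherited=True):
+else:
+parent = '_'.join(parts[:-1])
+data = load(parent).copy()
+- filename = os.path.join(_dirname, '%s.dat' % name)
++ filename = resolve_locale_filename(name)
+with open(filename, 'rb') as fileobj:
+if name != 'root' and merge_inherited:
+merge(data, pickle.load(fileobj))
+diff --git a/tests/test_localedata.py b/tests/test_localedata.py
+index dbacba0..4730096 100644
+--- a/tests/test_localedata.py
++++ b/tests/test_localedata.py
+@@ -11,11 +11,17 @@
+# individuals. For the exact contribution history, see the revision
+# history and logs, available at http://babel.edgewall.org/log/.
+
++import os
++import pickle
++import sys
++import tempfile
+import unittest
+import random
+from operator import methodcaller
+
+-from babel import localedata
++import pytest
++
++from babel import localedata, Locale, UnknownLocaleError
+
+
+class MergeResolveTestCase(unittest.TestCase):
+@@ -131,3 +137,34 @@ def test_locale_identifiers_cache(monkeypatch):
+localedata.locale_identifiers.cache = None
+assert localedata.locale_identifiers()
+assert len(listdir_calls) == 2
++
++
++def test_locale_name_cleanup():
++ """
++ Test that locale identifiers are cleaned up to avoid directory traversal.
++ """
++ no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999))
++ with open(no_exist_name, "wb") as f:
++ pickle.dump({}, f)
++
++ try:
++ name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0]
++ except ValueError:
++ if sys.platform == "win32":
++ pytest.skip("unable to form relpath")
++ raise
++
++ assert not localedata.exists(name)
++ with pytest.raises(IOError):
++ localedata.load(name)
++ with pytest.raises(UnknownLocaleError):
++ Locale(name)
++
++
++@pytest.mark.skipif(sys.platform != "win32", reason="windows-only test")
++def test_reserved_locale_names():
++ for name in ("con", "aux", "nul", "prn", "com8", "lpt5"):
++ with pytest.raises(ValueError):
++ localedata.load(name)
++ with pytest.raises(ValueError):
++ Locale(name)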
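Review bot: `resolve_locale_filename()` and the new first line of `load()` sanitise the identifier with `os.path.basename(name)`, which silently rewrites a path-bearing name instead of rejecting it; a name with directory components whose last component is a shipped locale would then resolve to that locale's `.dat` file, and `exists()` would report it as available. Because this helper is the only gate in front of `pickle.load(fileobj)`, rejecting is easier to audit than normalising, for example `if name != os.path.basename(name): raise IOError("invalid locale identifier %r" % name)` at the top of `load()`, with `exists()` returning `False` for the same condition. The docstring of `resolve_locale_filename()` should also say that directory components are stripped and that `ValueError` is raised for Windows reserved device names. The bodies of `exists()` and `load()` start and end outside the hunks shown, so the effect on the `_cache` lookup is inferred.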
163
SPECS/babel.spec
163
SPECS/babel.spec
@ -4,34 +4,55 @@
|
|||||||
# There is some bootstrapping involved when upgrading Python 3
|
# There is some bootstrapping involved when upgrading Python 3
|
||||||
# First of all we need babel (this package) to use sphinx
|
# First of all we need babel (this package) to use sphinx
|
||||||
# And pytest is at this point not yet ready
|
# And pytest is at this point not yet ready
|
||||||
%bcond_with bootstrap
|
%bcond_without bootstrap
|
||||||
|
|
||||||
|
%bcond_with python2
|
||||||
|
|
||||||
Name: babel
|
Name: babel
|
||||||
Version: 2.9.1
|
Version: 2.7.0
|
||||||
Release: 2%{?dist}
|
Release: 11%{?dist}
|
||||||
Summary: Tools for internationalizing Python applications
|
Summary: Tools for internationalizing Python applications
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
URL: https://babel.pocoo.org/
|
URL: http://babel.pocoo.org/
|
||||||
Source0: %{pypi_source}
|
Source0: https://files.pythonhosted.org/packages/source/B/%{srcname}/%{srcname}-%{version}.tar.gz
|
||||||
|
|
||||||
|
# Fix CVE-2021-20095: relative path traversal allows an attacker to load
|
||||||
|
# arbitrary locale files on disk and execute arbitrary code
|
||||||
|
# Resolved upstream: https://github.com/python-babel/babel/pull/782/
|
||||||
|
# CVE bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1955615
|
||||||
|
Patch1: CVE-2021-20095.patch
|
||||||
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
# Exclude i686 arch. Due to a modularity issue it's being added to the
|
||||||
|
# x86_64 compose of CRB, but we don't want to ship it at all.
|
||||||
|
# See: https://projects.engineering.redhat.com/browse/RCM-72605
|
||||||
|
ExcludeArch: i686
|
||||||
|
|
||||||
BuildRequires: python3-devel
|
%if %{with python2}
|
||||||
BuildRequires: python3-setuptools
|
BuildRequires: python2-devel
|
||||||
|
BuildRequires: python2-setuptools
|
||||||
|
%if %{with python2_pytest}
|
||||||
|
BuildRequires: python2-pytz
|
||||||
|
BuildRequires: python2-pytest
|
||||||
|
BuildRequires: python2-freezegun
|
||||||
|
%endif
|
||||||
|
%endif
|
||||||
|
BuildRequires: python%{python3_pkgversion}-devel
|
||||||
|
BuildRequires: python%{python3_pkgversion}-setuptools
|
||||||
|
BuildRequires: python%{python3_pkgversion}-rpm-macros
|
||||||
%if !%{with bootstrap}
|
%if !%{with bootstrap}
|
||||||
BuildRequires: python3-pytz
|
BuildRequires: python%{python3_pkgversion}-pytz
|
||||||
BuildRequires: python3-pytest
|
BuildRequires: python%{python3_pkgversion}-pytest
|
||||||
|
BuildRequires: python%{python3_pkgversion}-freezegun
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# build the documentation
|
# build the documentation
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
|
|
||||||
%if !%{with bootstrap}
|
%if !%{with bootstrap}
|
||||||
BuildRequires: python3-sphinx
|
BuildRequires: python%{python3_pkgversion}-sphinx
|
||||||
%endif
|
%endif
|
||||||
Requires: python3-babel
|
|
||||||
Requires: python3-setuptools
|
|
||||||
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -44,15 +65,35 @@ Babel is composed of two major parts:
|
|||||||
and date formatting, etc.
|
and date formatting, etc.
|
||||||
|
|
||||||
|
|
||||||
%package -n python3-babel
|
%if %{with python2}
|
||||||
|
%package -n python2-babel
|
||||||
Summary: %sum
|
Summary: %sum
|
||||||
|
|
||||||
Requires: python3-setuptools
|
Requires: python2-setuptools
|
||||||
Requires: python3-pytz
|
Requires: python2-pytz
|
||||||
|
|
||||||
%{?python_provide:%python_provide python3-babel}
|
%{?python_provide:%python_provide python2-babel}
|
||||||
|
|
||||||
%description -n python3-babel
|
%description -n python2-babel
|
||||||
|
Babel is composed of two major parts:
|
||||||
|
|
||||||
|
* tools to build and work with gettext message catalogs
|
||||||
|
|
||||||
|
* a Python interface to the CLDR (Common Locale Data Repository),
|
||||||
|
providing access to various locale display names, localized number
|
||||||
|
and date formatting, etc.
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
|
%package -n python%{python3_pkgversion}-babel
|
||||||
|
Summary: %sum
|
||||||
|
|
||||||
|
Requires: python%{python3_pkgversion}-setuptools
|
||||||
|
Requires: python%{python3_pkgversion}-pytz
|
||||||
|
|
||||||
|
%{?python_provide:%python_provide python%{python3_pkgversion}-babel}
|
||||||
|
|
||||||
|
%description -n python%{python3_pkgversion}-babel
|
||||||
Babel is composed of two major parts:
|
Babel is composed of two major parts:
|
||||||
|
|
||||||
* tools to build and work with gettext message catalogs
|
* tools to build and work with gettext message catalogs
|
||||||
@ -65,6 +106,7 @@ Babel is composed of two major parts:
|
|||||||
%package doc
|
%package doc
|
||||||
Summary: Documentation for Babel
|
Summary: Documentation for Babel
|
||||||
Provides: python-babel-doc = %{version}-%{release}
|
Provides: python-babel-doc = %{version}-%{release}
|
||||||
|
Provides: python2-babel-doc = %{version}-%{release}
|
||||||
Provides: python3-babel-doc = %{version}-%{release}
|
Provides: python3-babel-doc = %{version}-%{release}
|
||||||
|
|
||||||
%description doc
|
%description doc
|
||||||
@ -72,9 +114,12 @@ Documentation for Babel
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -p1 -n %{srcname}-%{version}
|
%autosetup -n %{srcname}-%{version} -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
%if %{with python2}
|
||||||
|
%py2_build
|
||||||
|
%endif
|
||||||
%py3_build
|
%py3_build
|
||||||
|
|
||||||
BUILDDIR="$PWD/built-docs"
|
BUILDDIR="$PWD/built-docs"
|
||||||
@ -91,23 +136,36 @@ rm -f "$BUILDDIR/html/.buildinfo"
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%install
|
%install
|
||||||
|
%if %{with python2}
|
||||||
|
%py2_install
|
||||||
|
%endif
|
||||||
%py3_install
|
%py3_install
|
||||||
|
|
||||||
|
mv %{buildroot}%{_bindir}/pybabel %{buildroot}%{_bindir}/pybabel-%{python3_version}
|
||||||
|
|
||||||
%check
|
%check
|
||||||
export TZ=UTC
|
export TZ=America/New_York
|
||||||
|
%if %{with python2} && %{with python2_pytest}
|
||||||
|
%{__python2} -m pytest
|
||||||
|
%endif
|
||||||
%if !%{with bootstrap}
|
%if !%{with bootstrap}
|
||||||
# tests/messages/test_frontend.py and tests/test_dates require freezegun
|
%{__python3} -m pytest
|
||||||
%{__python3} -m pytest --ignore tests/messages/test_frontend.py --ignore tests/test_dates.py
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%files
|
%if %{with python2}
|
||||||
|
%files -n python2-babel
|
||||||
%doc CHANGES AUTHORS
|
%doc CHANGES AUTHORS
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
%{_bindir}/pybabel
|
%{python2_sitelib}/Babel-%{version}-py*.egg-info
|
||||||
|
%{python2_sitelib}/babel
|
||||||
|
%endif
|
||||||
|
|
||||||
%files -n python3-babel
|
%files -n python%{python3_pkgversion}-babel
|
||||||
%{python3_sitelib}/Babel-%{version}-py*.egg-info/
|
%doc CHANGES AUTHORS
|
||||||
%{python3_sitelib}/babel/
|
%license LICENSE
|
||||||
|
%{python3_sitelib}/Babel-%{version}-py*.egg-info
|
||||||
|
%{python3_sitelib}/babel
|
||||||
|
%{_bindir}/pybabel-%{python3_version}
|
||||||
|
|
||||||
%if !%{with bootstrap}
|
%if !%{with bootstrap}
|
||||||
%files doc
|
%files doc
|
||||||
@ -115,54 +173,19 @@ export TZ=UTC
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.9.1-2
|
* Wed May 12 2021 Charalampos Stratakis <cstratak@redhat.com> - 2.7.0-11
|
||||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
- Fix CVE-2021-20095
|
||||||
Related: rhbz#1991688
|
|
||||||
|
|
||||||
* Fri May 21 2021 Charalampos Stratakis <cstratak@redhat.com> - 2.9.1-1
|
|
||||||
- Update to 2.9.1.
|
|
||||||
- Fixes CVE-2021-20095
|
|
||||||
Resolves: rhbz#1955615
|
Resolves: rhbz#1955615
|
||||||
|
|
||||||
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.9.0-6
|
* Fri Dec 13 2019 Tomas Orsava <torsava@redhat.com> - 2.7.0-10
|
||||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
- Exclude unsupported i686 arch
|
||||||
|
|
||||||
* Tue Apr 13 2021 Miro Hrončok <mhroncok@redhat.com> - 2.9.0-5
|
* Tue Dec 03 2019 Tomas Orsava <torsava@redhat.com> - 2.7.0-9
|
||||||
- Drop build dependency on python-freezegun
|
- Rename the pybabel executable to pybabel-3.8 and move it to the
|
||||||
- Resolves: rhbz#1947517
|
python38-babel package
|
||||||
|
|
||||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.0-4
|
* Wed Nov 20 2019 Lumír Balhar <lbalhar@redhat.com> - 2.7.0-8
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
- Adjusted for Python 3.8 module in RHEL 8
|
||||||
|
|
||||||
* Mon Dec 21 2020 Miro Hrončok <mhroncok@redhat.com> - 2.9.0-3
|
|
||||||
- Disable Python 2 build entirely
|
|
||||||
|
|
||||||
* Tue Nov 24 2020 Miro Hrončok <mhroncok@redhat.com>
|
|
||||||
- Disable Python 2 build on RHEL 9+
|
|
||||||
|
|
||||||
* Mon Nov 16 22:22:25 CET 2020 Felix Schwarz <fschwarz@fedoraproject.org> - 2.9.0-1
|
|
||||||
- update to 2.9.0
|
|
||||||
|
|
||||||
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.8.0-7
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
|
||||||
|
|
||||||
* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 2.8.0-6
|
|
||||||
- Rebuilt for Python 3.9
|
|
||||||
|
|
||||||
* Fri May 22 2020 Miro Hrončok <mhroncok@redhat.com> - 2.8.0-5
|
|
||||||
- Bootstrap for Python 3.9
|
|
||||||
|
|
||||||
* Fri May 08 2020 Felix Schwarz <fschwarz@fedoraproject.org> - 2.8.0-4
|
|
||||||
- reenable Python 2 subpackage for Fedora 33+ (rhbz #1737930)
|
|
||||||
|
|
||||||
* Tue May 05 2020 Felix Schwarz <fschwarz@fedoraproject.org> - 2.8.0-3
|
|
||||||
- add patch for compatibility with Python 3.9a6
|
|
||||||
|
|
||||||
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.8.0-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Jan 02 2020 Felix Schwarz <fschwarz@fedoraproject.org> - 2.8.0-1
|
|
||||||
- update to upstream version 2.8.0
|
|
||||||
|
|
||||||
* Thu Oct 31 2019 Nils Philippsen <nils@tiptoe.de> - 2.7.0-7
|
* Thu Oct 31 2019 Nils Philippsen <nils@tiptoe.de> - 2.7.0-7
|
||||||
- drop python2-babel only from F33 on as it is needed for trac (for the time
|
- drop python2-babel only from F33 on as it is needed for trac (for the time
|
||||||
|
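Review bot: The `%check` section on the c8-stream-3.8 side runs `%{__python3} -m pytest` only inside `%if !%{with bootstrap}`, and the same side declares `%bcond_without bootstrap`, which makes bootstrap the default; a default build would therefore appear to skip the test suite, including the `test_locale_name_cleanup` regression test that `Patch1: CVE-2021-20095.patch` adds. If the bootstrap default is intentional for the module build, a comment next to the bcond should say so and name where the regression test does run, e.g. `# bootstrap is on by default: %check is skipped, the CVE-2021-20095 tests run in <placeholder: gating job>`. `%{with python2_pytest}` is also tested without a matching `%bcond` line visible in this section.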