rpms/python-jinja2
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Security fix for CVE-2025-27516

Browse Source 
Resolves: RHEL-85066
This commit is contained in:
Lumir Balhar 2025-03-26 21:52:57 +01:00
parent eaf71f04c3
commit 39e6bb3bce
2 changed files with 93 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
CVE-2025-27516.patch Normal file
View File

@ -0,0 +1,81 @@
From 286c463968e9f55b4bd7a860161182fe55bc7632 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Wed, 26 Mar 2025 22:03:02 +0100
Subject: [PATCH] CVE-2025-27516
---
Jinja2-2.10.1/jinja2/filters.py | 28 +++++++++++-----------------
Jinja2-2.10.1/tests/test_security.py | 10 ++++++++++
2 files changed, 21 insertions(+), 17 deletions(-)
diff --git a/Jinja2-2.10.1/jinja2/filters.py b/Jinja2-2.10.1/jinja2/filters.py
index 3e33f57..9816094 100644
--- a/Jinja2-2.10.1/jinja2/filters.py
+++ b/Jinja2-2.10.1/jinja2/filters.py
@@ -13,6 +13,7 @@ import math
import random
import warnings
+from inspect import getattr_static
from itertools import groupby, chain
from collections import namedtuple
from jinja2.utils import Markup, escape, pformat, urlize, soft_unicode, \
@@ -931,27 +932,20 @@ def do_reverse(value):
@environmentfilter
def do_attr(environment, obj, name):
- """Get an attribute of an object. ``foo|attr("bar")`` works like
- ``foo.bar`` just that always an attribute is returned and items are not
- looked up.
+ """Get an attribute of an object. ``foo|attr("bar")`` works like
+ ``foo.bar``, but returns undefined instead of falling back to ``foo["bar"]``
+ if the attribute doesn't exist.
See :ref:`Notes on subscriptions <notes-on-subscriptions>` for more details.
"""
try:
- name = str(name)
- except UnicodeError:
- pass
- else:
- try:
- value = getattr(obj, name)
- except AttributeError:
- pass
- else:
- if environment.sandboxed and not \
- environment.is_safe_attribute(obj, name, value):
- return environment.unsafe_undefined(obj, name)
- return value
- return environment.undefined(obj=obj, name=name)
+ getattr_static(obj, name)
+ except AttributeError:
+ # This finds dynamic attrs, and we know it's not a descriptor at this point.
+ if not hasattr(obj, name):
+ return environment.undefined(obj=obj, name=name)
+
+ return environment.getattr(obj, name)
@contextfilter
diff --git a/Jinja2-2.10.1/tests/test_security.py b/Jinja2-2.10.1/tests/test_security.py
index 1719644..b2ba1a3 100644
--- a/Jinja2-2.10.1/tests/test_security.py
+++ b/Jinja2-2.10.1/tests/test_security.py
@@ -223,3 +223,13 @@ class TestStringFormatMap(object):
with pytest.raises(SecurityError):
t.render()
+
+ def test_attr_filter(self) -> None:
+ env = SandboxedEnvironment()
+ t = env.from_string(
+ """{{ "{0.__call__.__builtins__[__import__]}"
+ | attr("format")(not_here) }}"""
+ )
+
+ with pytest.raises(SecurityError):
+ t.render()
--
2.49.0

13
python-jinja2.spec
View File

@ -27,7 +27,7 @@
Name: python-jinja2
Version: 2.10.1
Release: 6%{?dist}
Release: 7%{?dist}
Summary: General purpose template engine
Group: Development/Languages
License: BSD
@ -54,6 +54,12 @@ Patch2: CVE-2024-34064.patch
# Patch backported from upstream without changelog and typing.
Patch3: CVE-2024-56326.patch
# Security fix for CVE-2025-27516
# Resolved upstream: https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2025-27516
# Patch backported from upstream without changelog.
Patch4: CVE-2025-27516.patch
BuildArch: noarch
%description
@ -133,6 +139,7 @@ environments.
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
# cleanup
@ -235,6 +242,10 @@ popd
%changelog
* Wed Mar 26 2025 Lumír Balhar <lbalhar@redhat.com> - 2.10.1-7
- Security fix for CVE-2025-27516
Resolves: RHEL-85066
* Wed Jan 22 2025 Lumír Balhar <lbalhar@redhat.com> - 2.10.1-6
- Security fix for CVE-2024-56326
Resolves: RHEL-74677