Security fix for CVE-2025-27516
Resolves: RHEL-85066
This commit is contained in:
parent
eaf71f04c3
commit
39e6bb3bce
81
CVE-2025-27516.patch
Normal file
81
CVE-2025-27516.patch
Normal file
@ -0,0 +1,81 @@
|
||||
From 286c463968e9f55b4bd7a860161182fe55bc7632 Mon Sep 17 00:00:00 2001
|
||||
From: Lumir Balhar <lbalhar@redhat.com>
|
||||
Date: Wed, 26 Mar 2025 22:03:02 +0100
|
||||
Subject: [PATCH] CVE-2025-27516
|
||||
|
||||
---
|
||||
Jinja2-2.10.1/jinja2/filters.py | 28 +++++++++++-----------------
|
||||
Jinja2-2.10.1/tests/test_security.py | 10 ++++++++++
|
||||
2 files changed, 21 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/Jinja2-2.10.1/jinja2/filters.py b/Jinja2-2.10.1/jinja2/filters.py
|
||||
index 3e33f57..9816094 100644
|
||||
--- a/Jinja2-2.10.1/jinja2/filters.py
|
||||
+++ b/Jinja2-2.10.1/jinja2/filters.py
|
||||
@@ -13,6 +13,7 @@ import math
|
||||
import random
|
||||
import warnings
|
||||
|
||||
+from inspect import getattr_static
|
||||
from itertools import groupby, chain
|
||||
from collections import namedtuple
|
||||
from jinja2.utils import Markup, escape, pformat, urlize, soft_unicode, \
|
||||
@@ -931,27 +932,20 @@ def do_reverse(value):
|
||||
|
||||
@environmentfilter
|
||||
def do_attr(environment, obj, name):
|
||||
- """Get an attribute of an object. ``foo|attr("bar")`` works like
|
||||
- ``foo.bar`` just that always an attribute is returned and items are not
|
||||
- looked up.
|
||||
+ """Get an attribute of an object. ``foo|attr("bar")`` works like
|
||||
+ ``foo.bar``, but returns undefined instead of falling back to ``foo["bar"]``
|
||||
+ if the attribute doesn't exist.
|
||||
|
||||
See :ref:`Notes on subscriptions <notes-on-subscriptions>` for more details.
|
||||
"""
|
||||
try:
|
||||
- name = str(name)
|
||||
- except UnicodeError:
|
||||
- pass
|
||||
- else:
|
||||
- try:
|
||||
- value = getattr(obj, name)
|
||||
- except AttributeError:
|
||||
- pass
|
||||
- else:
|
||||
- if environment.sandboxed and not \
|
||||
- environment.is_safe_attribute(obj, name, value):
|
||||
- return environment.unsafe_undefined(obj, name)
|
||||
- return value
|
||||
- return environment.undefined(obj=obj, name=name)
|
||||
+ getattr_static(obj, name)
|
||||
+ except AttributeError:
|
||||
+ # This finds dynamic attrs, and we know it's not a descriptor at this point.
|
||||
+ if not hasattr(obj, name):
|
||||
+ return environment.undefined(obj=obj, name=name)
|
||||
+
|
||||
+ return environment.getattr(obj, name)
|
||||
|
||||
|
||||
@contextfilter
|
||||
diff --git a/Jinja2-2.10.1/tests/test_security.py b/Jinja2-2.10.1/tests/test_security.py
|
||||
index 1719644..b2ba1a3 100644
|
||||
--- a/Jinja2-2.10.1/tests/test_security.py
|
||||
+++ b/Jinja2-2.10.1/tests/test_security.py
|
||||
@@ -223,3 +223,13 @@ class TestStringFormatMap(object):
|
||||
|
||||
with pytest.raises(SecurityError):
|
||||
t.render()
|
||||
+
|
||||
+ def test_attr_filter(self) -> None:
|
||||
+ env = SandboxedEnvironment()
|
||||
+ t = env.from_string(
|
||||
+ """{{ "{0.__call__.__builtins__[__import__]}"
|
||||
+ | attr("format")(not_here) }}"""
|
||||
+ )
|
||||
+
|
||||
+ with pytest.raises(SecurityError):
|
||||
+ t.render()
|
||||
--
|
||||
2.49.0
|
||||
|
@ -27,7 +27,7 @@
|
||||
|
||||
Name: python-jinja2
|
||||
Version: 2.10.1
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
Summary: General purpose template engine
|
||||
Group: Development/Languages
|
||||
License: BSD
|
||||
@ -54,6 +54,12 @@ Patch2: CVE-2024-34064.patch
|
||||
# Patch backported from upstream without changelog and typing.
|
||||
Patch3: CVE-2024-56326.patch
|
||||
|
||||
# Security fix for CVE-2025-27516
|
||||
# Resolved upstream: https://github.com/pallets/jinja/commit/90457bbf33b8662926ae65cdde4c4c32e756e403
|
||||
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2025-27516
|
||||
# Patch backported from upstream without changelog.
|
||||
Patch4: CVE-2025-27516.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
%description
|
||||
@ -133,6 +139,7 @@ environments.
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
|
||||
|
||||
# cleanup
|
||||
@ -235,6 +242,10 @@ popd
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Mar 26 2025 Lumír Balhar <lbalhar@redhat.com> - 2.10.1-7
|
||||
- Security fix for CVE-2025-27516
|
||||
Resolves: RHEL-85066
|
||||
|
||||
* Wed Jan 22 2025 Lumír Balhar <lbalhar@redhat.com> - 2.10.1-6
|
||||
- Security fix for CVE-2024-56326
|
||||
Resolves: RHEL-74677
|
||||
|
Loading…
Reference in New Issue
Block a user